Matkasse fra Kokkeløren

https://kokkeloren.no/

F0/100

Severe privacy issues requiring immediate attention

Trackers Found

118

Network Requests

11.5s

Load Time

Risk Distribution

LOW4

HIGH8

INFO19

MEDIUM

Findings by Category

Data Collection

Consent Compliance

Analytics

Advertising & Remarketing

Social Media Tracking

Fingerprinting

Session Recording

Detection Timeline

Cookies(15)

Cookie: X-AB (unknown)Cookie: __client (unknown)Cookie: __client_uat (unknown)Cookie: __client_uat_rj7vSR9- (unknown)Cookie: __cf_bm (unknown)Cookie: _cfuvid (unknown)Cookie: _scid (unknown)Cookie: _scid_r (unknown)Cookie: _ScCbts (unknown)Cookie: __hstc (analytics)Cookie: hubspotutk (analytics)Cookie: __hssrc (analytics)Cookie: __hssc (analytics)Cookie: __cf_bm (unknown)Cookie: _cfuvid (unknown)

Network(14)

Third-party requests to policy.app.cookieinformation.comThird-party requests to SentryThird-party requests to CookieBot (Usercentrics)Third-party requests to GoogleThird-party requests to Snap Inc.Third-party requests to js-eu1.hs-scripts.comThird-party requests to kokkeloren-snack-runner.kokkeloren.workers.devThird-party requests to consentcdn.cookiebot.comThird-party requests to js-eu1.hs-banner.comThird-party requests to js-eu1.hs-analytics.netThird-party requests to tr.snapchat.comThird-party requests to GoogleThird-party requests to tr6.snapchat.comThird-party requests to track-eu1.hubspot.com

Tag Manager(4)

Google Tag Manager (GTM-N8S3TGCP)Google Ads (via GTM) in container GTM-N8S3TGCPDoubleClick (via GTM) in container GTM-N8S3TGCPMicrosoft Clarity (via GTM) in container GTM-N8S3TGCP

Scripts(3)

CookieBot CMP detectedSnapchat Pixel detectedGoogle Tag Manager detected

Consent(3)

Consent banner detected: Custom consent bannerTracking before consentNo reject option in consent banner

Fingerprinting(1)

Font Fingerprinting detected

Executive Summary

Kokkeløren's meal kit website has severe GDPR compliance violations with tracking starting before consent and no option to reject cookies. The site leaks customer names to US servers through error monitoring and uses aggressive tracking including session recording, fingerprinting, and Snapchat advertising pixels. With recent EU regulatory fines reaching €390M for similar violations, immediate action is required to avoid regulatory penalties and protect customer privacy.

Critical Actions:

Immediately configure Cookiebot to block all tracking until consent is given and add a prominent 'Reject All' button
Stop personal data transmission to Sentry US servers - either mask customer data in error logs or switch to EU-hosted error monitoring
Disable Microsoft Clarity session recording until proper consent mechanism is implemented with explicit opt-in for behavior recording

Findings by Category

Consent Compliance

5 findings

Detail

Found 13 tracking cookie(s) and 1 tracking request(s) BEFORE any consent interaction. This is the most common GDPR violation.

Remediation

Configure your CookieBot setup to block all tracking cookies and requests until consent is given. Review your Google Tag Manager configuration to ensure no tags fire before consent. Test this by loading the site in incognito mode and checking that no tracking occurs before clicking accept.

Legal Reference

GDPR Art. 5(1)(a), ePrivacy Directive Art. 5(3), Planet49 ruling

Raw Data

{
  "tracking_cookies_before_consent": 13,
  "tracking_requests_before_consent": 1
}

Detail

The consent banner has no visible 'reject' or 'decline' button. Under GDPR, rejecting cookies must be as easy as accepting them.

Remediation

Add a prominent 'Reject All' or 'Decline' button to your consent banner that is equally visible to the 'Accept' button. Ensure clicking reject actually blocks all non-essential tracking. Configure CookieBot to show a proper reject button in your banner settings.

Legal Reference

GDPR Art. 7(3), EDPB Guidelines 05/2020 on consent

Raw Data

{
  "reject_button_found": false
}

Detail

Found CookieBot CMP (CookieBot (Usercentrics)) loading from https://consent.cookiebot.com/722d4d5b-d6d6-4159-8ee4-e23e6a44b532/cc.js?renew=false&referer=kokkeloren.no&dnt=false&init=false. Purpose: Cookie consent management platform.

Remediation

No action needed - CookieBot is a reputable consent management platform. However, ensure it's configured correctly to block tracking before consent (see other findings).

Evidence

Raw Data

{
  "vendor": "CookieBot (Usercentrics)",
  "purpose": "Cookie consent management platform",
  "category": "consent",
  "script_src": "https://consent.cookiebot.com/722d4d5b-d6d6-4159-8ee4-e23e6a44b532/cc.js?renew=false&referer=kokkeloren.no&dnt=false&init=false",
  "gdpr_concern": "Consent management tool.",
  "tracker_name": "CookieBot CMP",
  "data_collected": [
    "consent preferences"
  ]
}

Detail

2 request(s) to consent.cookiebot.com (Cookie consent management platform).

Remediation

No action needed - these are normal operational requests from your consent management platform.

Raw Data

{
  "domain": "consent.cookiebot.com",
  "vendor": "CookieBot (Usercentrics)",
  "purpose": "Cookie consent management platform",
  "sample_urls": [
    "https://consent.cookiebot.com/uc.js?cbid=722d4d5b-d6d6-4159-8ee4-e23e6a44b532&implementation=gtm&consentmode-dataredaction=dynamic",
    "https://consent.cookiebot.com/722d4d5b-d6d6-4159-8ee4-e23e6a44b532/cc.js?renew=false&referer=kokkeloren.no&dnt=false&init=false"
  ],
  "pii_detected": [],
  "request_count": 2,
  "resource_types": [
    "script"
  ]
}

Detail

Cookie consent banner powered by Custom consent banner (Custom) is present on the page.

Remediation

Review your custom consent banner configuration to ensure it meets GDPR requirements. Consider using CookieBot's standard compliant banner templates instead of custom implementations to reduce compliance risk.

Legal Reference

GDPR Art. 7

Raw Data

{
  "cmp": "Custom consent banner",
  "vendor": "Custom"
}

Data Collection

24 findings

Detail

4 request(s) to tr.snapchat.com (unknown) — PII detected: e in POST body.

Remediation

Remove Snapchat Pixel immediately or ensure it only loads after explicit user consent. If using for advertising measurement, consider server-side conversion tracking instead.

Legal Reference

GDPR Art. 6, Art. 13

Raw Data

{
  "domain": "tr.snapchat.com",
  "vendor": null,
  "purpose": "unknown",
  "sample_urls": [
    "https://tr.snapchat.com/config/no/1d31ab17-414f-451d-8894-ae8da4c42eca.json?v=3.54.2-2603162155",
    "https://tr.snapchat.com/cm/i?pid=1d31ab17-414f-451d-8894-ae8da4c42eca&u_scsid=02feabd3-d6eb-492e-9fa0-52acdb3b8443&u_sclid=944b9497-fa53-4aea-9b6d-a83dcea2b7f2",
    "https://tr.snapchat.com/p",
    "https://tr.snapchat.com/p"
  ],
  "pii_detected": [
    "e in POST body"
  ],
  "request_count": 4,
  "resource_types": [
    "document",
    "fetch",
    "ping"
  ]
}

Detail

1 request(s) to track-eu1.hubspot.com (unknown) — PII detected: ln (URL parameter).

Remediation

Configure HubSpot tracking to only fire after explicit consent. Consider using HubSpot's privacy-friendly options or implement server-side tracking.

Legal Reference

GDPR Art. 6, ePrivacy Directive Art. 5(3)

Raw Data

{
  "domain": "track-eu1.hubspot.com",
  "vendor": null,
  "purpose": "unknown",
  "sample_urls": [
    "https://track-eu1.hubspot.com/__ptq.gif?k=1&sd=1920x1080&cd=24-bit&cs=UTF-8&ln=nb-no&v=1.1&a=139580736&pu=https%3A%2F%2Fkokkeloren.no%2F&t=Matkasse+fra+Kokkel%C3%B8ren&cts=1773747652025&vi=b0631db9f46"
  ],
  "pii_detected": [
    "ln (URL parameter)"
  ],
  "request_count": 1,
  "resource_types": [
    "image"
  ]
}

Detail

Third-party cookie from sc-static.net, expires: 0 days, purpose: Unrecognized cookie.

Remediation

Identify what sc-static.net service this relates to and either remove it or ensure proper consent collection. Update privacy policy to document all third-party cookies.

Legal Reference

ePrivacy Directive Art. 5(3), GDPR Art. 13

Raw Data

{
  "expiry": "0 days",
  "secure": true,
  "vendor": "unknown",
  "purpose": "unknown",
  "http_only": false,
  "same_site": "None",
  "cookie_name": "X-AB",
  "cookie_domain": "sc-static.net",
  "is_long_lived": false,
  "is_third_party": true
}

Raw Data

{
  "expiry": "0 days",
  "secure": true,
  "vendor": "unknown",
  "purpose": "unknown",
  "http_only": true,
  "same_site": "None",
  "cookie_name": "__cf_bm",
  "cookie_domain": "hubspot.com",
  "is_long_lived": false,
  "is_third_party": true
}

Raw Data

{
  "expiry": "session",
  "secure": true,
  "vendor": "unknown",
  "purpose": "unknown",
  "http_only": true,
  "same_site": "None",
  "cookie_name": "_cfuvid",
  "cookie_domain": "hubspot.com",
  "is_long_lived": false,
  "is_third_party": true
}

Detail

First-party cookie from kokkeloren.no, expires: 5 months, purpose: HubSpot visitor tracking cookie.. Vendor: HubSpot.

Remediation

Configure HubSpot to only set tracking cookies after explicit consent. Reduce cookie lifetime if possible. Ensure privacy policy accurately describes HubSpot data collection.

Legal Reference

GDPR Art. 7, ePrivacy Directive Art. 5(3)

Raw Data

{
  "expiry": "5 months",
  "secure": false,
  "vendor": "HubSpot",
  "purpose": "analytics",
  "http_only": false,
  "same_site": "Lax",
  "cookie_name": "__hstc",
  "cookie_domain": "kokkeloren.no",
  "is_long_lived": false,
  "is_third_party": false
}

Detail

First-party cookie from kokkeloren.no, expires: 5 months, purpose: HubSpot user token for visitor identification.. Vendor: HubSpot.

Remediation

Ensure this cookie only sets after consent. Consider if 5-month tracking is necessary for your business needs - shorter periods may be more privacy-friendly.

Legal Reference

GDPR Art. 7, ePrivacy Directive Art. 5(3)

Raw Data

{
  "expiry": "5 months",
  "secure": false,
  "vendor": "HubSpot",
  "purpose": "analytics",
  "http_only": false,
  "same_site": "Lax",
  "cookie_name": "hubspotutk",
  "cookie_domain": "kokkeloren.no",
  "is_long_lived": false,
  "is_third_party": false
}

Detail

First-party cookie from kokkeloren.no, expires: session, purpose: HubSpot session reset detection.. Vendor: HubSpot.

Remediation

Ensure this only operates after user consent to HubSpot tracking. This is standard analytics functionality but still requires consent.

Legal Reference

ePrivacy Directive Art. 5(3)

Raw Data

{
  "expiry": "session",
  "secure": false,
  "vendor": "HubSpot",
  "purpose": "analytics",
  "http_only": false,
  "same_site": "Lax",
  "cookie_name": "__hssrc",
  "cookie_domain": "kokkeloren.no",
  "is_long_lived": false,
  "is_third_party": false
}

Detail

First-party cookie from kokkeloren.no, expires: 0 days, purpose: HubSpot session tracking.. Vendor: HubSpot.

Remediation

Standard session tracking that should only operate after consent. Configure HubSpot to respect visitor consent preferences.

Legal Reference

ePrivacy Directive Art. 5(3)

Raw Data

{
  "expiry": "0 days",
  "secure": false,
  "vendor": "HubSpot",
  "purpose": "analytics",
  "http_only": false,
  "same_site": "Lax",
  "cookie_name": "__hssc",
  "cookie_domain": "kokkeloren.no",
  "is_long_lived": false,
  "is_third_party": false
}

Detail

First-party cookie from clerk.kokkeloren.no, expires: 1 years, purpose: Unrecognized cookie.

Remediation

This appears to be necessary for user authentication. Ensure your privacy policy documents authentication cookies and their purposes clearly.

Raw Data

{
  "expiry": "1 years",
  "secure": true,
  "vendor": "unknown",
  "purpose": "unknown",
  "http_only": true,
  "same_site": "Lax",
  "cookie_name": "__client",
  "cookie_domain": "clerk.kokkeloren.no",
  "is_long_lived": true,
  "is_third_party": false
}

Detail

First-party cookie from kokkeloren.no, expires: 1 years, purpose: Unrecognized cookie.

Remediation

Review if these authentication cookies need such long lifetimes. Ensure they're only used for legitimate login purposes and document in privacy policy.

Legal Reference

GDPR Art. 5(1)(c) - data minimisation

Raw Data

{
  "expiry": "1 years",
  "secure": true,
  "vendor": "unknown",
  "purpose": "unknown",
  "http_only": false,
  "same_site": "Lax",
  "cookie_name": "__client_uat",
  "cookie_domain": "kokkeloren.no",
  "is_long_lived": true,
  "is_third_party": false
}

Detail

First-party cookie from kokkeloren.no, expires: 1 years, purpose: Unrecognized cookie.

Remediation

Audit why multiple similar authentication cookies are needed. Reduce lifetime if possible and ensure purpose is clearly documented.

Legal Reference

GDPR Art. 5(1)(c) - data minimisation

Raw Data

{
  "expiry": "1 years",
  "secure": true,
  "vendor": "unknown",
  "purpose": "unknown",
  "http_only": false,
  "same_site": "Lax",
  "cookie_name": "__client_uat_rj7vSR9-",
  "cookie_domain": "kokkeloren.no",
  "is_long_lived": true,
  "is_third_party": false
}

Detail

First-party cookie from clerk.kokkeloren.no, expires: 0 days, purpose: Unrecognized cookie.

Remediation

This is likely necessary for service security. Document in privacy policy that third-party authentication services may set security cookies.

Raw Data

{
  "expiry": "0 days",
  "secure": true,
  "vendor": "unknown",
  "purpose": "unknown",
  "http_only": true,
  "same_site": "None",
  "cookie_name": "__cf_bm",
  "cookie_domain": "clerk.kokkeloren.no",
  "is_long_lived": false,
  "is_third_party": false
}

Detail

First-party cookie from clerk.kokkeloren.no, expires: session, purpose: Unrecognized cookie.

Remediation

This appears to be necessary security functionality. Ensure privacy policy mentions security cookies from authentication providers.

Raw Data

{
  "expiry": "session",
  "secure": true,
  "vendor": "unknown",
  "purpose": "unknown",
  "http_only": true,
  "same_site": "None",
  "cookie_name": "_cfuvid",
  "cookie_domain": "clerk.kokkeloren.no",
  "is_long_lived": false,
  "is_third_party": false
}

Detail

First-party cookie from kokkeloren.no, expires: 1 years, purpose: Unrecognized cookie.

Remediation

If this is Snapchat-related, ensure it only loads after consent and is transmitted securely. If not needed, remove entirely. Identify the purpose and document in privacy policy.

Legal Reference

ePrivacy Directive Art. 5(3)

Raw Data

{
  "expiry": "1 years",
  "secure": false,
  "vendor": "unknown",
  "purpose": "unknown",
  "http_only": false,
  "same_site": "Lax",
  "cookie_name": "_scid",
  "cookie_domain": "kokkeloren.no",
  "is_long_lived": true,
  "is_third_party": false
}

Detail

First-party cookie from kokkeloren.no, expires: 1 years, purpose: Unrecognized cookie.

Remediation

Secure this cookie with HTTPS-only flag, ensure consent before setting, or remove if not essential. Document purpose in privacy policy.

Legal Reference

ePrivacy Directive Art. 5(3)

Raw Data

{
  "expiry": "1 years",
  "secure": false,
  "vendor": "unknown",
  "purpose": "unknown",
  "http_only": false,
  "same_site": "Lax",
  "cookie_name": "_scid_r",
  "cookie_domain": "kokkeloren.no",
  "is_long_lived": true,
  "is_third_party": false
}

Detail

First-party cookie from kokkeloren.no, expires: 6 days, purpose: Unrecognized cookie.

Remediation

Identify the purpose of this cookie, secure it properly, and ensure it's only set after appropriate consent if used for tracking.

Legal Reference

ePrivacy Directive Art. 5(3)

Raw Data

{
  "expiry": "6 days",
  "secure": false,
  "vendor": "unknown",
  "purpose": "unknown",
  "http_only": false,
  "same_site": "Lax",
  "cookie_name": "_ScCbts",
  "cookie_domain": "kokkeloren.no",
  "is_long_lived": false,
  "is_third_party": false
}

Detail

4 request(s) to policy.app.cookieinformation.com (unknown).

Remediation

This appears to be your consent management system working normally, but verify that no tracking occurs before consent is given.

Raw Data

{
  "domain": "policy.app.cookieinformation.com",
  "vendor": null,
  "purpose": "unknown",
  "sample_urls": [
    "https://policy.app.cookieinformation.com/uc.js",
    "https://policy.app.cookieinformation.com/cookie-data/kokkeloren.no/cabl.json",
    "https://policy.app.cookieinformation.com/cookiesharingiframe.html",
    "https://policy.app.cookieinformation.com/latest/66273/en.js"
  ],
  "pii_detected": [],
  "request_count": 4,
  "resource_types": [
    "document",
    "xhr",
    "script"
  ]
}

Detail

1 request(s) to js-eu1.hs-scripts.com (unknown).

Remediation

Ensure HubSpot scripts only load after visitor consent. Using EU servers is positive for GDPR compliance.

Legal Reference

GDPR Art. 44-49

Raw Data

{
  "domain": "js-eu1.hs-scripts.com",
  "vendor": null,
  "purpose": "unknown",
  "sample_urls": [
    "https://js-eu1.hs-scripts.com/139580736.js"
  ],
  "pii_detected": [],
  "request_count": 1,
  "resource_types": [
    "script"
  ]
}

Detail

2 request(s) to kokkeloren-snack-runner.kokkeloren.workers.dev (unknown).

Remediation

This appears to be legitimate business functionality. Ensure any personal data handled by Workers complies with your privacy policy.

Raw Data

{
  "domain": "kokkeloren-snack-runner.kokkeloren.workers.dev",
  "vendor": null,
  "purpose": "unknown",
  "sample_urls": [
    "https://kokkeloren-snack-runner.kokkeloren.workers.dev/user/subscription",
    "https://kokkeloren-snack-runner.kokkeloren.workers.dev/user/subscription"
  ],
  "pii_detected": [],
  "request_count": 2,
  "resource_types": [
    "fetch"
  ]
}

Detail

2 request(s) to consentcdn.cookiebot.com (unknown).

Remediation

Verify why you have both Cookiebot and Cookie Information systems. Having multiple consent platforms can confuse visitors and create compliance gaps.

Legal Reference

GDPR Art. 7

Raw Data

{
  "domain": "consentcdn.cookiebot.com",
  "vendor": null,
  "purpose": "unknown",
  "sample_urls": [
    "https://consentcdn.cookiebot.com/sdk/bc-v4.min.html",
    "https://consentcdn.cookiebot.com/consentconfig/722d4d5b-d6d6-4159-8ee4-e23e6a44b532/settings.json"
  ],
  "pii_detected": [],
  "request_count": 2,
  "resource_types": [
    "document",
    "xhr"
  ]
}

Detail

1 request(s) to js-eu1.hs-banner.com (unknown).

Remediation

Using EU servers is good for compliance. Ensure any HubSpot banners or forms only display after appropriate consent.

Legal Reference

GDPR Art. 44-49

Raw Data

{
  "domain": "js-eu1.hs-banner.com",
  "vendor": null,
  "purpose": "unknown",
  "sample_urls": [
    "https://js-eu1.hs-banner.com/v2/139580736/banner.js"
  ],
  "pii_detected": [],
  "request_count": 1,
  "resource_types": [
    "script"
  ]
}

Detail

1 request(s) to js-eu1.hs-analytics.net (unknown).

Remediation

EU server usage is good for GDPR compliance. Ensure analytics only start after explicit visitor consent to tracking.

Legal Reference

GDPR Art. 44-49

Raw Data

{
  "domain": "js-eu1.hs-analytics.net",
  "vendor": null,
  "purpose": "unknown",
  "sample_urls": [
    "https://js-eu1.hs-analytics.net/analytics/1773741600000/139580736.js"
  ],
  "pii_detected": [],
  "request_count": 1,
  "resource_types": [
    "script"
  ]
}

Detail

1 request(s) to tr6.snapchat.com (unknown).

Remediation

Remove all Snapchat tracking or ensure comprehensive consent management covers all Snapchat domains and tracking mechanisms.

Legal Reference

GDPR Art. 6

Raw Data

{
  "domain": "tr6.snapchat.com",
  "vendor": null,
  "purpose": "unknown",
  "sample_urls": [
    "https://tr6.snapchat.com/p"
  ],
  "pii_detected": [],
  "request_count": 1,
  "resource_types": [
    "ping"
  ]
}

Advertising & Remarketing

3 findings

Detail

Found Google Ads (via GTM) reference in GTM container GTM-N8S3TGCP. This tracker may fire based on container triggers.

Remediation

Ensure Google Ads tags only fire after explicit consent. Configure GTM triggers to respect consent signals. Consider server-side conversion tracking or first-party data strategies to reduce third-party tracking dependency.

Legal Reference

GDPR Art. 6, ePrivacy Directive Art. 5(3), Schrems II

Raw Data

{
  "via": "raw_js_scan",
  "container_id": "GTM-N8S3TGCP",
  "detected_pattern": "googleadservices\\.com"
}

Detail

Found DoubleClick (via GTM) reference in GTM container GTM-N8S3TGCP. This tracker may fire based on container triggers.

Remediation

Remove DoubleClick tags or ensure they only fire after explicit consent for advertising cookies. DoubleClick is part of Google's advertising ecosystem and requires the same consent controls as Google Ads.

Legal Reference

GDPR Art. 6, ePrivacy Directive Art. 5(3), Schrems II

Raw Data

{
  "via": "raw_js_scan",
  "container_id": "GTM-N8S3TGCP",
  "detected_pattern": "doubleclick\\.net"
}

Detail

1 request(s) to pagead2.googlesyndication.com (Display advertising network).

Remediation

Verify this tracking only occurs after consent. The 'npa=1' parameter suggests non-personalized ads mode, which is good, but the request should still be consent-gated. Review what data is being sent in these requests.

Legal Reference

GDPR Art. 6, ePrivacy Directive Art. 5(3)

Raw Data

{
  "domain": "pagead2.googlesyndication.com",
  "vendor": "Google",
  "purpose": "Display advertising network",
  "sample_urls": [
    "https://pagead2.googlesyndication.com/ccm/collect?frm=0&ae=g&en=page_view&dl=https%3A%2F%2Fkokkeloren.no%2F&scrsrc=sgtm.kokkeloren.no&rnd=1634996513.1773747651&navt=n&npa=1&us_privacy=1YNY&ep.ads_data"
  ],
  "pii_detected": [],
  "request_count": 1,
  "resource_types": [
    "fetch"
  ]
}

Analytics

4 findings

Detail

1 request(s) to o463742.ingest.us.sentry.io (Error monitoring and performance tracking) — PII detected: name in POST body.

Remediation

Either configure Sentry to exclude PII from error reports, implement data residency controls to keep data in EU, or switch to an EU-based error monitoring service like Bugsnag EU or self-hosted Sentry.

Legal Reference

GDPR Art. 44-49, Schrems II

Raw Data

{
  "domain": "o463742.ingest.us.sentry.io",
  "vendor": "Sentry",
  "purpose": "Error monitoring and performance tracking",
  "sample_urls": [
    "https://o463742.ingest.us.sentry.io/api/4508449385807872/envelope/?sentry_version=7&sentry_key=6324798c673cf01315a26377634bb817&sentry_client=sentry.javascript.nextjs%2F9.10.0"
  ],
  "pii_detected": [
    "name in POST body"
  ],
  "request_count": 1,
  "resource_types": [
    "fetch"
  ]
}

Detail

Found Google Tag Manager (Google) loading from https://www.googletagmanager.com/gtm.js?id=GTM-N8S3TGCP&gtg_health=1. Purpose: Tag management system that can load any tracking script.

Remediation

Audit all tags configured in your GTM container (GTM-N8S3TGCP). Document what each tag does and ensure proper consent management. Consider server-side tagging or privacy-focused tag managers like TagCommander.

Legal Reference

GDPR Art. 25, GDPR Art. 5(1)(a)

Evidence

Raw Data

{
  "vendor": "Google",
  "purpose": "Tag management system that can load any tracking script",
  "category": "analytics",
  "script_src": "https://www.googletagmanager.com/gtm.js?id=GTM-N8S3TGCP&gtg_health=1",
  "gdpr_concern": "Container may include any number of tracking tags, often without the site owner's full awareness.",
  "tracker_name": "Google Tag Manager",
  "data_collected": [
    "depends on configured tags"
  ]
}

Detail

GTM container GTM-N8S3TGCP is loaded on this page. It acts as a hub that can load any number of tracking tags.

Remediation

Access your GTM account and review all active tags in container GTM-N8S3TGCP. Implement consent triggers for any tracking tags and ensure no personal data collection happens without consent.

Legal Reference

GDPR Art. 25

Raw Data

{
  "container_id": "GTM-N8S3TGCP"
}

Detail

1 request(s) to www.googletagmanager.com (Tag management system that can load any tracking script).

Remediation

This is expected behavior for GTM. Focus on auditing what tags are loaded through GTM and ensuring proper consent mechanisms are in place before any tracking tags fire.

Legal Reference

GDPR Art. 13

Raw Data

{
  "domain": "www.googletagmanager.com",
  "vendor": "Google",
  "purpose": "Tag management system that can load any tracking script",
  "sample_urls": [
    "https://www.googletagmanager.com/gtm.js?id=GTM-N8S3TGCP&gtg_health=1"
  ],
  "pii_detected": [],
  "request_count": 1,
  "resource_types": [
    "script"
  ]
}

Session Recording

1 finding

Detail

Found Microsoft Clarity (via GTM) reference in GTM container GTM-N8S3TGCP. This tracker may fire based on container triggers.

Remediation

Either remove Microsoft Clarity entirely, or ensure it only loads AFTER visitors give explicit consent through your cookie banner. Configure Clarity to mask all form inputs and sensitive areas. Consider privacy-friendly alternatives like self-hosted session recording tools or conduct user research through surveys instead.

Legal Reference

GDPR Art. 6 (lawful basis), Art. 7 (consent), ePrivacy Directive Art. 5(3)

Raw Data

{
  "via": "raw_js_scan",
  "container_id": "GTM-N8S3TGCP",
  "detected_pattern": "clarity\\.ms"
}

Social Media Tracking

2 findings

Detail

Found Snapchat Pixel (Snap Inc.) loading from https://sc-static.net/scevent.min.js. Purpose: Conversion tracking for Snapchat ads.

Remediation

Remove the Snapchat Pixel script or implement it to load only after explicit consent is given through your consent banner. Consider server-side conversion tracking or first-party analytics for campaign measurement instead.

Legal Reference

GDPR Art. 6 (lawful basis), ePrivacy Directive Art. 5(3), Schrems II

Evidence

Raw Data

{
  "vendor": "Snap Inc.",
  "purpose": "Conversion tracking for Snapchat ads",
  "category": "advertising",
  "script_src": "https://sc-static.net/scevent.min.js",
  "gdpr_concern": "US data transfer for ad tracking.",
  "tracker_name": "Snapchat Pixel",
  "data_collected": [
    "conversions",
    "page views"
  ]
}

Detail

1 request(s) to sc-static.net (Conversion tracking for Snapchat ads).

Remediation

Block these requests until explicit consent is obtained. Implement consent-conditional loading for the Snapchat Pixel script to prevent unauthorized data transfers.

Legal Reference

GDPR Art. 6 (lawful basis), GDPR Art. 44-49 (international transfers)

Raw Data

{
  "domain": "sc-static.net",
  "vendor": "Snap Inc.",
  "purpose": "Conversion tracking for Snapchat ads",
  "sample_urls": [
    "https://sc-static.net/scevent.min.js"
  ],
  "pii_detected": [],
  "request_count": 1,
  "resource_types": [
    "script"
  ]
}

Fingerprinting

1 finding

Detail

Tests which fonts are installed by measuring text rendering differences. Attributed to: https://kokkeloren.no/_next/static/chunks/2d1400c4-80e8491da2619b0b.js

Remediation

Remove the font fingerprinting code from your Next.js application. If you need to detect font availability for design purposes, use CSS font-display properties or web font loading techniques that don't measure installed system fonts. Consider using web fonts exclusively to ensure consistent rendering without fingerprinting.

Legal Reference

ePrivacy Directive Art. 5(3), GDPR Art. 5(1)(a)

Evidence

Raw Data

{
  "technique": "font",
  "match_count": 2,
  "source_script": "https://kokkeloren.no/_next/static/chunks/2d1400c4-80e8491da2619b0b.js",
  "patterns_matched": [
    "measureText\\s*\\(.*?\\).*?width",
    "fontFamily.*?(?:serif|sans-serif|monospace).*?fontFamily"
  ]
}