Did this podcast ~3 years ago. At the time, we were early on what we were building.
https://podcasts.apple.com/us/podcast/ian-cohen-drops-a-dime-on-the-myriad-trackers-stalking-you/
Listening back, I was surprised to see how little the core issue has changed: companies still can’t actually see or control what’s happening on their sites.
That’s surprising given everything that’s happened since, including new privacy laws, more enforcement, and bigger compliance teams. On paper, companies look covered.
In reality, they’re not.
Because when you look at what’s actually happening at the point of collection and execution, across the browser and the network calls it initiates, the gap isn’t just still there, it’s wider than ever.
The Illusion
Most organizations believe they have control over the data shared with third parties.
They have consent banners. Policies. Tag managers. Governance processes. But those systems don’t answer the only question that matters:
What is actually executing in the browser, and what data is being collected and sent (right now)?
Not what was configured. Not what was intended. What is actually happening? What data is being collected and shared with the hundreds of POSTs, Scripts, SDKs and APIs executing where no one sees or tracks what they’re doing?
Where Risk Lives
Modern websites aren’t static. Scripts load other scripts. Tags fire conditionally. Third parties introduce more third parties. Behavior changes constantly.
What you think is happening is almost always wrong.
What’s actually happening at the point of collection and execution is where risk lives. This is where the action is:
- Data collected unintentionally
- Calls firing before consent
- Third parties receiving signals and data they shouldn’t
- Configurations breaking silently over time
This is observable. Most companies just don’t see it.
The Structural Problem
There’s a fundamental disconnect. Legal defines policy. Compliance documents it.
Engineering implements something close to it. Marketing adds to it.
And then everyone assumes it works. It doesn’t.
Policies don’t execute. Code does. And code changes constantly.
Without continuous visibility and control at the point of collection and execution, you’re operating on assumptions, and that’s not defensible anymore.
What Needs to Change
This isn’t a policy problem. It’s an execution problem. Companies need to be able to do the following:
- Find everything running on their sites
- Understand what data is being collected and where it’s going
- Control it in real time
- Continuously verify it
Anything less is a partial solution.
The Reality
Three years later, the core issue hasn’t moved. Most organizations can describe what they intend to do. Very few can demonstrate what’s actually happening.
That gap between intent and execution is where risk and liability now sit.
Until companies can see and control what’s happening at the point of collection and execution, everything else (policies, disclosures, governance, consent) may or may not represent reality.