# Lokker — Full Context Reference

> Lokker is a privacy intelligence platform built to analyze how websites collect, transmit,
> and expose user data at the network and request layer. Rather than relying on documentation,
> vendor disclosures, or static tag audits, Lokker directly observes real network activity to
> determine what data is collected, where it is sent, which technologies introduce it, and
> whether user consent signals are honored. Lokker provides continuous risk scoring,
> real-time browser-side enforcement, automated consent validation, structured training, and
> evidence-grade reports for privacy, legal, insurance, and security teams.

For the concise curated link index of all Lokker pages, see: https://lokker.com/llms.txt

## Platform overview

Lokker is a privacy intelligence platform that continuously monitors how digital properties
behave in practice — not how their documentation claims they behave. Modern websites rely on
dozens or hundreds of third-party technologies: analytics, advertising pixels, session replay
tools, chat systems, A/B testing platforms, video players, and tag managers. These
technologies introduce chains of outbound data flows that are difficult to audit from
documentation alone.

Lokker addresses this by automating simulated user browsing sessions and capturing every
network request those sessions generate. From that raw network telemetry, the platform builds
a detailed map of data flows, identifies the technologies and vendors involved, evaluates
consent behavior, and surfaces findings that match documented regulatory and litigation
patterns.

The platform is designed for continuous, not point-in-time, operation. Scan data is retained
indefinitely so privacy, legal, and security teams can answer historical questions — which
technologies ran on a given date, how consent behavior changed after a deployment, and
whether remediation actually worked.

## Why Lokker exists

Privacy challenges for organizations are significant and growing. Several compounding problems
create risk for enterprises, legal teams, insurers, and the individuals whose data is involved:

- **Fragmented legal landscape.** Privacy laws differ by state and country. GDPR requires
  opt-in consent for non-essential tracking of people in the EU/EEA, while California's
  CCPA/CPRA and most other US state laws are opt-out regimes. HIPAA creates specific
  obligations for healthcare properties. VPPA creates exposure for sites with video content
  and advertising. Legislation is expanding. Organizations need continuous monitoring that
  translates legal complexity into concrete, prioritized action.

- **Consent operations in disarray.** Many consent managers are misconfigured, absent, or set
  and forgotten. There is often no clear owner across engineering, marketing, and legal. Tags
  deploy to production without review. Consent banners display correctly but fail to block
  scripts. The gap between what a banner implies and what data actually flows is the most
  common source of privacy litigation exposure.

- **Invisible third-party activity.** Organizations frequently do not know which vendors
  receive user data, what identifiers are transmitted in network payloads, or whether consent
  choices change tracking behavior at all. Static analysis and vendor documentation do not
  answer these questions reliably.

- **Portfolio complexity.** Large organizations own many digital properties. Maintaining
  consistent privacy posture across dozens or hundreds of sites is an operational challenge
  that requires automation and continuous monitoring.

- **Active enforcement and litigation.** Plaintiffs and regulators actively pursue cases.
  Organizations need both proactive posture improvement and reactive support when incidents
  or claims arise.

## Products

All Lokker products are Generally Available. The platform overview is at
https://lokker.com/products.

### Privacy Edge

Privacy Edge (https://lokker.com/products/privacy-edge) is the core intelligence and discovery platform.
It performs continuous automated scans that replicate real user browsing sessions while
capturing all network activity: requests, cookies, local storage, query parameters, request
payloads, and initiator chains.

**Risk scoring.** Each site receives a risk score from 0 to 1000 and a letter grade.
Scores are derived across seven risk categories:
- Cookies — cookie behavior and consent compliance
- Form Data — data captured from user input
- Session Replay — recording technologies and their scope
- Trackers — third-party tracking presence and behavior
- Consent — CMP presence, functionality, and GPC handling
- Geo — geographic data exposure
- Perimeter — outbound data flows and vendor footprint

**Reason codes.** Every finding is assigned a reason code that identifies the specific
technical behavior observed, maps it to the applicable privacy laws (HIPAA, VPPA, CCPA,
CPRA, GDPR), and classifies it by severity (Critical, High, Medium, Low). Critical findings
appear as a prominent alert banner and match documented litigation or regulatory patterns.

**Remediation.** Every reason code includes step-by-step remediation guidance so engineering
and privacy teams can resolve findings without ambiguity.

**Reports.** Privacy Edge produces evidence-grade outputs including:
- Risk & Remediation PDF: portfolio summary, per-site findings, and remediation steps
- GPC Compliance PDF: Global Privacy Control response analysis
- Payload Explorer Excel: raw network payload data for forensic review
- Digital Objects Excel: full technology and vendor inventory

**Data retention.** All scan data is retained indefinitely. This supports forensic and
litigation use cases where historical evidence of site behavior on a specific date is needed.

**Network visualizations.** Privacy Edge includes two visualization modes:
- Constellation View: interactive 3D graph of request flows and vendor relationships
- Waterfall View: hierarchical tree of initiator chains across a page load
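As an added illustration of what an initiator chain makes possible (example code written for this page, not Lokker's own implementation), the following JavaScript rebuilds the tree from a constructed capture in which each request records the URL that initiated it, renders it in the Waterfall style, and attributes every third-party request to the vendor that introduced it. The hostnames, the identifier in the pixel URL, and the capture itself are placeholders.

```javascript
// Added example: reconstructing initiator chains from captured requests so that
// each third-party request can be attributed to the technology that introduced
// it. Not Lokker's code; the capture below is constructed and the hostnames are
// placeholders.

// Constructed capture: each entry records the request URL and the URL of the
// resource (document or script) that initiated it, as browser network
// instrumentation reports it. The document itself has no initiator.
const SAMPLE_REQUESTS = [
  { url: "https://shop.example/", initiator: null },
  { url: "https://shop.example/static/app.js", initiator: "https://shop.example/" },
  { url: "https://tags.tagmanager.example/container.js", initiator: "https://shop.example/" },
  { url: "https://collect.analytics.example/collect?v=2", initiator: "https://tags.tagmanager.example/container.js" },
  { url: "https://pixel.adnet.example/events.js", initiator: "https://tags.tagmanager.example/container.js" },
  { url: "https://pixel.adnet.example/tr?ev=PageView&uid=abc123", initiator: "https://pixel.adnet.example/events.js" },
  { url: "https://shop.example/api/cart", initiator: "https://shop.example/static/app.js" },
];

function hostOf(url) {
  return new URL(url).hostname;
}

function isFirstParty(host, firstParty) {
  return host === firstParty || host.endsWith("." + firstParty);
}

// Links every request to its initiator. A request whose initiator was not
// captured becomes a root, so an incomplete capture flattens the tree.
function buildInitiatorTree(requests) {
  const nodes = new Map(
    requests.map((r) => [r.url, { url: r.url, host: hostOf(r.url), parent: null, children: [] }])
  );
  const roots = [];
  for (const r of requests) {
    const node = nodes.get(r.url);
    const parent = r.initiator ? nodes.get(r.initiator) : null;
    if (parent) {
      node.parent = parent;
      parent.children.push(node);
    } else {
      roots.push(node);
    }
  }
  return { nodes, roots };
}

// Path of URLs from the root document down to the given request.
function chainFor(nodes, url) {
  const chain = [];
  for (let n = nodes.get(url); n; n = n.parent) chain.unshift(n.url);
  return chain;
}

// For each third-party request, the vendor that introduced it is the first
// third-party host on its chain; depth is the number of hops from the document.
function attributeThirdParties(requests, firstParty) {
  const { nodes } = buildInitiatorTree(requests);
  const out = [];
  for (const r of requests) {
    const host = hostOf(r.url);
    if (isFirstParty(host, firstParty)) continue;
    const chain = chainFor(nodes, r.url);
    const introducedBy = chain.map((u) => hostOf(u)).find((h) => !isFirstParty(h, firstParty));
    out.push({ url: r.url, host, depth: chain.length - 1, introducedBy, chain });
  }
  return out;
}

// Indented, Waterfall-style rendering of the whole tree, one request per line.
function renderWaterfall(requests) {
  const { roots } = buildInitiatorTree(requests);
  const lines = [];
  const walk = (node, depth) => {
    lines.push("  ".repeat(depth) + node.url);
    node.children.forEach((child) => walk(child, depth + 1));
  };
  roots.forEach((root) => walk(root, 0));
  return lines;
}
```

The attribution rule turns "a pixel fired" into "the tag manager container loaded a vendor script that fired a pixel carrying an identifier", which is the form a remediation owner can act on. Requests whose initiator was not itself captured appear as roots, so the chain should be read as evidence from this capture rather than as a complete dependency graph.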

**Portfolio scale.** Privacy Edge is designed for portfolios ranging from a single site to
hundreds of thousands of sites. It supports benchmarking against the S&P 500.

**Guardian integration.** Domains and vendors identified in Privacy Edge can be marked
Trusted or Blocked. Those rules are then enforced in real time by Guardian.

**Alert delivery.** Daily or weekly email digests surface new findings. No immediate push
alerts are generated; digest cadence keeps teams focused without alert fatigue.

### Guardian

Guardian (https://lokker.com/products/guardian) is the real-time enforcement layer. It is deployed as a
single JavaScript snippet placed on any web property. Once deployed, Guardian intercepts
every outbound script load, pixel fire, fetch request, and XMLHttpRequest before it leaves
the browser.

**How enforcement works.** Guardian evaluates each outbound request against trust rules
defined in Privacy Edge. If the destination vendor or script is marked Trusted, the request
proceeds. If it is marked Blocked, or is Unknown and the policy for unknown destinations is
restrictive, Guardian prevents the request before any data is transmitted. Because enforcement
happens in the browser, it applies regardless of tag manager configuration or consent platform
state.

**Payload awareness.** Guardian can inspect request payloads to detect transmission of PII
or health data, and can apply more restrictive policies when sensitive data is involved.

**Audit trail.** Every allow and block decision is logged, creating a continuous audit trail
of what ran and what was stopped on each page load.

**CMP coexistence.** Guardian is designed to complement, not replace, consent management
platforms. It provides an additional enforcement layer that operates even when CMP
configuration fails or scripts load outside the CMP lifecycle.

**Edge deployment.** Guardian enforcement logic is sub-millisecond and does not introduce
perceptible latency. Rules are served from the edge.
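As an added example of the interception pattern this section describes (code written for this page, not Lokker's Guardian), the JavaScript below wraps `fetch` and `XMLHttpRequest` so that every call is decided against first-party, Trusted and Blocked host rules before it leaves the browser, applies a restrictive policy to Unknown destinations, refuses to let even a Trusted vendor receive a payload that looks like PII or health data, and records every verdict in an audit log. The rule format, the payload patterns, the demo hostnames and the stand-in `fetch` used by `demo()` are all assumptions.

```javascript
// Added example: a minimal browser-side enforcement layer of the kind the text
// describes. It is not Lokker's Guardian code. The rule shape (trusted/blocked
// host lists plus an "unknown" policy), the payload patterns and the demo hosts
// are assumptions for illustration.

// Payload patterns that count as sensitive for this example. Real deployments
// need far more care (false positives on product codes, encoded payloads, etc.).
const SENSITIVE_PATTERNS = [
  { label: "email", re: /[\w.+-]+@[\w-]+\.[\w.-]+/ },
  { label: "ssn", re: /\b\d{3}-\d{2}-\d{4}\b/ },
  { label: "health", re: /\b(diagnosis|icd-?10|prescription)\b/i },
];

function hostOf(url, base) {
  try { return new URL(url, base).hostname; } catch { return null; }
}

function matchesHost(host, ruleHost) {
  return host === ruleHost || host.endsWith("." + ruleHost);
}

function findSensitive(payload) {
  if (payload == null) return [];
  const text = typeof payload === "string" ? payload : JSON.stringify(payload);
  return SENSITIVE_PATTERNS.filter((p) => p.re.test(text)).map((p) => p.label);
}

// Builds a decision function plus an in-memory audit log of every verdict.
function createEnforcer({ firstParty, trusted = [], blocked = [], unknownPolicy = "block" }) {
  const log = [];
  function decide(url, kind, payload) {
    const host = hostOf(url, `https://${firstParty}/`);
    let verdict = "block";
    let rule = "unparseable";
    if (host && matchesHost(host, firstParty)) { verdict = "allow"; rule = "first-party"; }
    else if (host && blocked.some((b) => matchesHost(host, b))) { verdict = "block"; rule = "blocked"; }
    else if (host && trusted.some((t) => matchesHost(host, t))) { verdict = "allow"; rule = "trusted"; }
    else if (host) { verdict = unknownPolicy === "allow" ? "allow" : "block"; rule = "unknown"; }
    const sensitive = findSensitive(payload);
    // A trusted vendor is still not allowed to receive PII or health data.
    if (verdict === "allow" && rule !== "first-party" && sensitive.length > 0) {
      verdict = "block";
      rule = "sensitive-payload";
    }
    const entry = { ts: Date.now(), kind, url, host, verdict, rule, sensitive };
    log.push(entry);
    return entry;
  }
  return { decide, log };
}

// Wraps target.fetch (window in a browser) so every call is decided first.
// Returns a function that restores the original.
function installFetchGuard(target, enforcer) {
  const original = target.fetch;
  target.fetch = function guardedFetch(input, init = {}) {
    const url = typeof input === "string" ? input : input.url;
    const d = enforcer.decide(url, "fetch", init.body);
    if (d.verdict === "block") {
      return Promise.reject(new Error(`blocked by policy (${d.rule}): ${d.host}`));
    }
    return original.call(target, input, init);
  };
  return () => { target.fetch = original; };
}

// Wraps an XMLHttpRequest constructor: open() records the URL, send() decides.
function installXhrGuard(XHR, enforcer) {
  const { open, send } = XHR.prototype;
  XHR.prototype.open = function (method, url, ...rest) {
    this.__guardUrl = url;
    return open.call(this, method, url, ...rest);
  };
  XHR.prototype.send = function (body) {
    const d = enforcer.decide(this.__guardUrl, "xhr", body);
    if (d.verdict === "block") { this.abort(); return; }
    return send.call(this, body);
  };
}

// Constructed demo: a stand-in for window whose fetch records calls instead of
// reaching the network, so the example runs anywhere.
async function demo() {
  const sent = [];
  const win = { fetch: async (input) => { sent.push(typeof input === "string" ? input : input.url); return { ok: true }; } };
  const enforcer = createEnforcer({ firstParty: "shop.example", trusted: ["analytics.example"], blocked: ["pixel.adnet.example"] });
  installFetchGuard(win, enforcer);
  const attempts = [
    ["/api/cart", { method: "POST", body: '{"items":3}' }],
    ["https://collect.analytics.example/beacon", { method: "POST", body: '{"page":"/checkout"}' }],
    ["https://pixel.adnet.example/tr?ev=Purchase", {}],
    ["https://cdn.unknownvendor.example/tag.js", {}],
    ["https://collect.analytics.example/beacon", { method: "POST", body: '{"email":"jane@example.com"}' }],
  ];
  for (const [url, init] of attempts) {
    await win.fetch(url, init).catch(() => {}); // blocked calls reject; the log keeps the reason
  }
  return { sent, verdicts: enforcer.log.map((e) => `${e.verdict}:${e.rule}`) };
}
```

In a real page the guards would be installed on `window` and `XMLHttpRequest` as early as possible, before any tag manager runs, because a script that executed first could have kept a reference to the original `fetch`. The example does not cover `<script>` and `<img>` pixel loads, which need a `MutationObserver` on the DOM or a Content-Security-Policy to intercept, and regex matching on request bodies is only a coarse stand-in for real data classification.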

### Consent Validator

Consent Validator (https://lokker.com/products/consent-validator) is the automated consent testing
product. It systematically tests a site across four consent states:
- No interaction (default page load before any consent choice)
- Accept (user accepts all tracking)
- Reject (user rejects optional tracking)
- GPC (Global Privacy Control signal sent)

For each state, Consent Validator captures the full set of technologies and network requests
that fire. Comparing across states reveals whether the consent configuration actually changes
tracking behavior — not just whether the banner displays correctly.

Findings are prioritized P1, P2, and P3 by remediation urgency. Output is delivered as Excel
and PDF reports. Primary users include privacy and compliance teams, legal counsel, and
agencies auditing client properties.
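To make the cross-state comparison concrete, here is an added JavaScript example (written for this page, not Lokker's Consent Validator code) that takes a constructed capture of request URLs per consent state plus a constructed vendor inventory and reports which third-party hosts fire where they should not. The P1/P2/P3 assignments, the vendor categories, and the treatment of the GPC signal as an opt-out of advertising traffic are assumptions for illustration.

```javascript
// Added example: comparing the requests captured in each consent state.
// Not Lokker's code; the capture, vendor inventory and priority rules below
// are constructed for illustration.

const STATES = ["none", "accept", "reject", "gpc"];

// Constructed capture: request URLs observed in each consent state.
const SAMPLE_CAPTURE = {
  none: [
    "https://shop.example/",
    "https://cdn.cmp.example/banner.js",
    "https://collect.analytics.example/collect?v=2&cid=123",
    "https://pixel.adnet.example/tr?ev=PageView",
  ],
  accept: [
    "https://shop.example/",
    "https://cdn.cmp.example/banner.js",
    "https://collect.analytics.example/collect?v=2&cid=123",
    "https://pixel.adnet.example/tr?ev=PageView",
    "https://chat.widget.example/boot.js",
  ],
  reject: [
    "https://shop.example/",
    "https://cdn.cmp.example/banner.js",
    "https://pixel.adnet.example/tr?ev=PageView",
  ],
  gpc: [
    "https://shop.example/",
    "https://cdn.cmp.example/banner.js",
    "https://collect.analytics.example/collect?v=2&cid=123",
    "https://pixel.adnet.example/tr?ev=PageView",
  ],
};

// Constructed vendor inventory. "essential" hosts (here, the CMP itself) are
// exempt from consent gating.
const SAMPLE_VENDORS = {
  "cdn.cmp.example": "essential",
  "collect.analytics.example": "analytics",
  "pixel.adnet.example": "advertising",
  "chat.widget.example": "functional",
};

function isFirstParty(host, firstParty) {
  return host === firstParty || host.endsWith("." + firstParty);
}

function thirdPartyHosts(urls, firstParty) {
  const hosts = new Set();
  for (const u of urls) {
    const host = new URL(u).hostname;
    if (!isFirstParty(host, firstParty)) hosts.add(host);
  }
  return hosts;
}

// regime: "opt-in" (GDPR-style) or "opt-out" (CCPA-style); it only changes how
// urgently firing before any interaction is treated.
function compareConsentStates(capture, vendors, { firstParty, regime = "opt-out" }) {
  const seen = Object.fromEntries(STATES.map((s) => [s, thirdPartyHosts(capture[s] || [], firstParty)]));
  const hosts = new Set(STATES.flatMap((s) => [...seen[s]]));
  const findings = [];
  const gatedCorrectly = [];
  for (const host of hosts) {
    const category = vendors[host] || "unknown";
    if (category === "essential") continue;
    const states = STATES.filter((s) => seen[s].has(host));
    let priority = null;
    let issue = null;
    if (seen.reject.has(host)) {
      priority = "P1";
      issue = "fires after the visitor rejects optional tracking";
    } else if (seen.gpc.has(host) && category === "advertising") {
      priority = "P1";
      issue = "advertising request fires despite the GPC opt-out signal";
    } else if (seen.none.has(host)) {
      priority = regime === "opt-in" ? "P2" : "P3";
      issue = "fires before any consent choice is made";
    }
    if (priority) findings.push({ host, category, states, priority, issue });
    else gatedCorrectly.push(host); // only observed once consent was given
  }
  findings.sort((a, b) => a.priority.localeCompare(b.priority) || a.host.localeCompare(b.host));
  return { findings, gatedCorrectly: gatedCorrectly.sort() };
}

function run() {
  return compareConsentStates(SAMPLE_CAPTURE, SAMPLE_VENDORS, { firstParty: "shop.example", regime: "opt-in" });
}
```

The banner in the constructed capture "works" in the sense that it is present in every state, yet the advertising pixel fires identically in all four and the analytics beacon fires before any choice is made; only the chat widget is actually gated. That difference between display and effect is exactly what a request-level comparison exposes and a banner screenshot does not.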

### Privacy Academy

Privacy Academy (https://lokker.com/products/privacy-academy) provides structured web privacy training
from beginner to expert. The curriculum covers how the web works at a privacy level, consent
mechanics, tracking technologies, privacy regulations, CMP configuration and validation, the
ad tech data ecosystem, browser fingerprinting, HIPAA on the web, Privacy by Design, tag
management governance, and privacy risk assessment methodology.

Programs are available self-paced for individual learners or as structured team programs.
The public training tracks are accessible at /training. Privacy Academy is used by privacy
and compliance teams, legal and defense counsel, marketing and digital teams, engineering and
product, insurance underwriters, and program leaders.

### Partner API

The Partner API (https://lokker.com/products/partner-api) is a developer-facing integration layer that
exposes Lokker intelligence programmatically. Primary use cases include:
- Portfolio onboarding: submit lists of domains for automated scanning at scale
- Scan orchestration: trigger scans and receive completion notifications via webhook
- Score retrieval: pull per-site risk scores and grade data for downstream reporting
- Reason code access: retrieve structured findings with law mapping and remediation steps
- Remediation data: export structured finding data into risk management workflows
- Underwriting automation: integrate scan completion and score delivery into insurance workflows

The Partner API is Generally Available and is primarily used by insurance underwriters, risk
platforms, and enterprise teams with large portfolios.

### Privacy Extension

The Privacy Extension (https://lokker.com/products/privacy-extension) is a browser extension that
enables on-demand privacy analysis of any web page directly in the browser. It surfaces
tracking technologies, network requests, and consent behavior without requiring a full
platform scan.

## Services

Lokker offers expert professional services alongside its product suite (https://lokker.com/services).

### Consent Tag Orchestration

Consent Tag Orchestration (https://lokker.com/services/consent-tag-orchestration) is a managed service
for organizations that need hands-on help with CMP configuration, consent banner implementation,
tag governance, and enforcement at scale. This service is suited to organizations with complex
site portfolios, CMPs that are misconfigured, or teams that lack the internal expertise to
implement and maintain consent controls that actually stop data collection when visitors
opt out.

## Solutions

Lokker's solutions pages (https://lokker.com/solutions) describe how the platform is applied to specific
use cases and industries. Each solution maps product capabilities to a concrete business need.

### Litigation & discovery

Network-layer evidence for defense counsel: document what third-party scripts ran and how consent behaved, validate whether remediation changed the behavior, and monitor continuously so the next incident does not come as a surprise.

Page: https://lokker.com/solutions/litigation-discovery

### M&A due diligence

Assess privacy posture of target properties at scale with risk scores, reason codes, and evidence for deal teams.

Page: https://lokker.com/solutions/ma-due-diligence

### Board & risk reporting

Portfolio-level risk, trends, and benchmarks with executive-ready views and remediation status.

Page: https://lokker.com/solutions/board-risk-reporting

### Portfolio monitoring

Ongoing visibility across many sites with automation, cadence, and integration into underwriting or ops tools.

Page: https://lokker.com/solutions/portfolio-monitoring

### Healthcare

Protect patient data on the web. Get HIPAA-aware visibility into trackers and pixels, evidence for audits and incidents, and real-time control so PHI stays private.

Page: https://lokker.com/solutions/healthcare

### Consent Audit & Validation

Test whether your consent banner, CMP configuration, and GPC handling actually stop data collection when visitors opt out, not just whether they display correctly. Get documented evidence of what fires in every consent state.

Page: https://lokker.com/solutions/consent-audit

### Third-Party Script Governance

Every approved tag is an outbound integration that bypasses your firewall. Map your full third-party script inventory, detect shadow IT tags deployed outside review, and enforce trust rules so unauthorized scripts cannot send data from the browser.

Page: https://lokker.com/solutions/third-party-script-governance

## Who Lokker serves

Lokker's audience pages (https://lokker.com/who-we-help) describe the specific teams and roles that
use the platform and how their needs are addressed.

### Privacy Teams

Lokker gives privacy teams a continuous, evidence-based view of what is running on the site, whether consent choices are respected, and what to fix first.

Page: https://lokker.com/who-we-help/privacy-teams

### Legal & Compliance

Defense counsel and law firms use Lokker to document what actually ran on a client's site, validate whether consent controls worked, and confirm that remediation fixed the problem. The engagement model starts with a point-in-time scan and can extend to repeated rescans after fixes and ongoing monitoring to protect against the next incident.

Page: https://lokker.com/who-we-help/legal-compliance

### Insurance & Risk

Underwriters and risk teams use Lokker to quantify website privacy risk, score domains at scale, and support underwriting and portfolio monitoring.

Page: https://lokker.com/who-we-help/insurance

### Agencies

Agencies managing multiple client properties use Lokker to monitor website privacy posture, deliver evidence-ready reporting, and scale privacy services.

Page: https://lokker.com/who-we-help/agencies

### IT & Security Leaders

Web privacy is the client-side blind spot in most security programs. While firewalls guard the backend, marketing tags and third-party scripts ship data directly from the browser to ad networks, analytics vendors, and enrichment services without passing any perimeter control. Lokker gives security and IT leaders network-layer visibility into what leaves the browser, what consent controls actually enforce, and what outbound data flows need governance.

Page: https://lokker.com/who-we-help/it-security-leader

## Training curriculum

The Lokker Privacy Academy training curriculum (https://lokker.com/training) is organized into tracks
that progress from foundational to expert. All public tracks are described below.

### Web Privacy Foundations (Beginner — 6h)

Start here. Learn how the web works, why privacy matters, and what consent really means. No prior technical knowledge required.

Audience: Privacy newcomers and non-technical stakeholders; Marketing, product, and legal teams building baseline literacy

Outcomes:
- Understand how browser behavior and data flow drive privacy risk
- Recognize consent fundamentals and common implementation failures
- Build confidence in privacy vocabulary and decision framing

Modules covered:
- how-the-web-works
- intro-to-web-privacy
- understanding-consent

Page: https://lokker.com/training/web-privacy-foundations

### Privacy Technologies (Intermediate — 10h)

Understand the tools that track you online (analytics, session replay, ad pixels, fingerprinting) and the regulations written to control them.

Audience: Practitioners implementing analytics, adtech, and consent tooling; Privacy and compliance teams reviewing technical controls

Outcomes:
- Map technologies to the data they collect and share
- Connect regulations to practical implementation checks
- Detect and prevent high-risk deployment misconfigurations

Modules covered:
- tracking-technologies
- privacy-regulations
- consent-management-platforms
- adtech-data-ecosystem

Page: https://lokker.com/training/privacy-technologies

### Advanced Privacy (Advanced — 10h)

Deep-dive into browser fingerprinting, HIPAA on the web, and Privacy by Design frameworks.

Audience: Privacy engineers and technical advisors handling high-risk properties; Security, product, and legal leaders designing privacy-forward systems

Outcomes:
- Evaluate advanced tracking threats and control strategies
- Assess HIPAA-sensitive web patterns and remediation priorities
- Operationalize Privacy by Design in delivery workflows

Modules covered:
- browser-fingerprinting
- hipaa-and-health-privacy
- privacy-by-design

Page: https://lokker.com/training/advanced-privacy

### Specialist: Tag Management & Risk (Expert — 8h)

For privacy engineers and practitioners: deep-dive into GTM architecture, consent modes, and privacy risk assessment methodology.

Audience: Senior privacy practitioners and implementation leads; Teams responsible for production tag governance and incident response

Outcomes:
- Design resilient governance for scripts, tags, and partner data flow
- Run repeatable risk assessments with actionable remediation plans
- Communicate technical findings in executive-ready language

Modules covered:
- tag-management
- privacy-risk-assessment

Page: https://lokker.com/training/specialist-tracks

## Resources and documentation

- **Resources** (https://lokker.com/resources): Whitepapers, compliance reports, downloads, and
  checklists covering web privacy, consent, tracking, and regulatory topics.
- **Documentation** (https://lokker.com/docs): Product documentation covering Privacy Edge, Guardian,
  Consent Validator, and the Partner API.
- **Demo** (https://lokker.com/demo): Request a live guided demonstration tailored to your use case.
- **Support** (https://lokker.com/lokker-support): Help resources and support for Lokker customers.
- **Blog** (https://lokker.com/blog): Privacy commentary, product updates, regulatory analysis, and
  thought leadership articles.
- **Press & news** (https://lokker.com/press): Media coverage, press releases, and announcements.
- **Events** (https://lokker.com/events): Privacy conferences and industry events where Lokker
  participates.

## Privacy knowledge library

The /topics section (https://lokker.com/topics) is a library of web privacy concepts. Each article
covers a specific technology, regulation, consent mechanism, or risk pattern at the depth
needed to understand its privacy implications. Topics include tracking technologies (cookies,
pixels, session replay, fingerprinting), consent regulations (GDPR, CCPA, CPRA, US state
laws), consent mechanisms (CMPs, GPC, TCF), ad tech concepts (RTB, identity resolution,
header bidding), and risk patterns (HIPAA on the web, VPPA, wiretapping statutes).

Individual topic articles are accessible at https://lokker.com/topics/{slug}. The full slug list is
available in the XML sitemap at https://lokker.com/sitemap.xml.

The /glossary page (https://lokker.com/glossary) is an alphabetized reference covering key web privacy
and regulatory terms. Each entry provides a plain-language definition and a "Why it matters"
section explaining the practical compliance, risk, or operational significance of the term.
Terms span GDPR, CCPA, CPRA, US state privacy laws, consent technology, tracking methods,
security headers, and enterprise risk vocabulary including PII, PHI, subprocessors, and TIAs.

## MarTech tool comparisons

The /compare section (https://lokker.com/compare) provides side-by-side privacy and compliance comparison
guides for the most widely deployed MarTech tool categories. Each guide covers features,
pricing tiers, HIPAA BAA availability, GDPR data residency options, GPC (Global Privacy
Control) support, cookie-free mode, server-side relay availability, configurable retention,
and a full privacy scorecard. Guides also include Lokker-specific sections explaining how
Privacy Edge, Consent Validator, and Guardian interact with each category.

### Session Replay Tools

Which session replay tools are GDPR compliant with PII masking? Compare Microsoft Clarity, Hotjar, FullStory, LogRocket, Mouseflow, Glassbox, PostHog, and Smartlook on default masking, HIPAA BAA, EU data residency, GPC handling, and consent state behavior.

Tools compared: Microsoft Clarity, Hotjar, FullStory, LogRocket, Mouseflow, Glassbox, PostHog, Smartlook.

Page: https://lokker.com/compare/session-replay-tools

### Web Analytics Tools

Compare Google Analytics 4, Adobe Analytics, Mixpanel, Heap, Amplitude, Plausible, Matomo, and PostHog on consent requirements, EU hosting, HIPAA BAA availability, cookieless modes, and third-party data exposure.

Tools compared: Google Analytics 4, Adobe Analytics, Mixpanel, Heap, Amplitude, Plausible Analytics, Matomo, PostHog.

Page: https://lokker.com/compare/web-analytics-tools

### Marketing Automation Platforms

Compare HubSpot, Adobe Marketo Engage, Braze, Klaviyo, Salesforce Marketing Cloud, ActiveCampaign, Customer.io, and Iterable on consent, HIPAA BAA options, EU data regions, and cross-channel tracking risks.

Tools compared: HubSpot Marketing Hub, Marketo Engage, Braze, Klaviyo, Salesforce Marketing Cloud, ActiveCampaign, Customer.io, Iterable.

Page: https://lokker.com/compare/marketing-automation-platforms

### Customer Data Platforms (CDPs)

Compare Segment, RudderStack, mParticle, Tealium, Hightouch, Lytics, ActionIQ, and Salesforce Data Cloud on consent propagation, EU hosting, HIPAA posture, warehouse-first patterns, and destination forwarding risk.

Tools compared: Segment (Twilio), RudderStack, mParticle, Tealium Customer Data Hub, Hightouch, Lytics, ActionIQ, Salesforce Data Cloud.

Page: https://lokker.com/compare/customer-data-platforms

### Chat and Messaging Widget Platforms

Compare Intercom, Drift, Crisp, Tidio, Zendesk, Freshchat, LiveChat, and Olark on cookies, HIPAA BAA options, EU hosting, pre-chat data collection, and whether widgets respect consent and Global Privacy Control.

Tools compared: Intercom, Drift, Crisp, Tidio, Zendesk Messaging, Freshchat, LiveChat, Olark.

Page: https://lokker.com/compare/chat-widget-platforms

### Consent Management Platforms

Compare OneTrust, TrustArc, Cookiebot, Usercentrics, Osano, Ketch, Sourcepoint, and Didomi on TCF and GPC support, EU hosting, cookie scanning, preference centers, DSAR workflows, and real-world tag enforcement gaps.

Tools compared: OneTrust, TrustArc, Cookiebot by Usercentrics, Usercentrics CMP, Osano, Ketch, Sourcepoint, Didomi.

Page: https://lokker.com/compare/consent-management-platforms

### A/B Testing and Experimentation Platforms

Compare Optimizely, VWO, AB Tasty, Statsig, GrowthBook, LaunchDarkly, Split, and Adobe Target on flicker control, consent gating, PII in targeting attributes, EU hosting, and tag-manager delivery risks.

Tools compared: Optimizely, VWO, AB Tasty, Statsig, GrowthBook, LaunchDarkly, Split, Adobe Target.

Page: https://lokker.com/compare/ab-testing-tools

### Tag Management Systems

Compare Google Tag Manager, Tealium iQ, Adobe Experience Platform Tags, Matomo Tag Manager, Piwik PRO, Jentis, and Ensighten on consent mode support, server-side delivery, EU hosting, vendor governance, and the privacy risks of container misconfiguration.

Tools compared: Google Tag Manager, Tealium iQ Tag Management, Adobe Experience Platform Tags, Matomo Tag Manager, Piwik PRO Tag Manager, JENTIS, Ensighten Manage.

Page: https://lokker.com/compare/tag-managers

### Lokker and Freshpaint

Freshpaint is a HIPAA-compliant healthcare marketing proxy that de-identifies data before
forwarding it to analytics and advertising vendors. Lokker validates and enforces privacy
across the full script estate, including the CMP configuration that gates Freshpaint itself.
The two tools address different layers of the privacy stack and are complementary.

Page: https://lokker.com/compare/freshpaint

## Privacy policy disclosure guide

The /privacy-policy-guide section (https://lokker.com/privacy-policy-guide) provides plain-language
guidance for privacy, legal, and marketing teams on how to accurately disclose specific
third-party tools in a privacy policy or cookie notice. Each guide explains what data the
tool collects, the purposes it serves, US and EU jurisdiction notes, illustrative example
language for discussion with counsel, a CMP and tag manager configuration checklist, and
a policy-vs-practice section comparing what policies typically claim versus what Lokker
validates at the network layer.

Important: All example language is educational and not legal advice. Counsel review is
required before finalizing any privacy policy disclosure.

### Google Analytics 4

Example language for disclosing Google Analytics 4 in a privacy policy or cookie notice. Covers data collected, legal basis, opt-out, and how to verify GA4 fires correctly through your CMP.

Trademark owner: Google LLC.

Page: https://lokker.com/privacy-policy-guide/google-analytics-4

### Meta Pixel

Example language for disclosing the Meta Pixel in a privacy policy. Covers data sent to Meta, legal basis, opt-out of targeted advertising, VPPA risk, and CMP category assignment.

Trademark owner: Meta Platforms, Inc.

Page: https://lokker.com/privacy-policy-guide/meta-pixel

### Google Tag Manager

Example privacy policy language for Google Tag Manager. Explains how GTM works, what data it accesses, how to describe it as a tag management container, and how to ensure tags inside GTM are consent-gated.

Trademark owner: Google LLC.

Page: https://lokker.com/privacy-policy-guide/google-tag-manager

### Hotjar

Example language for disclosing Hotjar session replay and heatmaps in a privacy policy. Covers what data Hotjar records, masking limitations, legal basis, and how to verify Hotjar fires only with consent.

Trademark owner: Hotjar Ltd.

Page: https://lokker.com/privacy-policy-guide/hotjar

### FullStory

Example language for disclosing FullStory digital experience intelligence in a privacy policy. Covers session replay, DLP protections, consent requirements, and CIPA wiretapping considerations.

Trademark owner: FullStory, Inc.

Page: https://lokker.com/privacy-policy-guide/fullstory

### HubSpot

Example language for disclosing HubSpot tracking, CRM, and marketing automation in a privacy policy. Covers the HubSpot tracking cookie, lead data, email tracking, and GDPR consent requirements.

Trademark owner: HubSpot, Inc.

Page: https://lokker.com/privacy-policy-guide/hubspot

### OneTrust

Example language for disclosing OneTrust consent management in a privacy policy. Covers cookie banner infrastructure, preference center, vendor lists, and how to reflect OneTrust's role accurately.

Trademark owner: OneTrust, LLC.

Page: https://lokker.com/privacy-policy-guide/onetrust

### CookieYes

Example language for disclosing CookieYes cookie consent management in a privacy policy. Covers what CookieYes stores, how to describe its role, and what to check to ensure consent is technically enforced.

Trademark owner: CookieYes Limited.

Page: https://lokker.com/privacy-policy-guide/cookieyes

### LinkedIn Insight Tag

Example language for disclosing the LinkedIn Insight Tag in a privacy policy. Covers B2B retargeting, Website Demographics, legal basis, GDPR consent, CCPA opt-out, and how to verify LinkedIn tags fire only with consent.

Trademark owner: LinkedIn Corporation.

Page: https://lokker.com/privacy-policy-guide/linkedin-insight-tag

### TikTok Pixel

Example language for disclosing the TikTok Pixel in a privacy policy. Covers conversion tracking, advanced matching, GDPR consent, CCPA opt-out, regulatory scrutiny, and how to verify the Pixel fires only when it should.

Trademark owner: TikTok Inc.

Page: https://lokker.com/privacy-policy-guide/tiktok-pixel

### Microsoft Clarity

Example language for disclosing Microsoft Clarity session replay and heatmaps in a privacy policy. Covers data collected, automatic masking limitations, GDPR consent, CCPA, and how to verify Clarity fires only with consent.

Trademark owner: Microsoft Corporation.

Page: https://lokker.com/privacy-policy-guide/microsoft-clarity

### Segment

Example language for disclosing Segment (Twilio Segment) in a privacy policy. Covers the CDP data pipeline, downstream destinations, consent management integration, GDPR, and how to verify Segment fires only with consent.

Trademark owner: Twilio Inc..

Page: https://lokker.com/privacy-policy-guide/segment

### Mixpanel

Example language for disclosing Mixpanel product analytics in a privacy policy. Covers event tracking, user identification, EU data residency, GDPR consent, CCPA, and how to verify Mixpanel fires only with consent.

Trademark owner: Mixpanel, Inc.

Page: https://lokker.com/privacy-policy-guide/mixpanel

### Klaviyo

Example language for disclosing Klaviyo email and SMS marketing in a privacy policy. Covers website tracking, email pixel tracking, ActiveOnSite events, GDPR consent, CCPA, and how to verify Klaviyo fires only with consent.

Trademark owner: Klaviyo, Inc.

Page: https://lokker.com/privacy-policy-guide/klaviyo

### Intercom

Example language for disclosing Intercom chat and customer messaging in a privacy policy. Covers messenger widget tracking, lead capture, user identity, GDPR consent, CCPA, and how to verify Intercom fires only with consent.

Trademark owner: Intercom R&D Unlimited Company.

Page: https://lokker.com/privacy-policy-guide/intercom

### Cookiebot

Example language for disclosing Cookiebot consent management in a privacy policy. Covers what Cookiebot stores, its auto-blocking mechanism, how to describe its role, and what to verify to ensure technical enforcement.

Trademark owner: Usercentrics A/S.

Page: https://lokker.com/privacy-policy-guide/cookiebot

## Privacy law guidance

The /privacy-law section (https://lokker.com/privacy-law) provides plain-language guidance on US privacy
statutes that generate website-related litigation. The target audience is companies,
in-house counsel, and defense law firms that have received a demand letter or need to
understand the technical exposure created by specific website tracking technologies under
a specific statute. Lokker works alongside defense counsel and can provide warm introductions
to law firms that specialize in these cases.

Each law page covers: statute overview, who it covers, penalties, which website technologies
trigger exposure, what a demand letter looks like, what technical evidence appears in
complaints, and FAQs.

### Video Privacy Protection Act (VPPA)

**Jurisdiction:** Federal (US)

Federal law that prohibits disclosing a consumer's video viewing history without consent. Now widely used in litigation against news, media, and healthcare sites that embed video players alongside ad pixels.

**Penalties:** The VPPA provides for statutory damages of not less than $2,500 per violation, actual damages, punitive damages, attorneys' fees, and other relief. Because the statute provides per-violation statutory damages, class actions can produce aggregate exposure in the hundreds of millions of dollars.

Page: https://lokker.com/privacy-law/vppa
Markdown: https://lokker.com/privacy-law/vppa.md

### California Invasion of Privacy Act (CIPA)

**Jurisdiction:** California

California wiretap law frequently cited in class actions against companies using session replay, chat widgets, and form-capture tools. Section 631 prohibits intercepting communications without consent. Statutory damages are $5,000 per violation.

**Penalties:** CIPA provides statutory damages of $5,000 per violation, civil penalties of up to $2,500 for each violation, injunctive relief, and attorneys' fees. The per-violation framing creates leverage for plaintiffs even in cases involving a small number of named plaintiffs.

Page: https://lokker.com/privacy-law/cipa
Markdown: https://lokker.com/privacy-law/cipa.md

### HIPAA and Website Tracking Technologies (HIPAA)

**Jurisdiction:** Federal (US)

OCR guidance confirms that ad pixels and analytics tools on HIPAA-covered entity websites can constitute impermissible disclosures of ePHI, even on public-facing pages.

**Penalties:** HIPAA civil monetary penalties range from $137 to $68,928 per violation, depending on culpability, up to a maximum of $2,067,813 per violation category per year. Willful neglect violations that are not corrected can reach the statutory maximum. OCR investigations are triggered by breach reports, complaints, and proactive audits. State attorneys general can also bring enforcement actions for HIPAA violations affecting their residents.

Page: https://lokker.com/privacy-law/hipaa-website-marketing
Markdown: https://lokker.com/privacy-law/hipaa-website-marketing.md

### California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA)

**Jurisdiction:** California

California's comprehensive consumer privacy law gives residents opt-out rights over the sale and sharing of their personal information. The CPRA created the California Privacy Protection Agency to enforce the law alongside the Attorney General.

**Penalties:** The California Attorney General can impose civil penalties of $2,500 per unintentional violation and $7,500 per intentional violation. The California Privacy Protection Agency (CPPA), created by the CPRA, has independent enforcement authority and has begun issuing enforcement actions. The CCPA also provides consumers with a limited private right of action for data breaches involving certain categories of personal information.

Page: https://lokker.com/privacy-law/ccpa-cpra
Markdown: https://lokker.com/privacy-law/ccpa-cpra.md

### Illinois Biometric Information Privacy Act (BIPA)

**Jurisdiction:** Illinois

Illinois biometric privacy law with a private right of action and statutory damages of $1,000-$5,000 per violation. Active litigation targets facial recognition, device fingerprinting, and behavioral biometrics.

**Penalties:** BIPA provides liquidated damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation, plus attorneys' fees and costs. The Illinois Supreme Court held in Cothron v. White Castle that each unlawful scan or transmission constitutes a separate violation. At $5,000 per transmission, per class member, aggregate exposure in BIPA class actions has reached hundreds of millions of dollars.

Page: https://lokker.com/privacy-law/bipa
Markdown: https://lokker.com/privacy-law/bipa.md

### Washington My Health My Data Act (MHMDA)

**Jurisdiction:** Washington State

Washington's health data privacy law with a private right of action. Broader than HIPAA, it covers any entity that handles consumer health data, including websites using advertising pixels on health-related content.

**Penalties:** The MHMDA authorizes the Washington AG to bring enforcement actions and seek civil penalties. Critically, it also provides a private right of action that allows individual consumers to sue for actual damages, statutory damages up to $25,000 per violation, and attorneys' fees. This private right of action makes the MHMDA a significant class-action risk for companies that have not addressed health data tracking on their websites.

Page: https://lokker.com/privacy-law/washington-my-health-my-data
Markdown: https://lokker.com/privacy-law/washington-my-health-my-data.md

### New York Health Information Privacy Act (NYHIPA)

**Jurisdiction:** New York State

New York's consumer health data privacy law, passed in 2025, covers any entity handling health information of New York residents regardless of HIPAA coverage. It includes a private right of action and requirements for affirmative consent before collection or sharing of consumer health data.

**Penalties:** NYHIPA authorizes enforcement by the New York Attorney General and provides for civil penalties. The private right of action allows individual consumers to bring claims for violations. Specific penalty amounts and litigation exposure depend on the implementing regulations and early case law as they develop from the 2025 enactment.

Page: https://lokker.com/privacy-law/nyhipa
Markdown: https://lokker.com/privacy-law/nyhipa.md

## Trust, security, and legal

- **Security** (https://lokker.com/security): Lokker's security practices, infrastructure posture, and
  responsible disclosure policy.
- **Privacy policy** (https://lokker.com/privacy-policy): How Lokker collects, uses, stores, and
  protects data about users of the lokker.com website and platform.
- **Terms of use** (https://lokker.com/terms-of-use): Terms governing use of the Lokker platform and
  website.

Note: Lokker findings represent observable technical behaviors, not legal conclusions or
legal advice. Organizations should consult qualified legal counsel for advice specific to
their situation.

## Engagement model and boundaries

**Who Lokker works with:**
- Enterprises: privacy, legal, compliance, engineering, and IT/security teams
- Defense counsel: law firms and legal teams defending organizations against privacy claims
- Insurance underwriters: cyber and privacy insurance teams assessing and monitoring risk
- Agencies: digital and marketing agencies managing client properties and privacy programs
- Any organization that wants to understand, improve, or maintain its privacy posture

**Who Lokker does not work with:**
- Plaintiff-side counsel. Lokker supports organizations and their defense, not those bringing
  claims against them.

**Engagement entry points:**
- Product demo: https://lokker.com/demo
- Contact: https://lokker.com/contact
- Training inquiry: https://lokker.com/contact?interest=training

## Common questions

The following Q&A pairs are drawn from the same data that powers FAQPage JSON-LD on individual pages.
They are provided here in plain Markdown so LLM pipelines, RAG systems, and AI assistants can
retrieve structured answers without parsing HTML or executing JavaScript.

### Privacy law questions

**What is VPPA (Video Privacy Protection Act)?**

The Video Privacy Protection Act (VPPA) is a federal law that prohibits any company delivering video content online from disclosing a viewer's viewing history to a third party without explicit written consent. Passed in 1988, it now drives a wave of class-action lawsuits against news sites, healthcare providers, and streaming services that run advertising pixels alongside embedded video. Statutory damages are $2,500 per violation, which means class actions can generate enormous aggregate exposure. If your site embeds video and runs Meta Pixel, Google Tag Manager, or similar ad trackers on the same page, you may be in scope. Lokker documents which pixels fire on video pages, what data they transmit, and whether a valid consent mechanism was in place at the time.

Full guidance: https://lokker.com/privacy-law/vppa

**Does the VPPA only apply to video streaming companies?**

No. Courts have applied the VPPA broadly to any website that delivers video content online, including news publishers, healthcare providers, educational institutions, and e-commerce sites with product videos. The threshold question is whether the site delivers video content to consumers and whether a third-party disclosure of viewing records occurred.

**Is the Meta Pixel on a news site definitely a VPPA violation?**

Not automatically. VPPA liability requires disclosure of video viewing records in a form that is personally identifiable. Whether a specific pixel configuration transmits identifiable viewing data depends on the exact events configured, the cookies present in the request, and the user's login state. This is a fact-specific technical analysis that courts have resolved differently in different cases.

**Can consent cure a VPPA claim?**

The VPPA requires specific written consent that clearly describes the types of information to be disclosed, the parties to whom disclosure may be made, and the period of time for which consent is valid. General terms of service or cookie consent that does not specifically address video viewing history may not satisfy the VPPA consent standard. Defense counsel and privacy engineers should review the consent mechanism in detail.

**How does Lokker help with a VPPA defense?**

Lokker produces network-layer forensic documentation of which pixels were active on your video pages, what data they transmitted, and under which consent conditions. That documentation gives defense counsel factual evidence about the technical configuration at issue rather than requiring reconstruction from partial records.

**Does deploying a privacy notice eliminate CIPA liability?**

A privacy notice alone does not satisfy CIPA's all-party consent requirement. CIPA requires that all parties to a communication consent to interception. Courts have generally required that consent be clearly disclosed at or before the time of interception, not buried in a privacy policy. Whether a cookie consent banner or session replay disclosure is sufficient depends on the specific language, placement, and timing.

**Is there a "party exception" that protects session replay vendors?**

CIPA has a party exception that exempts the parties to a communication from liability for receiving that communication. Courts have split on whether a session replay vendor is a "party" to the user's website interaction or a third-party interceptor. The outcome depends on the vendor's relationship with the operator and how the vendor uses the data. This is an active area of litigation with inconsistent results.

**Can turning off the session replay tool moot the case?**

Removing the tool after a demand letter does not moot the existing claims, which are based on past conduct. It may affect injunctive relief arguments. Evidence preservation is the first priority when a demand letter arrives.

**What is HIPAA (HIPAA and Website Tracking Technologies)?**

Common PHI issues in digital marketing for healthcare organizations include advertising pixels that transmit diagnosis-related page URLs (such as /oncology/ or /mental-health/) to ad networks, Google Analytics collecting page-level data that reveals what conditions a user researched, session replay tools recording what patients typed into symptom checkers or appointment forms, and call-tracking numbers that link a caller's phone number to the health topic they browsed. Under HIPAA and the 2022 HHS OCR guidance, these disclosures may be impermissible even on public-facing pages. Lokker scans healthcare websites and surfaces these patterns so privacy and compliance teams can prioritize remediation before an incident or regulatory inquiry.

Full guidance: https://lokker.com/privacy-law/hipaa-website-marketing

**Does the OCR guidance apply only to pages behind the patient portal login?**

No. The OCR guidance explicitly covers public-facing pages on covered entity websites. A symptom checker, a physician directory, a disease-specific resource page, or any other page that reveals a user's health-related interest is in scope, even if the user is not authenticated.

**We have a BAA with Google Analytics. Does that solve the problem?**

A business associate agreement is a necessary but not sufficient control. The BAA governs the vendor's handling of PHI, but it does not change the fact that PHI is being disclosed to the vendor in the first place. The risk assessment question is whether the disclosure is permissible under HIPAA, not just whether a BAA exists.

**Is FreshPaint a complete solution to HIPAA pixel concerns?**

FreshPaint proxies marketing data and strips ePHI before routing events to downstream vendors. It addresses the disclosure risk for the specific vendors it proxies. However, it does not cover other third-party scripts on the page, does not replace your CMP's consent obligations, and does not govern session replay tools, call tracking, or other technologies outside its proxy scope. A complete HIPAA web privacy program requires independent governance of all third-party scripts.

**Is a "Do Not Sell" link sufficient for CCPA compliance?**

No. The link is the disclosure mechanism. Compliance requires that the opt-out request is technically honored, meaning that the data flows that constitute "selling" or "sharing" actually stop when the link is activated. A link that records the preference but does not block pixel and analytics data transmission does not satisfy CCPA.

**Does the CPRA require consent for analytics?**

The CPRA does not generally require opt-in consent for analytics (unlike GDPR in European jurisdictions). However, if analytics data is shared with third parties for cross-context behavioral advertising purposes, the opt-out of sharing obligation applies. The distinction between analytics and advertising data flows matters.

**Is GPC support legally required?**

Yes, under CPRA and regulations adopted by the California Privacy Protection Agency, businesses must treat a valid GPC signal as a consumer's opt-out of sale and sharing of personal information. Technical implementation that recognizes the GPC browser header and applies the opt-out accordingly is required.

**Does BIPA apply to websites, or only to physical devices like fingerprint scanners?**

BIPA applies to any private entity that collects biometric identifiers from Illinois residents, regardless of the collection method. Courts have extended BIPA to software-based collection, including behavioral biometrics and voice prints.

**Is there a facial recognition exemption for security cameras or access control?**

BIPA does not have a broad security or operational exemption. Some courts have recognized narrow exceptions for government actors or specific employment contexts, but website operators do not benefit from a general security exemption.

**Is the MHMDA only relevant to healthcare companies?**

No. The MHMDA applies to any company that handles consumer health data about Washington residents, including general-purpose websites with health-related content, wellness apps, insurance comparison sites, and marketing technology companies that process health-adjacent behavioral data.

**How does MHMDA differ from HIPAA?**

HIPAA applies only to covered entities (healthcare providers, health plans, and clearinghouses) and their business associates. The MHMDA applies to any entity handling consumer health data about Washington residents, regardless of HIPAA coverage status. A tech company that is not a HIPAA covered entity may still be subject to the MHMDA.

**Is NYHIPA only relevant to healthcare companies?**

No. NYHIPA applies to any entity that handles consumer health data about New York residents, regardless of whether it is a HIPAA-covered entity. A general-purpose news site, a wellness app, an insurance comparison platform, or a marketing technology company that processes health-adjacent behavioral data may all be subject to NYHIPA.

**How does NYHIPA compare to HIPAA?**

HIPAA applies to covered entities (healthcare providers, health plans, clearinghouses) and their business associates. NYHIPA applies to any entity handling consumer health data about New York residents, regardless of HIPAA status. NYHIPA's definition of consumer health data is also broader than HIPAA's PHI definition, potentially capturing data that HIPAA would not reach, including inferred health data and geolocation near health facilities.

**How does NYHIPA compare to the Washington My Health My Data Act?**

Both laws share a similar structure: broad definition of consumer health data, application beyond HIPAA-covered entities, affirmative consent requirements, and a private right of action. NYHIPA applies to New York residents while MHMDA applies to Washington residents. Organizations with nationwide digital audiences may need to address both laws simultaneously, as well as HIPAA obligations for covered entity properties.

**What consent standard does NYHIPA require?**

NYHIPA requires affirmative opt-in consent before an entity may collect or share consumer health data. This is a higher standard than a general-purpose cookie consent mechanism that does not specifically reference health data collection. The specific requirements of what constitutes valid affirmative consent under NYHIPA will be clarified through implementing regulations and early enforcement actions.

### Privacy tool and vendor questions

**What is OneTrust and what are its privacy implications?**

OneTrust is one of the most widely deployed consent management platforms (CMPs) for enterprise organizations. It provides cookie scanning, consent banner configuration, a preference center, TCF 2.2 publisher support, and integrations with Google Consent Mode v2. OneTrust helps organizations meet GDPR, CCPA/CPRA, and other privacy laws by giving visitors control over which categories of tracking are permitted. The platform does not guarantee compliance by itself: the consent banner must be correctly configured, cookies must be accurately categorized, and the reject and GPC states must actually prevent non-essential tracking at the network layer. Organizations commonly assume OneTrust is configured correctly without independently verifying what scripts fire in each consent state. Lokker validates OneTrust deployments by running automated consent flows and comparing network activity against what the banner configuration would predict.

Full topic: https://lokker.com/topics/onetrust

**What is OneTrust and what does it do?**

OneTrust is a consent management platform (CMP) that provides cookie consent banners, preference centers, and privacy rights management tools. It helps organizations manage GDPR consent, CCPA opt-outs, and Global Privacy Control (GPC) signals. OneTrust scans websites for cookies and tracking technologies, allows administrators to categorize them, and then controls which categories are permitted to load based on visitor consent choices. It also handles data subject access requests and integrates with advertising platforms that require consent signals.

**Is OneTrust GDPR compliant?**

OneTrust is a GDPR-compliant platform in that it provides the tools needed to implement consent management under GDPR requirements, including opt-in consent, granular category control, and data subject rights workflows. However, using OneTrust does not automatically make your website GDPR compliant. Your OneTrust configuration must be correct: cookies must be accurately categorized, the consent banner must appear before non-essential tracking begins, and the reject state must actually prevent non-consented cookies from loading. Misconfigured OneTrust deployments that let cookies fire before or regardless of consent are a common finding in privacy audits.

**Why do cookies still fire after I reject in OneTrust?**

Cookies or tracking scripts firing after a user rejects in OneTrust is typically caused by one of these configuration issues: the tag or cookie is assigned to the wrong OneTrust category and fires as functional when it should be categorized as analytics or advertising; the script loads from a tag manager that is not properly integrated with OneTrust's consent signals; or the OneTrust blocking rules are applied too late in the page load sequence. Diagnosing this requires network-layer inspection comparing what fires in the reject state versus the accept state, not just reviewing the OneTrust workspace configuration.

**What is TrustArc and what are its privacy implications?**

TrustArc is a privacy management platform that provides consent management, cookie banners, privacy risk assessments, and compliance workflows. It is widely deployed by enterprises for GDPR and CCPA compliance. TrustArc's consent management product handles cookie scanning, user consent capture, preference centers, and GPC signal processing. Like all CMPs, TrustArc must be correctly configured to actually block non-consented tracking: a banner appearing on a site is not the same as tracking being stopped. TrustArc is commonly deployed by large organizations with complex multi-property portfolios and multilingual consent requirements.

Full topic: https://lokker.com/topics/trustarc

**What is TrustArc and what does it do?**

TrustArc is a privacy management and consent management platform used primarily by enterprise organizations. It provides cookie consent banners and preference centers for GDPR, CCPA, and other privacy laws, along with tools for privacy risk assessment, data subject rights management, and vendor risk management. TrustArc's consent product categorizes cookies and tracking technologies and controls which categories load based on the user's consent choice. It supports IAB TCF 2.2 and Global Privacy Control.

**How does TrustArc handle GDPR consent requirements?**

TrustArc handles GDPR consent by presenting users with a consent banner that allows them to accept or decline tracking by category before non-essential scripts load. It maintains consent records, supports withdrawal of consent, and integrates with tag managers to prevent non-consented scripts from executing. Proper GDPR use requires that the TrustArc implementation is configured so that non-essential tracking does not start until the user actively accepts it, and that rejecting consent genuinely stops that tracking at the network level.

**What is Cookiebot and what are its privacy implications?**

Cookiebot is a consent management platform (CMP) that scans websites for cookies and tracking technologies, categorizes them, and presents visitors with a consent banner that lets them accept or decline tracking by category. When a visitor rejects non-essential cookies, Cookiebot blocks those technologies from loading. Cookiebot is IAB TCF 2.2 certified, supports Global Privacy Control (GPC), and is widely used by organizations subject to GDPR and CCPA. The platform works by periodically scanning your site's pages and building a cookie declaration. Gaps in coverage can occur if pages are added after the last scan, if cookies are loaded from JavaScript that the scanner did not execute, or if consent category assignments are incorrect. Lokker validates whether Cookiebot's block rules actually stop tracking at the network layer in each consent state.

Full topic: https://lokker.com/topics/cookiebot

**What does Cookiebot scan for?**

Cookiebot scans websites by crawling pages and executing JavaScript to identify cookies, local storage items, tracking pixels, and script loads that originate from third-party domains. It then categorizes what it finds into functional, preferences, statistics, and marketing categories. The scan results are used to build the cookie declaration presented to visitors and to configure which categories Cookiebot blocks when a user rejects non-essential tracking. The scan must be re-run when site content changes, as cookies added after the last scan are not automatically blocked.

**Does Cookiebot support GDPR and Global Privacy Control (GPC)?**

Yes. Cookiebot is a certified CMP under the IAB Transparency and Consent Framework (TCF 2.2) and supports GPC signals. When GPC is detected, Cookiebot can be configured to automatically apply a reject state for non-essential tracking without requiring the user to interact with the consent banner. This is required in California under CCPA/CPRA and recommended under GDPR to respect browser-level privacy preferences. Configuration of GPC handling must be reviewed and tested independently to confirm it works as expected.

**Is Cookiebot enough for GDPR compliance?**

Cookiebot provides the consent banner and blocking infrastructure, but it is not a complete GDPR compliance solution by itself. Compliance also requires accurate categorization of all cookies and scripts, a data retention policy, a Data Processing Agreement with third-party vendors, privacy policy disclosures, and a process for handling data subject access requests. Additionally, Cookiebot's blocking must be verified at the network layer: a consent banner that displays and a CMP that blocks are different things, and the gap between them is where most compliance failures occur.

**What is Usercentrics and what are its privacy implications?**

Usercentrics is a consent management platform (CMP) that focuses on GDPR and CCPA compliance, offering granular consent management at the individual service or vendor level rather than broad cookie categories. It is widely used in Europe and supports IAB TCF 2.2 and Google Consent Mode v2. Usercentrics allows organizations to define which services are permitted by default, which require explicit consent, and which are always blocked. Like all CMPs, Usercentrics must be correctly configured and its blocking behavior must be independently verified: services that bypass the Usercentrics integration, that load from a tag manager without a Usercentrics trigger, or that are miscategorized may fire outside permitted consent states.

Full topic: https://lokker.com/topics/usercentrics

**What is Usercentrics and is it GDPR compliant?**

Usercentrics is a consent management platform that helps websites comply with GDPR and other privacy laws by presenting visitors with consent choices at the individual service level. It is a certified TCF 2.2 CMP and supports Google Consent Mode v2. Using Usercentrics contributes to GDPR compliance but does not guarantee it: the platform must be configured correctly, all services must be included and properly categorized, and the reject state must actually prevent non-consented services from loading. Usercentrics is particularly popular for GDPR-first implementations in the EU and Germany.

**How does Usercentrics block cookies and tracking?**

Usercentrics blocks cookies and tracking by intercepting script loads and preventing non-consented services from initializing. It does this through a combination of script tag blocking, where the Usercentrics snippet loads before other scripts and conditionally allows them based on consent, and integration with tag managers using consent triggers. For the blocking to work correctly, every service that requires consent must be registered in Usercentrics and its script must be loaded through a mechanism that Usercentrics controls.

**What is Google Tag Manager and what are its privacy implications?**

Google Tag Manager (GTM) is a free tag management system that lets marketers deploy tracking scripts, pixels, and analytics tools without direct code changes. GTM itself does not collect user data, but it acts as a deployment channel for tools that do. The privacy risk from GTM comes from what tags it deploys, not from GTM itself. If a tag fires before consent is given, or if a rejected consent state does not actually prevent the tag from loading, the organization bears the compliance exposure. Common issues include tags configured to fire on "All Pages" regardless of consent state, missing trigger conditions that should block tags in GPC or reject states, and tags added by marketing teams that bypass privacy review.

Full topic: https://lokker.com/topics/google-tag-manager

**Is Google Tag Manager a privacy risk?**

Google Tag Manager itself does not collect user data. The privacy risk comes from the tags it deploys. If GTM is used to deploy advertising pixels, session replay tools, or analytics scripts that fire before or regardless of user consent, the organization is exposed to liability under GDPR, CCPA, and CPRA. GTM governance, consent trigger conditions, and independent verification of what actually fires in each consent state are the controls that matter.

**Does Google Tag Manager work with consent management platforms?**

Yes. GTM supports consent mode variables and trigger conditions that can pause or activate tags based on the user's consent state from a CMP like OneTrust or Cookiebot. However, the CMP and GTM must be configured correctly together, and the integration must be independently verified. Misconfigured trigger conditions frequently allow tags to fire in reject states even when the configuration appears correct in the GTM workspace.

**What are the main Google Tag Manager security risks?**

The main security risks from GTM include injection of unauthorized scripts (if GTM container access is compromised or shared too broadly), third-party tags that load additional scripts not visible in the GTM workspace, and tags that exfiltrate form data or session information to external servers. From a privacy standpoint, the largest risk is deployment of tracking technologies that fire outside the scope of user consent.

**How do I audit what Google Tag Manager is actually sending?**

GTM's built-in preview mode shows which tags fired on a page load, but it does not show the full network payload each tag sent. A network-layer audit using browser developer tools, a HAR file capture, or a platform like Privacy Edge captures every outbound request including the data each tag transmitted, which third-party domains received the request, and whether the request occurred before or after a consent event.
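The comparison this answer describes, and the reject-versus-accept comparison from the OneTrust question above, as an added Python example that is not Lokker's code: it reads two HAR captures of the same page (accept state and reject state), reports third parties contacted before the banner was answered, third parties still contacted after rejection, and whether the reject capture carried a GPC signal. The captures, hosts, container id and consent-exempt allowlist are constructed for the example.

```python
"""Added example (not Lokker's code): audit CMP behaviour from two HAR captures."""
import json
from datetime import datetime
from urllib.parse import urlsplit

# Hosts that may be contacted in every consent state: the tag-manager container
# and the CMP script that renders the banner. This allowlist is an assumption
# for the example; a real one is site specific and must be reviewed.
CONSENT_EXEMPT_HOSTS = {"www.googletagmanager.com", "consent.cookiebot.com"}


def parse_time(value):
    """HAR startedDateTime is ISO 8601; normalise a trailing Z for older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_first_party(host, site_host):
    """Treat the site host and its subdomains as first party."""
    return host == site_host or host.endswith("." + site_host)


def request_hosts(har, site_host, before=None, after=None):
    """Third-party hosts contacted in a HAR, optionally limited to requests
    started strictly before / at-or-after a consent timestamp."""
    hosts = set()
    for entry in har["log"]["entries"]:
        started = parse_time(entry["startedDateTime"])
        if before is not None and started >= before:
            continue
        if after is not None and started < after:
            continue
        host = urlsplit(entry["request"]["url"]).hostname or ""
        if not is_first_party(host, site_host):
            hosts.add(host)
    return hosts


def gpc_sent(har, site_host):
    """True if any first-party request in the capture carried Sec-GPC: 1."""
    for entry in har["log"]["entries"]:
        host = urlsplit(entry["request"]["url"]).hostname or ""
        if not is_first_party(host, site_host):
            continue
        for header in entry["request"].get("headers", []):
            if header["name"].lower() == "sec-gpc" and header["value"].strip() == "1":
                return True
    return False


def audit_consent_states(accept_har, reject_har, site_host, consent_time):
    """Compare accept-state and reject-state captures of the same page.
    consent_time is when the tester clicked the banner in the accept capture."""
    after_consent = request_hosts(accept_har, site_host, after=consent_time)
    pre_consent = request_hosts(accept_har, site_host, before=consent_time)
    reject_hosts = request_hosts(reject_har, site_host)
    return {
        # third parties contacted only once consent was granted: expected behaviour
        "consented": sorted(after_consent - CONSENT_EXEMPT_HOSTS),
        # third parties contacted before the banner was answered: a finding
        "fired_before_consent": sorted(pre_consent - CONSENT_EXEMPT_HOSTS),
        # third parties still contacted after rejection: the CMP did not block them
        "fired_in_reject_state": sorted(reject_hosts - CONSENT_EXEMPT_HOSTS),
        "gpc_signal_present_in_reject_capture": gpc_sent(reject_har, site_host),
    }


def _har(entries):
    """Build a minimal HAR 1.2 document from (time, url, headers) tuples (constructed)."""
    return {"log": {"version": "1.2", "entries": [
        {"startedDateTime": t, "request": {"method": "GET", "url": u, "headers": h}}
        for t, u, h in entries]}}


# Constructed captures for www.example.com; the banner was accepted at 10:00:05Z.
ACCEPT_HAR = _har([
    ("2024-05-01T10:00:00.000Z", "https://www.example.com/", []),
    ("2024-05-01T10:00:01.000Z", "https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER", []),
    ("2024-05-01T10:00:02.000Z", "https://connect.facebook.net/en_US/fbevents.js", []),
    ("2024-05-01T10:00:07.000Z", "https://www.google-analytics.com/g/collect?v=2", []),
])
REJECT_HAR = _har([
    ("2024-05-01T10:05:00.000Z", "https://www.example.com/", [{"name": "Sec-GPC", "value": "1"}]),
    ("2024-05-01T10:05:01.000Z", "https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER", []),
    ("2024-05-01T10:05:03.000Z", "https://static.hotjar.com/example-script.js", []),
])
CONSENT_TIME = parse_time("2024-05-01T10:00:05.000Z")

if __name__ == "__main__":
    # A real run would load the captures with json.load(open("accept.har")) etc.
    print(json.dumps(audit_consent_states(ACCEPT_HAR, REJECT_HAR,
                                          "www.example.com", CONSENT_TIME), indent=2))
```

Hosts that appear under `fired_before_consent` or `fired_in_reject_state` are the ones to trace back to a tag, trigger or category assignment in the CMP and tag manager.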

**What is Hotjar and what are its privacy implications?**

Hotjar can be used in a GDPR-compliant way, but it requires deliberate configuration and consent gating. By default, Hotjar starts session recording as soon as the script loads, which means it can capture visitor activity before consent is given. For GDPR compliance, Hotjar must be blocked from loading until the user accepts analytics cookies, and opt-out signals including GPC must prevent recording entirely. Hotjar provides consent management documentation and supports a suppress recording API, but these features must be implemented and independently verified. Under CCPA, California users can opt out of data sale, and Hotjar offers data deletion and suppression mechanisms. Lokker validates whether Hotjar actually stops recording in reject and GPC states at the network layer, not just in the CMP configuration.

Full topic: https://lokker.com/topics/hotjar

**Is Hotjar GDPR compliant?**

Hotjar can be GDPR-compliant with correct configuration, but it is not compliant by default. Key requirements include: blocking Hotjar from loading until the user consents to analytics tracking, honoring opt-out and GPC signals to prevent session recording, configuring data retention to the minimum required period, and enabling IP anonymization. Hotjar processes data under a Data Processing Agreement (DPA) and supports EU data residency for recordings. Independent network-layer validation is needed to confirm these settings work in practice.

**Does Hotjar record before consent?**

By default, Hotjar begins recording as soon as its script loads. Without explicit consent gating in your CMP or tag manager, Hotjar may capture visitor sessions before a user has accepted or rejected consent. This violates GDPR for European users, for whom opt-in consent is required before analytics data collection. The fix is to gate Hotjar's script load on consent acceptance and use Hotjar's suppress recording API or consent mode integration to stop recording when consent is not granted.

**What data does Hotjar collect and does it expose personal data?**

Hotjar collects session recordings of user activity including mouse movements, clicks, scrolls, and keypresses. By default, all text fields are masked, but if masking is not correctly configured, form inputs including names, email addresses, and health information can appear in recordings. Hotjar also collects IP addresses, browser identifiers, and device data. For healthcare organizations or any site handling sensitive data, session replay tools require careful configuration and consent management to avoid PHI exposure.

**What is Google Analytics 4 and what are its privacy implications?**

Google Analytics 4 (GA4) can be used in a GDPR-compliant way, but compliance requires specific configuration steps including Consent Mode v2, data residency settings, and IP anonymization. GA4 is not GDPR-compliant by default. Organizations in the EU or targeting EU users must enable Consent Mode so GA4 adjusts its data collection based on user consent signals, store data in EU data centers where available, configure data retention to the shortest period appropriate, and ensure that no personal data is passed in event parameters or URL paths. Even with Consent Mode enabled, behavioral modeling (where GA4 estimates conversions from non-consenting users) may raise questions under strict interpretations of GDPR. Independent validation of what GA4 actually sends before and after consent is the only way to confirm the configuration works as expected.

Full topic: https://lokker.com/topics/google-analytics-4

**Is Google Analytics 4 GDPR compliant?**

GA4 is not GDPR-compliant by default. To use GA4 in a GDPR-compliant way, you need to implement Consent Mode v2 to adjust data collection based on user consent, configure EU data residency where available, set appropriate data retention periods, and ensure no personal data passes through event parameters or URL paths. Independent verification of what GA4 sends before and after consent is required because configuration in the GA4 interface does not guarantee network-layer compliance.

**What is GA4 Consent Mode and is it enough for GDPR?**

GA4 Consent Mode v2 tells GA4 whether the user has consented to analytics and advertising. When consent is denied, GA4 uses behavioral modeling to estimate conversions rather than tracking individuals. Whether this satisfies GDPR depends on your jurisdiction and interpretation: some data protection authorities have issued guidance that even modeled data creates compliance risk. Consent Mode is a necessary component but not a complete substitute for a privacy review of your full GA4 configuration.

**Does Google Analytics violate GDPR?**

Several European data protection authorities, including those in Austria, France, Italy, and Denmark, have found that using Google Analytics without adequate safeguards violates GDPR, primarily because GA4 sends personal data (IP addresses, cookie values) to US-based Google servers, which does not meet GDPR data transfer requirements without additional safeguards. Google's updated Consent Mode v2 and EU data residency options address some but not all of these concerns.

**What is FullStory and what are its privacy implications?**

FullStory is a session replay and digital experience analytics platform that records visitor interactions including clicks, scrolls, and form inputs. Like all session replay tools, it creates privacy risk when it records before user consent is granted or when masking rules fail to suppress sensitive data. FullStory supports a consent API and allows recording to be suppressed or deferred, but these controls must be configured and independently verified. Recording can be limited by adding the "fs-exclude" class to page elements that must not be captured, or stopped entirely by calling FullStory.shutdown() when a user rejects consent. GDPR requires opt-in before session recording begins for EU visitors. Under CCPA, users can opt out of data sale. Lokker validates whether FullStory actually stops recording at the network layer after opt-out, not just in the configuration settings.

Full topic: https://lokker.com/topics/fullstory

**How do I opt out of FullStory session recording?**

There are several ways to prevent FullStory from recording a user. For individual users, FullStory provides an opt-out URL (fullstory.com/optout) that sets a browser cookie to prevent recording. For website operators, you can call FullStory.shutdown() programmatically when a user rejects consent in your CMP. You can also add the CSS class "fs-exclude" to specific elements or "fs-block" to mask content within recordings. For complete GDPR compliance, FullStory should not initialize at all before the user grants consent, not merely be paused or suppressed.
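The gating pattern described above, as an added example that is not FullStory's or Lokker's code: the replay snippet is never injected in the pre-consent, reject, or GPC states, and FullStory.shutdown() is called if it somehow started anyway. The CMP consent shape, the `cmp:consent-changed` event name and `REPLAY_SCRIPT_URL` are assumptions, not from the page.

```javascript
// Added example, not FullStory's or Lokker's code. It gates a session-replay
// snippet on the CMP consent state and on Global Privacy Control (GPC).
// Assumptions (not from the page): the CMP reports analytics consent as
// true (accepted), false (rejected) or undefined (banner shown, no
// interaction yet); the vendor exposes a global with shutdown() once
// loaded (FullStory.shutdown(), as above); REPLAY_SCRIPT_URL and the
// 'cmp:consent-changed' event name are placeholders.

const REPLAY_SCRIPT_URL = 'https://replay-vendor.example/snippet.js'; // placeholder

// Pure decision: what happens to the replay tool in this consent state.
// GPC is treated as an opt-out that overrides a banner "accept", so a
// visitor asserting GPC is never recorded.
function decideReplayAction({ analyticsConsent, gpc, alreadyRunning }) {
  const permitted = analyticsConsent === true && gpc !== true;
  if (permitted) return alreadyRunning ? 'keep' : 'load';
  // Pre-consent (undefined), reject (false) and GPC all land here: never
  // inject the snippet, and if something else already started it (for
  // example a tag mis-categorised as strictly necessary), shut it down.
  return alreadyRunning ? 'shutdown' : 'block';
}

// Adapter so the same logic runs in a page or in a dry run.
//   env.gpc          <- navigator.globalPrivacyControl
//   env.replayGlobal <- window.FullStory (undefined until the snippet loads)
//   env.injectScript <- appends a <script> tag to the document
function applyReplayConsent(analyticsConsent, env) {
  const alreadyRunning = Boolean(env.replayGlobal);
  const action = decideReplayAction({
    analyticsConsent,
    gpc: env.gpc === true,
    alreadyRunning,
  });
  if (action === 'load') env.injectScript(REPLAY_SCRIPT_URL);
  if (action === 'shutdown' && typeof env.replayGlobal.shutdown === 'function') {
    env.replayGlobal.shutdown();
  }
  return action;
}

// Real-browser environment; only built when a DOM exists.
function browserEnv() {
  return {
    gpc: navigator.globalPrivacyControl === true,
    replayGlobal: window.FullStory,
    injectScript(src) {
      const s = document.createElement('script');
      s.src = src;
      s.async = true;
      document.head.appendChild(s);
    },
  };
}

// Recording environment for tests and dry runs: logs what would happen.
function recordingEnv({ gpc = false, running = false } = {}) {
  const log = [];
  return {
    gpc,
    replayGlobal: running ? { shutdown: () => log.push('shutdown') } : undefined,
    injectScript: (src) => log.push(`inject ${src}`),
    log,
  };
}

// Page wiring: re-evaluate whenever the CMP reports a consent change.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  window.addEventListener('cmp:consent-changed', (e) => {
    applyReplayConsent(e.detail.analytics, browserEnv());
  });
}
```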

**Is FullStory session replay compliant with GDPR?**

FullStory can be used in a GDPR-compliant way with proper configuration, including blocking the FullStory script from loading until analytics consent is granted, configuring masking rules to suppress PII and sensitive inputs, setting data retention to the minimum period, and entering a Data Processing Agreement with FullStory. FullStory supports GDPR compliance features including EU data residency in some plans and a consent mode integration. Independent validation that recording actually stops in reject and GPC states is required.

**What data does FullStory collect in session replays?**

FullStory captures mouse movements, clicks, scroll depth, keypresses, page URLs, browser and device information, and network timing. By default, FullStory applies automatic redaction rules that mask input fields in forms. However, rules can fail if custom input components are used or if the field type is not recognized. For healthcare organizations, any session replay tool that runs on pages where users enter health information creates potential PHI exposure risk under HIPAA if the replay data is transmitted to a third party.

### MarTech category questions

**What is session replay and how does it work?**

Session replay records visitor interactions on a web page including mouse movement, clicks, scrolls, form interactions, and in some cases network requests. The recording script runs in the visitor browser, captures interaction events, and transmits them to the replay vendor server. Teams use the recordings to understand where users struggle, why they abandon forms, and how specific user journeys play out.

**What is the difference between session replay and heatmaps?**

Session replay records individual user sessions as a playable timeline of interactions. Heatmaps aggregate interaction data across thousands of sessions into a visual overlay showing where users click, how far they scroll, and where their cursor moves most frequently. Most session replay tools include both; heatmaps are generated from the same session data.

**Can session replay be classified as strictly necessary under a consent banner?**

No. Session replay is not required to deliver the service the visitor explicitly requested. It is an analytics and product research tool. Classifying it as strictly necessary or essential in a CMP would cause it to load before consent and fire in reject states, creating liability under GDPR, CCPA, and related regulations. It should be placed in an analytics or performance consent category and gated behind consent.

**Is Microsoft Clarity HIPAA compliant?**

No. Microsoft does not offer a HIPAA Business Associate Agreement for Microsoft Clarity. It should not be deployed on any healthcare web page that renders, processes, or could expose protected health information. This includes patient portals, appointment booking, symptom checkers, and any page accessible after login in a healthcare context.

**Which session replay tools offer a HIPAA BAA?**

FullStory, LogRocket (enterprise plans), Glassbox, and PostHog (enterprise cloud or self-hosted) can provide a HIPAA BAA. Even with a BAA in place, you must validate that the tool only loads and transmits data when appropriate consent or authorization exists. A BAA does not eliminate the obligation to gate the tool behind a valid CMP configuration.

**Can I use Hotjar on a healthcare website?**

Hotjar does not offer a HIPAA BAA and is not appropriate for use on pages that display or process PHI. For public-facing marketing pages that do not display any patient data, the HIPAA obligation may not apply directly, but state health data laws and OCR guidance on tracking technologies extend beyond strictly HIPAA-covered contexts. Consult your compliance team for your specific deployment.

**Which session replay tools are GDPR compliant with PII masking?**

The most GDPR-aligned tools with strong default PII masking are Mouseflow, Glassbox, and PostHog. Mouseflow and Glassbox mask all text inputs by default. PostHog self-hosted gives complete data sovereignty with no third-party transfer. FullStory and LogRocket have GDPR-compliant features and EU data residency but require configuration to mask general text fields beyond passwords. Microsoft Clarity and Hotjar do not mask text inputs by default and require explicit configuration. For all tools, GDPR compliance also requires that recording stops completely when a user rejects analytics consent, which must be validated at the network layer: the recording script must not fire, not just produce masked output.

**What does PII masking in session replay actually protect?**

PII masking in session replay replaces sensitive text fields, such as names, email addresses, phone numbers, credit card numbers, and health-related inputs, with placeholder characters in the recorded session. A properly masked session shows layout and interaction patterns but not the actual values typed. However, masking does not prevent the recording script from running, transmitting session metadata (URL, referrer, session ID, timestamps, device fingerprint), or identifying the user through cookies or custom identify calls. Masking reduces but does not eliminate the privacy impact of session replay.

**Is session replay legal under GDPR?**

Session replay can be lawful under GDPR with the right legal basis. For analytics and product improvement purposes, consent is typically the appropriate basis in European jurisdictions. This requires an opt-in consent banner, gating the replay script behind the acceptance state, and confirming through network-layer testing that the script does not load in pre-consent or reject states. Data minimization, retention limits, and vendor DPAs are also required.

**Does session replay comply with VPPA?**

VPPA class actions have alleged that session replay tools capture video viewing history when deployed on pages with embedded video. The legal theory holds that transmitting a record of what video content a visitor watched to a third-party vendor without consent constitutes an unlawful disclosure of video privacy information. The risk applies to news, entertainment, healthcare, and any site with embedded video. Legal review is necessary before deploying session replay on video-containing pages.

**How should session replay be categorized in OneTrust, Cookiebot, or TrustArc?**

Session replay belongs in a performance, analytics, or statistics consent category in your CMP. It must be gated so the recording script does not load in the pre-consent state, the no-interaction state, or the reject state. Use Lokker Consent Validator to confirm that the categorization is actually enforced at the network layer, not just configured in the CMP dashboard.

**How do I validate that session replay stops when a user rejects analytics?**

The only reliable validation is network-layer testing. Lokker Consent Validator runs automated browser sessions in each consent state and captures whether the replay tool makes outbound requests in states where it should be blocked. Dashboard-based confirmation from the CMP provider or the replay vendor is not sufficient because neither captures what actually crossed the wire from the visitor browser.
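The check described above, as an added example that is not Lokker's code: given a capture of outbound requests for each consent state, flag any replay or analytics vendor request seen in a state where that category is not permitted. The sample captures and the vendor host mapping are constructed for illustration.

```javascript
// Added example, not Lokker's code: the core check a network-layer consent
// validator performs. Each consent state produces a capture of the outbound
// requests the browser made; a vendor request seen in a state where its
// consent category is not permitted is a finding. The captures below and the
// vendor-to-host mapping are constructed for illustration.

// Which consent states permit each category. Session replay and analytics
// are only permitted once the visitor has accepted; they must be silent in
// the pre-consent, no-interaction, reject and GPC states.
const ALLOWED_STATES = {
  analytics: new Set(['accept']),
  essential: new Set(['pre-consent', 'no-interaction', 'reject', 'gpc', 'accept']),
};

// Vendor host patterns (illustrative, not a complete inventory).
const VENDOR_RULES = [
  { vendor: 'Hotjar', category: 'analytics', hosts: ['hotjar.com'] },
  { vendor: 'FullStory', category: 'analytics', hosts: ['fullstory.com'] },
  { vendor: 'Microsoft Clarity', category: 'analytics', hosts: ['clarity.ms'] },
  { vendor: 'Google Analytics', category: 'analytics', hosts: ['google-analytics.com'] },
];

function hostOf(url) {
  return new URL(url).hostname.toLowerCase();
}

// Match a host against the vendor rules, including subdomains.
function matchVendor(host) {
  return VENDOR_RULES.find((r) =>
    r.hosts.some((h) => host === h || host.endsWith('.' + h))) || null;
}

// captures: [{ state, requests: [{ url }] }]
// returns:  [{ state, vendor, url, reason }]
function findViolations(captures) {
  const findings = [];
  for (const { state, requests } of captures) {
    for (const req of requests) {
      const rule = matchVendor(hostOf(req.url));
      if (!rule) continue; // first-party or unlisted third party: inventory, not a finding
      if (!ALLOWED_STATES[rule.category].has(state)) {
        findings.push({
          state,
          vendor: rule.vendor,
          url: req.url,
          reason: `${rule.category} request observed in ${state} state`,
        });
      }
    }
  }
  return findings;
}

// Vendors seen per state, for the "what fired where" summary.
function vendorsByState(captures) {
  const out = {};
  for (const { state, requests } of captures) {
    const seen = new Set();
    for (const req of requests) {
      const rule = matchVendor(hostOf(req.url));
      if (rule) seen.add(rule.vendor);
    }
    out[state] = [...seen].sort();
  }
  return out;
}

// Constructed sample: one page crawled in four consent states.
const SAMPLE_CAPTURES = [
  { state: 'pre-consent', requests: [
    { url: 'https://www.example-site.test/' },
    { url: 'https://static.hotjar.com/c/hotjar-000000.js' }, // replay loaded before any choice
  ] },
  { state: 'reject', requests: [
    { url: 'https://www.example-site.test/' },
    { url: 'https://rs.fullstory.com/rec/page' }, // replay beacon despite reject
  ] },
  { state: 'gpc', requests: [{ url: 'https://www.example-site.test/' }] },
  { state: 'accept', requests: [
    { url: 'https://www.example-site.test/' },
    { url: 'https://static.hotjar.com/c/hotjar-000000.js' },
    { url: 'https://rs.fullstory.com/rec/page' },
  ] },
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(findViolations(SAMPLE_CAPTURES), null, 2));
}
```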

**How does Lokker work with session replay tools?**

Lokker does not replace session replay tools. Privacy Edge detects every replay vendor on your web properties and surfaces associated privacy risks with reason codes. Consent Validator confirms whether each tool stops operating in reject and GPC states. Guardian enforces blocking at the network layer when consent is not met, acting as a safety net for CMP misconfiguration.

**Does Lokker replace my session replay tool?**

No. Lokker is a privacy intelligence and enforcement platform, not a session replay product. It does not record sessions. Lokker validates that the session replay tool you choose operates within your consent obligations, and gives legal and privacy teams evidence-grade confirmation that the deployment is compliant.

**What is the difference between marketing analytics and product analytics?**

Marketing analytics emphasizes acquisition channels, campaigns, and ROI across sessions, often tied to ad platforms. Product analytics emphasizes in-product events, funnels, retention, and feature usage tied to product releases. Many vendors blur the line; privacy review should follow the data, not the label.

**Is Google Analytics 4 GDPR compliant out of the box?**

GDPR compliance depends on your legal basis, consent design, data processing terms, and whether tags load only after valid consent for non-essential analytics. GA4 provides Consent Mode controls, but you must validate behavior in each locale and property, not assume default embeds are lawful.

**What is GA4 Consent Mode v2 and why does it matter?**

Consent Mode v2 lets GA4 adjust tagging behavior based on consent signals for ads personalization, analytics storage, ad storage, and related flags. It reduces some unauthorized processing, but it is not a substitute for verifying that no analytics network calls occur when visitors reject analytics or assert GPC where applicable.

**Is Plausible always more private than Google Analytics?**

Plausible is designed to minimize identifiers and cookie use, which reduces many common risks. You still need a lawful basis, accurate disclosures, and verification that your integration (proxy, goals, and custom props) matches what you describe to users.

**Can I use Mixpanel or Amplitude on a healthcare website?**

Some vendors offer HIPAA-eligible environments under contract, but standard marketing site deployments often fall outside that scope. Any page that could surface PHI in URLs, events, or traits requires legal review, subprocessor review, and technical controls beyond the analytics UI.

**Does Lokker replace my analytics vendor?**

No. Lokker validates and enforces how analytics tools behave on your sites. You keep GA4, Adobe, Mixpanel, Heap, Amplitude, Plausible, Matomo, or PostHog; Lokker gives evidence that those tools respect your consent configuration and corporate policy.

**Why validate analytics if my CMP already blocks tags?**

CMPs configure intent, but tag order, consent string timing, GTM side containers, and vendor updates routinely cause analytics beacons to fire early. Lokker observes actual network requests so privacy and legal teams can trust the implementation, not only the configuration dashboard.

**What counts as marketing automation versus a CDP?**

Marketing automation focuses on journey execution across channels. CDPs focus on unifying customer profiles and event streams for many downstream tools. In practice, Braze, Iterable, and Salesforce blur the boundary with profile stores and data cloud features.

**Do marketing automation platforms replace my CMP?**

No. They consume consent signals and preference data, but your CMP still governs how web tags load. Misalignment between CMP categories and MAP tracking codes is a common source of silent collection.

**Can I use Klaviyo for patient outreach?**

Klaviyo is generally positioned for commerce, not HIPAA-covered treatment communications. Any PHI in email or SMS requires contractual coverage, minimum necessary design, and suppression of clinical merge fields. Consult counsel before building patient journeys.

**How does Salesforce Marketing Cloud interact with Data Cloud?**

Marketing Cloud can sync audiences and events with Salesforce Data Cloud, expanding subprocessors and residency questions. Your privacy review should treat connected clouds as one graph, not isolated SKUs.

**Does Lokker send emails or journeys for me?**

No. Lokker does not replace MAP sending infrastructure. Lokker validates and enforces how tracking and consent behave on the web properties that feed your automation stack.

**Why monitor MAP tags if consent is configured in the vendor UI?**

Vendor dashboards show configuration intent, not browser network reality. Tags delivered through GTM, partial template loads, or single-page app navigations routinely drift from the documented state.

**What are Customer Data Platforms (CDPs) and how do privacy teams evaluate them?**

A customer data platform (CDP) is software that collects and unifies first-party customer data from websites, apps, and other sources into a single profile, then routes that data to marketing, analytics, and advertising tools. When evaluating CDPs for privacy, key questions include whether the CDP propagates consent signals to all downstream destinations, whether it supports EU data residency for GDPR compliance, whether it has a HIPAA Business Associate Agreement available for healthcare organizations, and how it handles Global Privacy Control (GPC) opt-out signals. The hub-and-spoke architecture of most CDPs means that a single misconfigured event or destination can propagate privacy violations across an entire marketing stack.

Full comparison: https://lokker.com/compare/customer-data-platforms

**What is the difference between a CDP and reverse ETL?**

Traditional CDPs emphasize event collection and identity in the CDP cloud. Reverse ETL starts in the warehouse and syncs modeled rows to SaaS tools. Many vendors now blend both patterns.

**Does a warehouse-first CDP remove GDPR obligations?**

No. You still need a lawful basis for processing, accurate disclosures, subprocessor review, and international transfer safeguards. Moving data into Snowflake does not by itself make downstream ad sync lawful.

**How should consent interact with Segment destinations?**

Use Segment consent objects or upstream filtering so events without appropriate consent never reach sensitive destinations. Validate with network testing because destination filters can drift during catalog updates.

**When should I pick Salesforce Data Cloud over Segment?**

If Salesforce is already your system of record for sales, service, and marketing, Data Cloud reduces integration tax. If you are poly-cloud with many non-Salesforce destinations, Segment or RudderStack may remain in play alongside Data Cloud.

**Does Lokker host customer profiles?**

No. Lokker is not a CDP. Lokker observes how CDP-related tags and APIs behave on your digital properties and enforces rules when they misbehave.

**Can Lokker validate server-side CDP traffic?**

Consent Validator focuses on browser consent states. Server-side pipelines still benefit from Privacy Edge portfolio discovery on any client-side bootstrap and from Guardian for browser-originated calls.

**Should chat widgets be in strictly necessary or marketing consent categories?**

It depends on function. Authenticated support chat tied to service delivery may fit a different category than proactive sales bots that profile visitors. Mixed widgets often need conditional loading or separate snippets per journey.

**Is Intercom HIPAA compliant?**

Intercom offers HIPAA configurations on eligible plans with a BAA, but only for in-scope workflows. You must still avoid PHI in marketing playbooks and validate subprocessors tied to AI features.

**Does Zendesk Messaging load before consent?**

Default embed order depends on your tag manager and CMP. Zendesk publishes integration guidance, but privacy teams should verify actual network behavior after each deployment.

**Are chat transcripts encrypted?**

Major vendors encrypt data in transit and at rest, but encryption does not replace consent, access controls, or retention minimization. Review each vendor's security whitepaper against your policy.

**Does Lokker read chat message contents?**

Lokker focuses on whether messenger scripts and endpoints load in authorized consent states and on inventorying related third-party requests. It is not a transcript review tool.

**Can Lokker block chat while leaving analytics allowed?**

Yes. Guardian trust rules can target specific messenger hosts while allowing other categories that your CMP authorizes.

**What are Consent Management Platforms (CMPs) and how do privacy teams evaluate them?**

A consent management platform (CMP) is software that displays cookie consent banners, captures user consent choices, and controls which tracking technologies are permitted to load based on those choices. CMPs are required for GDPR compliance in the EU and support CCPA/CPRA opt-out requirements for California visitors. Key features to compare include IAB TCF 2.2 support, Global Privacy Control (GPC) signal handling, integration with Google Consent Mode v2, EU data residency for consent logs, and cookie scanning accuracy. The most important thing a CMP must do is actually block non-consented tracking at the network layer, not just display a banner. Most CMP evaluations miss this: a consent banner that displays correctly but fails to stop tracking scripts in the reject state is not providing compliance.

Full comparison: https://lokker.com/compare/consent-management-platforms

**What is a consent management platform?**

A CMP is software that displays cookie and tracking notices, records visitor choices, maintains vendor purposes, and communicates consent signals to tags, ad tech, and analytics tools. It is a control plane, not a complete guarantee that every script obeys the signal.

**Do I need an IAB TCF-certified CMP?**

If you rely on TCF strings for programmatic advertising in the EEA or UK, you generally need a CMP that can participate correctly in TCF 2.2. Pure web analytics sites may not need TCF, but mixed publisher and marketing stacks often do.

**How should CMPs handle Global Privacy Control?**

Under several US state laws, GPC must be treated as a valid opt-out of sale or sharing where applicable. Your CMP should map GPC to the correct downstream signals, and you should verify with network tests that high-risk tags actually stop.

**Does Google Consent Mode remove the need for a CMP?**

No. Consent Mode adjusts how Google tags behave based on signals you supply, but you still need a CMP or equivalent mechanism to capture lawful consent, manage vendors beyond Google, and document your configuration.

**Should I pick OneTrust or Cookiebot or Usercentrics?**

That depends on budget, geography, ad stack complexity, and who will operate rescans. Lokker is agnostic: we validate whichever CMP you choose against what really happens on the wire.

**Does Lokker store consent choices for visitors?**

No. Lokker observes technical behavior and produces evidence. Your CMP remains the store of record for consent strings and preferences.

**What is the difference between feature flags and A/B tests?**

Feature flags control whether code paths are on for segments or percentages, often for release safety. A/B tests measure outcomes between variants with statistical analysis. Many vendors combine both in one SDK.

**Do I need consent to run A/B tests in the EU?**

If the experiment reads or writes storage, assigns visitors using identifiers, or changes marketing content, you typically need a lawful basis such as consent for non-essential processing. Consult counsel for strictly necessary operational tests.

**Is server-side experimentation more private than client-side?**

Server-side assignment reduces some browser exposure, but you still process personal data on your servers and must document purposes, retention, and transfers. It is not automatically lawful without governance.

**How does Adobe Target interact with Adobe Analytics?**

Target frequently shares audiences and metrics with Analytics and Customer Journey Analytics. Consent configuration must cover the combined data flow, not only Target in isolation.

**Does Lokker pick the winning experiment variant?**

No. Lokker does not assign traffic or compute experiment results. Lokker validates whether experimentation traffic complies with your consent posture.

**Can Lokker block only Adobe Target while allowing Analytics?**

Guardian rules can target specific hosts or paths used by Target while leaving other Adobe beacons allowed if your policy permits, but most teams align decisions with counsel because Adobe traffic is often intertwined.

**What is a tag management system?**

A tag management system is a container that loads, configures, and fires vendor scripts from a central interface instead of editing site code for every marketing change.

**Is server-side Google Tag Manager more compliant than web GTM?**

Server-side tagging can reduce browser exposure and help with first-party contexts, but compliance still depends on what you forward, lawful basis, and whether client-side tags were gated correctly before events leave the browser.

**How does Adobe Launch differ from Google Tag Manager?**

Launch is tightly integrated with Adobe Experience Platform, uses extension-based packaging, and often assumes XDM-backed schemas. Migration from GTM requires rethinking data layer contracts, not only retagging pixels.

**Should the tag manager load before or after the CMP?**

Most privacy programs load the CMP first or use synchronous consent stubs so tags read accurate defaults. The right pattern depends on your stack; verify with network testing rather than assumptions.

**Does Lokker replace Google Tag Manager?**

No. Lokker does not edit GTM workspaces. Lokker observes the output of your tag manager and validates it against consent and policy.

**Can Lokker alert when a new tag appears in production?**

Privacy Edge portfolio monitoring surfaces new third-party requests and risk-scored changes so security and privacy teams can review container drift quickly.

## AI discovery

These files and patterns are provided to help AI systems and LLM-powered tools access
Lokker content efficiently:

- Curated index (spec-aligned): https://lokker.com/llms.txt
- Full context reference: https://lokker.com/llms-full.txt
- Sitemap (all indexed URLs, XML): https://lokker.com/sitemap.xml
- RSS feed (blog and press): https://lokker.com/feed.xml

**Markdown page variants (append .md to any supported URL):**
- Product pages: `https://lokker.com/products/{slug}.md`
- Solutions: `https://lokker.com/solutions/{slug}.md`
- Training tracks: `https://lokker.com/training/{slug}.md`
- Blog posts (full article body): `https://lokker.com/blog/{slug}.md`
- Tool comparisons: `https://lokker.com/compare/{slug}.md` (e.g. https://lokker.com/compare/session-replay-tools.md)
- Privacy law pages: `https://lokker.com/privacy-law.md` and `https://lokker.com/privacy-law/{slug}.md`
- Static pages: `https://lokker.com/about.md`, `https://lokker.com/contact.md`, `https://lokker.com/security.md`
