Privacy Policy Guide
How to disclose third-party tools in your privacy policy
Plain-language guidance for disclosing analytics, advertising, session replay, and CMP tools in a privacy policy or cookie notice. Includes illustrative example language, jurisdiction notes, and a checklist for verifying that technical controls match your disclosure.
Policy vs practice
A privacy policy describes. Technical controls enforce.
An accurate privacy policy is necessary. But the legal risk from third-party tools is not primarily a documentation problem. The risk is operational: tools that fire before consent, pixels that activate after opt-out, tag managers that ignore GPC signals.
Teams often review compliance only inside each SaaS console: the CMP dashboard shows categories assigned, the tag manager preview looks clean, the analytics vendor reports consent settings enabled. That view is incomplete. What matters is whether the visitor's browser actually loads the third party through your consent and tag stack, whether anything is listening to the consent signal, and whether the vendor still fires after opt-out.
Those questions can only be answered by testing the whole chain from the outside. Lokker Consent Validator runs real browser sessions across accept, reject, no-interaction, and GPC states and reports what reaches the network, not what each tool's admin UI claims.
Privacy policy
Describes what tools you use, what data they collect, and what rights visitors have.
Consent management platform
Records visitor consent decisions and categorizes which tools are permitted under each choice.
Tag manager
Deploys tools conditionally based on consent state signals from the CMP.
Network validation
Tests the live site from the outside: whether the CMP, tag manager, and each third party actually honor accept, reject, and GPC together. This is what Lokker does.
Vendor disclosure guides
Browse by tool category
Each guide covers what data the tool collects, where in a privacy policy to disclose it, example language for discussion with counsel, and a CMP configuration checklist.
Analytics and Measurement
Google Analytics 4
Google Analytics 4 is a web and app analytics platform from Google that tracks page views, events, user journeys, and conversions using cookies, device signals, and the Google Analytics Measurement Protocol.
Segment
Segment by Twilio is a Customer Data Platform (CDP) that collects behavioral and identity data from web, mobile, and server sources and routes it to connected downstream tools including analytics, advertising, CRM, and email platforms.
Mixpanel
Mixpanel is a product analytics platform that tracks user interactions at the event level for web and mobile applications. It supports anonymous and identified user tracking, funnel analysis, retention cohorts, and A/B experiment measurement.
Advertising and Targeting
Meta Pixel
The Meta Pixel is a JavaScript snippet from Meta that tracks visitor behavior on your website, including page views, clicks, purchases, and custom events, for use in targeted advertising, lookalike audiences, and conversion attribution on Facebook and Instagram.
LinkedIn Insight Tag
The LinkedIn Insight Tag is a JavaScript snippet from LinkedIn that collects behavioral data from your website visitors for use in LinkedIn advertising campaigns, conversion tracking, retargeting, and Website Demographics reporting that connects aggregate visitor data to professional attributes.
TikTok Pixel
The TikTok Pixel is a JavaScript snippet that tracks website visitor behavior for TikTok advertising, including page views, add-to-cart, purchase, and custom events, for conversion measurement, retargeting, and audience building on TikTok.
Session Replay and UX Research
Hotjar
Hotjar is a product analytics and user behavior platform that provides session recording, heatmaps, funnel analysis, and visitor feedback tools. It captures DOM snapshots and interaction data to reconstruct visitor sessions for analysis.
FullStory
FullStory is a digital experience intelligence platform that provides session replay, heatmaps, funnel analysis, and user journey analytics. It captures a detailed record of every user interaction to help product and UX teams understand digital experience quality.
Microsoft Clarity
Microsoft Clarity is a free behavioral analytics tool from Microsoft that provides session recordings, heatmaps, scroll maps, and rage-click analysis. It captures a visual record of visitor interactions to help teams understand how users experience a website.
CRM and Marketing Automation
HubSpot
HubSpot is a CRM and marketing platform that provides website visitor tracking, lead management, email marketing, forms, live chat, and customer journey analytics. It tracks visitors through the HubSpot tracking code and associates behavioral data with contact records in the HubSpot CRM.
Klaviyo
Klaviyo is an email and SMS marketing platform focused on e-commerce and direct-to-consumer brands. It combines contact-level email and SMS campaign delivery with website behavioral tracking and automated flows triggered by visitor actions.
Intercom
Intercom is a customer communications platform that provides a website chat messenger, email outreach, product tours, and customer support tools. When deployed on a website, the Intercom messenger loads a behavioral tracking script and creates or retrieves a contact record when a visitor interacts.
Consent Management Platforms
OneTrust
OneTrust is an enterprise privacy and consent management platform that deploys cookie banners, preference centers, and consent frameworks for GDPR, CCPA/CPRA, and other regulations. It controls which third-party tools load based on visitor consent decisions.
CookieYes
CookieYes is a consent management platform (CMP) for small and medium-sized websites that provides GDPR, CCPA, and other regulatory cookie banners, automated cookie scanning, and a preference center. It classifies cookies by category and controls which cookies are set based on visitor choices.
Cookiebot
Cookiebot is a consent management platform that presents GDPR and CCPA-compliant cookie banners, automatically scans and classifies cookies on your website, and uses script blocking to prevent non-essential technologies from loading before visitor consent is given.
Common questions
Privacy policy and disclosure FAQ
- Do I need to list every sub-processor in my privacy policy?
- Requirements vary by law. GDPR generally requires disclosure of categories of recipients and, under some interpretations, named sub-processors that handle personal data on your behalf. CCPA requires disclosure of categories of third parties to whom personal information is disclosed or sold. Most practitioners recommend a level of specificity that helps visitors understand which companies receive their data and for what purposes, without exhaustively listing every infrastructure vendor. Third-party marketing and analytics tools that act as their own data controllers should generally be named.
- What is the difference between a cookie policy and a privacy policy?
- A privacy policy covers all personal data processing: how you collect, use, store, and share data, and what rights individuals have. A cookie policy or cookie notice focuses specifically on cookies and similar tracking technologies, describing their names, purposes, durations, and opt-out mechanisms. Under the GDPR and ePrivacy Directive, a cookie notice or consent banner is required in addition to a privacy policy. Some organizations combine them; others keep them separate. The important point is that the disclosures are accurate and the consent mechanism is technically enforced.
- What if my CMP says reject but pixels still fire?
- This is one of the most common compliance gaps. A CMP records the rejection in its own system, but the actual blocking of tags depends on your tag manager reading that signal and on each vendor tag respecting it. If consent-based triggers are missing, if the CMP and tag manager are not wired together, or if a script loads outside the stack entirely, tags will fire regardless of visitor choice. A green status inside the CMP admin does not prove the browser behaved the same way. Lokker Consent Validator tests the full stack from the outside and shows which endpoints still receive data after reject.
- Why is checking settings inside my CMP or tag manager not enough?
- Each vendor tool shows you its own configuration, not the end-to-end behavior on your site. Your CMP can list GA4 under Analytics while GTM still fires the tag on every page. Consent Mode can be enabled in Google's UI while your tag manager never passes the signal. The only reliable test is holistic: run the site as a visitor would, change consent state, and observe whether the third party loads, whether the consent signal was received, and whether anything still calls out on opt-out. That is the network-layer view Lokker provides. Policy text and in-product checklists are inputs; they are not proof on their own.
- Is a privacy policy update required every time I add a new tool?
- Generally yes, if the new tool collects or processes personal data in a way not already covered by your policy. Under the GDPR, material changes to data processing require updating the privacy notice and, where the original legal basis was consent, potentially re-obtaining consent. Under the CCPA, material changes that affect the categories of data collected or the third parties to whom it is disclosed require a policy update. Keeping your CMP vendor list and your privacy policy synchronized is an ongoing compliance obligation.
- Does example policy language make me compliant?
- No. Example language is a starting point for discussion with your counsel. Compliance requires that the policy accurately reflects your actual technical practices and that those practices conform to applicable law. A policy can accurately describe a compliant implementation, or it can describe an implementation that reads as compliant but is not actually running that way. Both text accuracy and technical accuracy are required. Lokker validates the technical accuracy; your counsel validates the legal accuracy.
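The gap the two answers above describe (a CMP recording reject while tags still fire) comes down to comparing what the browser actually requested in each consent state against what the consent rules permit. As an added example, not Lokker's code or any CMP's API, here is a small consent gate and an audit that runs over constructed per-state request captures; the vendor-to-category mapping, the simplified GPC rule and the `cdn.example-cmp.com` host are assumptions.

```javascript
// Added example (not Lokker's or any CMP's code): a minimal consent gate plus an audit that
// checks observed requests per consent state against it. Mapping, GPC rule, captures are assumed.

// Vendor hostname -> consent category (assumption: a typical CMP categorisation).
const VENDOR_CATEGORY = {
  'www.google-analytics.com': 'analytics',   // GA4 collect endpoint
  'connect.facebook.net':     'advertising', // Meta Pixel loader
  'snap.licdn.com':           'advertising', // LinkedIn Insight Tag
  'static.hotjar.com':        'analytics',   // Hotjar recorder
  'cdn.example-cmp.com':      'necessary',   // the CMP itself (hypothetical host)
};

// May `host` load in consent `state`? state: 'accept' | 'reject' | 'none' | 'gpc'
// Rule (simplified): 'necessary' always loads; under 'reject' and 'none' (no
// interaction) nothing else loads; under 'gpc' analytics may load, advertising
// (sale/sharing) may not. Unknown third parties are never permitted.
function isAllowed(host, state) {
  const category = VENDOR_CATEGORY[host];
  if (category === undefined) return false;
  if (category === 'necessary') return true;
  switch (state) {
    case 'accept': return true;
    case 'gpc':    return category !== 'advertising';
    case 'reject':
    case 'none':   return false;
    default: throw new Error(`unknown consent state: ${state}`);
  }
}

// Audit one capture { state, requests: [url, ...] }; returns the requests that
// reached a host the gate says must not load in that state.
function auditCapture(capture) {
  const violations = [];
  for (const url of capture.requests) {
    const host = new URL(url).hostname;
    if (!isAllowed(host, capture.state)) {
      violations.push({ state: capture.state, host, category: VENDOR_CATEGORY[host] ?? 'unknown' });
    }
  }
  return violations;
}

// Constructed captures: what a browser run of one page might report per state.
const SAMPLE_CAPTURES = [
  { state: 'accept', requests: ['https://www.google-analytics.com/g/collect?v=2', 'https://connect.facebook.net/en_US/fbevents.js'] },
  { state: 'reject', requests: ['https://cdn.example-cmp.com/consent.js', 'https://connect.facebook.net/en_US/fbevents.js'] },
  { state: 'none',   requests: ['https://cdn.example-cmp.com/consent.js', 'https://static.hotjar.com/c/hotjar-1.js'] },
  { state: 'gpc',    requests: ['https://www.google-analytics.com/g/collect?v=2', 'https://snap.licdn.com/li.lms-analytics/insight.min.js'] },
];

function auditAll(captures = SAMPLE_CAPTURES) { return captures.flatMap(auditCapture); }
```

In a real run the `requests` arrays come from the browser's network log for each consent state; every violation returned is a vendor whose behaviour contradicts what the policy and CMP configuration claim.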
Close the gap
Verify that your policy and your technical controls agree
Consent Validator runs automated browser sessions across accept, reject, no-interaction, and GPC states and reports which third-party tools fire in each state. Confirm that the tools described in your policy are actually gated the way the policy claims.