Privacy Policy Guide

How to disclose third-party tools in your privacy policy

Plain-language guidance for disclosing analytics, advertising, session replay, and CMP tools in a privacy policy or cookie notice. Includes illustrative example language, jurisdiction notes, and a checklist for verifying that technical controls match your disclosure.

Not legal advice | GDPR and CCPA context | CMP configuration checklist

Policy vs practice

A privacy policy describes. Technical controls enforce.

An accurate privacy policy is necessary. But the legal risk from third-party tools is not primarily a documentation problem. The risk is operational: tools that fire before consent, pixels that activate after opt-out, tag managers that ignore GPC signals.

Teams often review compliance only inside each SaaS console: the CMP dashboard shows categories assigned, the tag manager preview looks clean, the analytics vendor reports consent settings enabled. That view is incomplete. What matters is whether the visitor's browser actually loads the third party through your consent and tag stack, whether anything is listening to the consent signal, and whether the vendor still fires after opt-out.

Those questions can only be answered by testing the whole chain from the outside. Lokker Consent Validator runs real browser sessions across accept, reject, no-interaction, and GPC states and reports what reaches the network, not what each tool's admin UI claims.

Step 1: Privacy policy
Describes what tools you use, what data they collect, and what rights visitors have.

Step 2: Consent management platform
Records visitor consent decisions and categorizes which tools are permitted under each choice.

Step 3: Tag manager
Deploys tools conditionally based on consent state signals from the CMP.

Step 4: Network validation
Tests the live site from the outside: whether the CMP, tag manager, and each third party actually honor accept, reject, and GPC together. This is what Lokker does.

Vendor disclosure guides

Browse by tool category

Each guide covers what data the tool collects, where in a privacy policy to disclose it, example language for discussion with counsel, and a CMP configuration checklist.

Common questions

Privacy policy and disclosure FAQ

Do I need to list every sub-processor in my privacy policy?
Requirements vary by law. GDPR generally requires disclosure of categories of recipients and, under some interpretations, named sub-processors that handle personal data on your behalf. CCPA requires disclosure of categories of third parties to whom personal information is disclosed or sold. Most practitioners recommend a level of specificity that helps visitors understand what companies receive their data and for what purposes, without exhaustively listing every infrastructure vendor. Third-party marketing and analytics tools with their own data controller role should generally be named.
What is the difference between a cookie policy and a privacy policy?
A privacy policy covers all personal data processing: how you collect, use, store, and share data, and what rights individuals have. A cookie policy or cookie notice focuses specifically on cookies and similar tracking technologies, describing their names, purposes, durations, and opt-out mechanisms. Under the GDPR and ePrivacy Directive, a cookie notice or consent banner is required in addition to a privacy policy. Some organizations combine them; others keep them separate. The important point is that the disclosures are accurate and the consent mechanism is technically enforced.
What if my CMP says reject but pixels still fire?
This is one of the most common compliance gaps. A CMP records the rejection in its own system, but the actual blocking of tags depends on your tag manager reading that signal and on each vendor tag respecting it. If consent-based triggers are missing, if the CMP and tag manager are not wired together, or if a script loads outside the stack entirely, tags will fire regardless of visitor choice. A green status inside the CMP admin does not prove the browser behaved the same way. Lokker Consent Validator tests the full stack from the outside and shows which endpoints still receive data after reject.
Why is checking settings inside my CMP or tag manager not enough?
Each vendor tool shows you its own configuration, not the end-to-end behavior on your site. Your CMP can list GA4 under Analytics while GTM still fires the tag on every page. Consent Mode can be enabled in Google's UI while your tag manager never passes the signal. The only reliable test is holistic: run the site as a visitor would, change consent state, and observe whether the third party loads, whether the consent signal was received, and whether anything still calls out on opt-out. That is the network-layer view Lokker provides. Policy text and in-product checklists are inputs; they are not proof on their own.
Is a privacy policy update required every time I add a new tool?
Generally yes, if the new tool collects or processes personal data in a way not already covered by your policy. Under the GDPR, material changes to data processing require updating the privacy notice and, where the original legal basis was consent, potentially re-obtaining consent. Under the CCPA, material changes that affect the categories of data collected or the third parties to whom it is disclosed require a policy update. Keeping your CMP vendor list and your privacy policy synchronized is an ongoing compliance obligation.
Does example policy language make me compliant?
No. Example language is a starting point for discussion with your counsel. Compliance requires that the policy accurately reflects your actual technical practices and that those practices conform to applicable law. A policy can accurately describe a compliant implementation, or it can describe a compliant implementation that is not what is actually running on the site. Both text accuracy and technical accuracy are required. Lokker validates the technical accuracy; your counsel validates the legal accuracy.
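The two halves of the chain above, the consent gate a tag manager should apply and the outside-in audit of what actually reached the network, as an added illustration that is not Lokker's code or any CMP's. The vendor names, hosts, categories and captured URLs are constructed, and the mapping of the no-interaction and GPC states to granted categories is an assumption for the example.

```javascript
// Constructed example (not Lokker's or any vendor's code). Vendor ids,
// categories and hostnames are assumptions chosen for illustration.
const VENDORS = {
  ga4: { category: 'analytics', hosts: ['www.google-analytics.com', 'analytics.google.com'] },
  metaPixel: { category: 'advertising', hosts: ['www.facebook.com'] },
  sessionReplay: { category: 'analytics', hosts: ['replay.example-vendor.test'] },
};

// Consent state as the tag manager should see it from the CMP.
// state: 'accept' | 'reject' | 'none' (no interaction) | 'gpc' (browser sent Sec-GPC)
// Assumption: before any interaction nothing is granted; a GPC signal is treated
// as an opt-out of advertising/sale while analytics consent stays as given.
function grantedCategories(state) {
  switch (state) {
    case 'accept': return new Set(['analytics', 'advertising']);
    case 'reject': return new Set();
    case 'none': return new Set();
    case 'gpc': return new Set(['analytics']);
    default: throw new Error(`unknown consent state: ${state}`);
  }
}

// The gate a consent-aware trigger should enforce before a vendor tag loads.
function shouldLoad(vendorId, state) {
  const v = VENDORS[vendorId];
  if (!v) throw new Error(`unknown vendor: ${vendorId}`);
  return grantedCategories(state).has(v.category);
}

// Outside-in audit: given the request URLs observed on the network during a
// browser session in a given consent state, return the vendors that fired
// although the gate says they must not. An empty list means policy and
// practice agree for that state.
function auditSession(state, requestUrls) {
  const violations = [];
  for (const [id, v] of Object.entries(VENDORS)) {
    const fired = requestUrls.some((u) => v.hosts.includes(new URL(u).hostname));
    if (fired && !shouldLoad(id, state)) violations.push(id);
  }
  return violations.sort();
}

// Constructed capture: what a session in the "reject" state reported.
const REJECT_SESSION = [
  'https://www.example.test/',
  'https://www.google-analytics.com/g/collect?v=2&tid=G-PLACEHOLDER',
  'https://www.facebook.com/tr?id=PLACEHOLDER&ev=PageView',
];

console.log('fired after reject:', auditSession('reject', REJECT_SESSION));
```

Running the audit over captures from each of the four states is the check the page describes: a vendor listed in the violations for the reject or GPC state is one the CMP dashboard may show as gated but the browser still loaded.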

Close the gap

Verify that your policy and your technical controls agree

Consent Validator runs automated browser sessions across accept, reject, no-interaction, and GPC states and reports which third-party tools fire in each state. Confirm that the tools described in your policy are actually gated the way the policy claims.