
Privacy Audit Guide

A comprehensive framework for auditing your analytics and marketing tracking for privacy compliance.

Audit Overview

Purpose

A privacy audit identifies:

  • Non-compliant tracking implementations
  • Missing consent mechanisms
  • Data leakage risks
  • Documentation gaps
  • Process improvements

When to Audit

| Trigger | Urgency | Scope |
|---------|---------|-------|
| New regulation | High | Full audit |
| After acquisition | High | Full audit |
| Annual review | Medium | Full audit |
| New vendor | Medium | Vendor-specific |
| Complaint received | High | Issue-specific |
| Pre-launch | High | New features only |

Phase 1: Discovery

Data Inventory

Document all data collection touchpoints:

┌─────────────────────────────────────────────────────────┐
│                   Data Flow Mapping                      │
├─────────────────────────────────────────────────────────┤
│                                                         │
│  Collection         Processing         Storage          │
│  ─────────────────────────────────────────────────────  │
│  • Website forms    • Analytics        • CRM            │
│  • Tracking pixels  • Enrichment       • Data warehouse │
│  • Mobile app       • Segmentation     • Email platform │
│  • APIs             • Personalization  • Ad platforms   │
│                                                         │
└─────────────────────────────────────────────────────────┘

Data Collection Audit

| Element | Questions to Answer |
|---------|---------------------|
| What | What data is collected? |
| Why | What is the purpose? |
| How | Through what mechanism? |
| Where | Where is it stored? |
| Who | Who has access? |
| When | How long is it retained? |

Technical Discovery

Run these scans:

// Cookie audit (browser console): list the cookie names visible to script
document.cookie
  .split(';')
  .map(c => c.trim().split('=')[0])
  .filter(Boolean);

// Caveat: document.cookie omits HttpOnly cookies and carries no expiry,
// domain or path. Cross-check with DevTools > Application > Cookies,
// which shows every cookie with its attributes.

// Network requests (DevTools Network tab)
// Filter for: google-analytics, facebook, linkedin, etc.
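The console one-liner only lists names. For the audit you also need to know which cookies are accounted for in your inventory and which of them were set before the matching consent category was granted. The following is an added example, not code from the original page: it classifies a `document.cookie` snapshot against an inventory with trailing-`*` patterns (GA4 sets `_ga_<MEASUREMENT_ID>`, so a wildcard is needed) and flags anything unknown or set without consent. The inventory entries and the cookie snapshot are constructed for illustration.

```javascript
// Added example: classify cookies visible to script against an audit inventory
// and flag any that were set without the matching consent category.
// Inventory and snapshot below are constructed for illustration.

const COOKIE_INVENTORY = [
  // `pattern` supports a trailing '*' wildcard (GA4 sets _ga_<MEASUREMENT_ID>)
  { pattern: '_ga',        category: 'analytics', vendor: 'GA4' },
  { pattern: '_ga_*',      category: 'analytics', vendor: 'GA4' },
  { pattern: '_gid',       category: 'analytics', vendor: 'GA4' },
  { pattern: '_fbp',       category: 'marketing', vendor: 'Meta Pixel' },
  { pattern: 'session_id', category: 'necessary', vendor: 'first-party app' },
];

// Same parsing as the console one-liner: names only, empty segments dropped.
function parseCookieNames(cookieString) {
  return cookieString
    .split(';')
    .map(c => c.trim().split('=')[0])
    .filter(Boolean);
}

// First inventory entry whose pattern matches the name, or null if unknown.
function matchInventory(name, inventory) {
  return inventory.find(({ pattern }) =>
    pattern.endsWith('*')
      ? name.startsWith(pattern.slice(0, -1))
      : name === pattern
  ) || null;
}

// grantedCategories: consent categories the user has granted at snapshot time
// (an empty list models "before any interaction with the banner").
function auditCookies(cookieString, inventory, grantedCategories) {
  const granted = new Set(['necessary', ...grantedCategories]);
  const findings = { unknown: [], setWithoutConsent: [], ok: [] };
  for (const name of parseCookieNames(cookieString)) {
    const entry = matchInventory(name, inventory);
    if (!entry) {
      findings.unknown.push(name);                // not in inventory: investigate
    } else if (!granted.has(entry.category)) {
      findings.setWithoutConsent.push({ name, category: entry.category, vendor: entry.vendor });
    } else {
      findings.ok.push(name);
    }
  }
  return findings;
}

// Constructed document.cookie snapshot taken before the user touched the banner:
const SAMPLE_BEFORE_CONSENT =
  'session_id=abc123; _ga=GA1.1.111.222; _ga_ABC123=GS1.1.333; _fbp=fb.1.444; _hjSession_1=xyz';

// In a browser: auditCookies(document.cookie, COOKIE_INVENTORY, [])
if (typeof module !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(auditCookies(SAMPLE_BEFORE_CONSENT, COOKIE_INVENTORY, []), null, 2));
}
```

Run it twice per page: once with an empty granted list on a fresh profile, and once after accepting each category, so the `setWithoutConsent` list shrinks to exactly the cookies your inventory says it should.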

Phase 2: Tracking Audit

Tag Inventory

Export your GTM container and analyze:

| Tag Name | Type | Trigger | Consent Required |
|----------|------|---------|------------------|
| GA4 Config | Google Tag | All Pages | analytics_storage |
| GA4 Purchase | GA4 Event | Purchase | analytics_storage |
| Meta Pixel | Custom HTML | All Pages | ad_storage |
| Google Ads Conv | Conversion | Purchase | ad_storage |
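Building this table by hand is error-prone for containers with dozens of tags. The following is an added example, not code from the original page or from Google: it walks a GTM container export and flags tags whose consent settings do not match the category their tag type should be gated on. The JSON shape follows a GTM container export (`containerVersion.tag[]`, `containerVersion.trigger[]`, `consentSettings.consentStatus`, `consentSettings.consentType.list[]`) and the tag type identifiers (`googtag`, `gaawe`, `awct`, `html`) are assumed from such exports; verify both against your own export before relying on the output. The container below is constructed.

```javascript
// Added example: scan a GTM container export for tags whose consent settings
// do not match the category their type should require. Field names and tag
// type identifiers are assumed from GTM exports; the container is constructed.

const CONSENT_FOR_TAG_TYPE = {
  googtag: 'analytics_storage',   // Google tag (GA4 config)
  gaawe:   'analytics_storage',   // GA4 event
  awct:    'ad_storage',          // Google Ads conversion
  html:    null,                  // Custom HTML: GTM cannot gate the script for you
};

const CONTAINER_EXPORT = {
  containerVersion: {
    trigger: [
      { triggerId: '1', name: 'All Pages', type: 'PAGEVIEW' },
      { triggerId: '2', name: 'Purchase', type: 'CUSTOM_EVENT' },
    ],
    tag: [
      { tagId: '10', name: 'GA4 Config', type: 'googtag', firingTriggerId: ['1'],
        consentSettings: { consentStatus: 'NEEDED',
          consentType: { type: 'LIST', list: [{ type: 'TEMPLATE', value: 'analytics_storage' }] } } },
      { tagId: '11', name: 'GA4 Purchase', type: 'gaawe', firingTriggerId: ['2'],
        consentSettings: { consentStatus: 'NOT_SET' } },
      { tagId: '12', name: 'Meta Pixel', type: 'html', firingTriggerId: ['1'],
        consentSettings: { consentStatus: 'NOT_NEEDED' } },
      { tagId: '13', name: 'Google Ads Conv', type: 'awct', firingTriggerId: ['2'],
        consentSettings: { consentStatus: 'NEEDED',
          consentType: { type: 'LIST', list: [{ type: 'TEMPLATE', value: 'analytics_storage' }] } } },
    ],
  },
};

// Consent types a tag declares as "additional consent required"; empty for
// NOT_SET (never configured) and NOT_NEEDED (explicitly exempted).
function requiredConsent(tag) {
  const cs = tag.consentSettings || {};
  if (cs.consentStatus !== 'NEEDED' || !cs.consentType) return [];
  return cs.consentType.list.map(entry => entry.value);
}

function auditContainer(exportJson) {
  const { tag = [], trigger = [] } = exportJson.containerVersion;
  const triggerName = Object.fromEntries(trigger.map(t => [t.triggerId, t.name]));
  return tag.map(t => {
    const expected = CONSENT_FOR_TAG_TYPE[t.type];
    const required = requiredConsent(t);
    const triggers = (t.firingTriggerId || []).map(id => triggerName[id] || id);
    let finding = 'ok';
    if (expected === undefined) {
      finding = `unknown tag type ${t.type}: review`;
    } else if (expected === null) {
      finding = required.length > 0
        ? 'custom HTML: verify the script itself honours the listed consent types'
        : 'custom HTML with no consent requirement: gate it with a consent-aware trigger';
    } else if (!required.includes(expected)) {
      finding = `should require ${expected}`;
    }
    return { name: t.name, type: t.type, triggers, required, finding };
  });
}

if (typeof module !== 'undefined' && require.main === module) {
  console.table(auditContainer(CONTAINER_EXPORT));
}
```

Custom HTML tags deserve the closest look: a `NOT_NEEDED` status on a tag that injects a third-party pixel is exactly the "any tracking before consent" failure in the CMP table below, and the export alone cannot tell you what the script does.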

Pixel & Script Audit

Identify all tracking scripts and pixels. Note that a pixel created with `new Image()` and never attached to the page does not appear in `document.images`, so cross-check the list below against image requests in the Network tab.

// Find all distinct script hostnames
Array.from(document.scripts)
  .filter(s => s.src)
  .map(s => new URL(s.src).hostname)
  .filter((v, i, a) => a.indexOf(v) === i);

// Find tracking pixels attached to the DOM (1x1 images)
Array.from(document.images)
  .filter(img => img.width === 1 && img.height === 1)
  .map(img => img.src);

Hidden Tracking Detection

Check for:

  • Fingerprinting scripts
  • Canvas fingerprinting
  • WebGL fingerprinting
  • Audio fingerprinting

// List every resource loaded by a script, then look for known fingerprinting
// libraries by name. This does not detect fingerprinting by itself: canvas,
// WebGL and audio fingerprinting are API calls, not network requests.
performance.getEntriesByType('resource')
  .filter(r => r.initiatorType === 'script')
  .map(r => r.name);

Phase 3: Consent Audit

CMP Evaluation

| Criteria | Pass | Fail |
|----------|------|------|
| Displayed before tracking | All tracking blocked until consent | Any tracking before consent |
| Clear language | Plain language, no dark patterns | Confusing or manipulative |
| Equal choices | Accept/Reject equally prominent | Reject hidden or harder |
| Granular options | Per-category consent available | All-or-nothing only |
| Easy withdrawal | One-click revoke option | Difficult to find/use |
| Records kept | Consent logs maintained | No audit trail |

Consent Mode Verification

// gtag('consent', ...) pushes an `arguments` object onto dataLayer, so entries
// are indexed like arrays but are not Arrays. Entries pushed as plain objects
// ({event: ...}) have no [0] and drop out of these filters.

// Default consent state: must be pushed before any config/event command and
// should show 'denied' for every type until the user interacts
dataLayer
  .filter(item => item[0] === 'consent' && item[1] === 'default')
  .map(item => item[2]);

// Consent update: should appear only after the user acts, with 'granted'
// for exactly the types they accepted
dataLayer
  .filter(item => item[0] === 'consent' && item[1] === 'update')
  .map(item => item[2]);
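The two filters show what was pushed but not whether it was pushed in the right order, and ordering is where Consent Mode implementations usually fail. The following is an added example, not code from the original page: it takes a `dataLayer` snapshot (live `window.dataLayer` or a copy pasted from the console) and reports a missing default, a default that is not fully denied, and any `config`/`event` or `update` command that precedes the default. The two snapshots are constructed and `G-EXAMPLE` is a placeholder measurement ID.

```javascript
// Added example: order-of-operations check for Consent Mode over a dataLayer
// snapshot. Sample pushes are constructed; 'G-EXAMPLE' is a placeholder ID.

const CONSENT_TYPES = ['ad_storage', 'ad_user_data', 'ad_personalization', 'analytics_storage'];

// gtag() pushes `arguments` objects onto window.dataLayer; a snapshot copied
// out of the console arrives as plain arrays. Normalise both to arrays and
// turn non-indexable entries such as {event: 'gtm.js'} into empty arrays.
function normalise(dataLayer) {
  return Array.from(dataLayer, e => (e && typeof e.length === 'number' ? Array.from(e) : []));
}

function isCommand(entry, cmd, sub) {
  return entry[0] === cmd && (sub === undefined || entry[1] === sub);
}

function auditConsentSequence(dataLayer, consentTypes = CONSENT_TYPES) {
  const entries = normalise(dataLayer);
  const findings = [];
  const defaultIdx = entries.findIndex(e => isCommand(e, 'consent', 'default'));
  const updateIdx = entries.findIndex(e => isCommand(e, 'consent', 'update'));
  const firstTagIdx = entries.findIndex(e => isCommand(e, 'config') || isCommand(e, 'event'));

  if (defaultIdx === -1) {
    // With no default command every consent type is treated as granted.
    findings.push('no consent default: tags run with consent granted');
  } else {
    const state = entries[defaultIdx][2] || {};
    const notDenied = consentTypes.filter(t => state[t] !== 'denied');
    if (notDenied.length > 0) findings.push(`default not denied for: ${notDenied.join(', ')}`);
    if (firstTagIdx !== -1 && firstTagIdx < defaultIdx) {
      findings.push('config/event command pushed before consent default');
    }
    if (updateIdx !== -1 && updateIdx < defaultIdx) {
      findings.push('consent update pushed before consent default');
    }
  }
  return {
    findings,
    defaultState: defaultIdx === -1 ? null : entries[defaultIdx][2],
    updateState: updateIdx === -1 ? null : entries[updateIdx][2],
  };
}

// Constructed snapshot of a correct implementation after the user accepted analytics:
const SNAPSHOT_OK = [
  ['consent', 'default', { ad_storage: 'denied', ad_user_data: 'denied', ad_personalization: 'denied', analytics_storage: 'denied', wait_for_update: 500 }],
  { event: 'gtm.js', 'gtm.start': 1700000000000 },
  ['js', new Date(0)],
  ['config', 'G-EXAMPLE'],
  ['consent', 'update', { analytics_storage: 'granted' }],
];

// Constructed snapshot with the default pushed after the config command and
// analytics left granted by default:
const SNAPSHOT_BAD = [
  ['js', new Date(0)],
  ['config', 'G-EXAMPLE'],
  ['consent', 'default', { ad_storage: 'denied', analytics_storage: 'granted' }],
];

// In a browser: auditConsentSequence(window.dataLayer)
if (typeof module !== 'undefined' && require.main === module) {
  console.log(auditConsentSequence(SNAPSHOT_OK).findings, auditConsentSequence(SNAPSHOT_BAD).findings);
}
```

Take the snapshot on a fresh profile with no interaction: `updateState` should then be `null`. An update present before the user has touched the banner means the CMP is granting consent it never obtained.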

Cookie Audit

| Cookie | Purpose | Duration | Party | Consent Category |
|--------|---------|----------|-------|------------------|
| _ga | GA4 client ID (identifies the browser, not a logged-in user) | 2 years | First | Analytics |
| _gid | GA4 client ID, 24-hour scope | 24 hours | First | Analytics |
| _fbp | Meta Pixel browser ID | 90 days | First | Marketing |
| fr | Facebook ad delivery and measurement | 90 days | Third | Marketing |

Phase 4: Documentation Audit

Required Documentation

| Document | Status | Last Updated |
|----------|--------|--------------|
| Privacy Policy | ✓/✗ | Date |
| Cookie Policy | ✓/✗ | Date |
| Data Processing Register | ✓/✗ | Date |
| Vendor DPAs | ✓/✗ | Date |
| DPIA (if required) | ✓/✗ | Date |
| Consent Records | ✓/✗ | Ongoing |

Privacy Policy Checklist

  • [ ] Lists all data collected
  • [ ] Explains purposes of collection
  • [ ] Names third parties receiving data
  • [ ] Describes data subject rights
  • [ ] Provides contact information
  • [ ] States retention periods
  • [ ] Explains international transfers
  • [ ] Updated for current practices

Vendor Assessment

For each analytics/marketing vendor:

| Vendor | DPA Signed | Transfer Mechanism (SCCs / EU-US Data Privacy Framework) | Sub-processors Listed |
|--------|------------|------------------------------------------------------------|----------------------|
| Google | ✓/✗ | ✓/✗ | ✓/✗ |
| Meta | ✓/✗ | ✓/✗ | ✓/✗ |
| LinkedIn | ✓/✗ | ✓/✗ | ✓/✗ |

Privacy Shield was invalidated by the CJEU in July 2020 and no longer supports transfers. Record which mechanism each vendor relies on (SCCs or a Data Privacy Framework certification) and when you last verified it.

Phase 5: Data Rights Audit

Right to Access

Test your process:

  1. Submit access request
  2. Time to acknowledge
  3. Time to fulfill
  4. Completeness of data provided
  5. Format usability

Right to Deletion

Test your process:

  1. Submit deletion request
  2. Systems that must be updated
  3. Verification of deletion
  4. Third-party notification

Deletion Capability Matrix

| System | Can Delete | Automated | Manual Steps |
|--------|------------|-----------|--------------|
| GA4 | Per identifier (client ID, user ID, app instance ID) via the User Deletion API or the UI; aggregated reports are unaffected | API available | Log each request and confirm in the UI |
| CRM | Yes | API available | Update workflow |
| Email platform | Yes | API available | Verify deletion |
| Ad platforms | Partial | Request process | Document |

Phase 6: Security Audit

Access Control Review

| System | Access List Current | MFA Required | Least Privilege |
|--------|---------------------|--------------|-----------------|
| GTM | ✓/✗ | ✓/✗ | ✓/✗ |
| GA4 | ✓/✗ | ✓/✗ | ✓/✗ |
| Ad accounts | ✓/✗ | ✓/✗ | ✓/✗ |

Data Transmission Security

| Data Flow | Encrypted | Method |
|-----------|-----------|--------|
| Browser → Server | ✓/✗ | HTTPS/TLS |
| Server → GA4 | ✓/✗ | HTTPS |
| Server → Data Warehouse | ✓/✗ | Encrypted connection |

Audit Report Template

Executive Summary

  • Audit scope and date
  • Key findings summary
  • Risk rating (Critical/High/Medium/Low)
  • Recommended actions

Findings

For each finding:

## Finding: [Title]

**Severity:** Critical/High/Medium/Low
**Category:** Consent/Tracking/Documentation/Security

### Description
[What was found]

### Risk
[Potential impact if not addressed]

### Recommendation
[Specific remediation steps]

### Timeline
[Suggested deadline for remediation]

Remediation Tracking

| Finding | Severity | Owner | Due Date | Status |
|---------|----------|-------|----------|--------|
| Missing consent mode | Critical | Analytics | 2 weeks | Open |
| Outdated privacy policy | High | Legal | 4 weeks | In Progress |
| Third-party scripts | Medium | Dev | 6 weeks | Open |

Ongoing Monitoring

Regular Checks

| Check | Frequency | Method |
|-------|-----------|--------|
| Consent functioning | Daily | Automated test |
| New scripts detection | Weekly | Script monitoring |
| Cookie scan | Monthly | Automated scan |
| Policy review | Quarterly | Manual review |
| Full audit | Annually | Comprehensive |

Automation Tools

  • Cookie scanners: Cookiebot scan, BuiltWith
  • Tag monitors: ObservePoint, Tag Inspector
  • Network monitoring: DevTools, Charles Proxy
  • GTM monitoring: Version control, alerts
