Privacy, cookies and analytics

Analytics feels harmless because it does not look like product code.

It is still code that runs in the browser, collects information, talks to third parties and can affect performance, privacy and trust.

Before launch, you should know exactly what tracking runs, when it runs, and whether visitors are told clearly.

Inventory your tracking

Search for common analytics and marketing tools:

rg "gtag|analytics|pixel|posthog|plausible|hotjar|clarity|segment"
rg "cookie|localStorage|sessionStorage|consent"

Then ask:

Create a tracking and cookie inventory for this app.

For each script or storage item:
- name the provider
- explain what it collects
- say whether it is essential, analytics or marketing
- say whether it runs before consent
- identify the page or component that loads it
- note whether the privacy/cookie policy mentions it

Check consent before scripts load

The common bug is not "no banner".

The common bug is a banner that appears after tracking has already fired.

Review:

• analytics scripts in root layouts
• tag manager containers
• embedded videos
• session replay tools
• support chat widgets
• advertising pixels
• A/B testing scripts

If a non-essential script loads before the user has a choice, your consent UX may be cosmetic rather than functional.

Look at performance too

Tracking scripts are also a launch-readiness issue because they add:

• network requests
• JavaScript execution
• third-party failure risk
• cookie prompts
• layout or hydration delays

Ask your agent:

Review third-party tracking and analytics scripts for performance risk.

Identify scripts that load on every page, block rendering, duplicate another tool, or could be delayed until after user interaction or consent.

Keep policies visible

Visitors should be able to find privacy and cookie information before signup or payment.

Check:

• footer privacy link
• cookie policy or cookie section
• contact/support route
• company ownership details
• consent settings link

These pages are not exciting, but missing trust links make a new app feel unfinished.

Related lessons

Read next:

• Protect yourself with privacy, cookies and safe logs
• Page speed checks before launch
• Middleware, proxies and automated attack scanners

What PageLens AI can help with

PageLens AI checks tracking and consent signals on the live site, alongside SEO, accessibility, performance and trust findings.

Use PageLens AI to catch the production surface. Use this checklist to inspect the code and consent logic behind it.