-->
  • December 20, 2024
  • By Ian Cohen, founder and CEO, LOKKER

The Hidden Drivers of Website Data Collection—and How to Take Control

Article Featured Image

Online privacy has been rapidly gaining more attention in the U.S. due to a rapid increase in new regulations and enforcement actions. In 2025, eight new state privacy laws will take effect, bringing the total to 19 comprehensive state privacy laws. And this push for data regulation is critical—much more data is shared than the general population (and even people working in tech) realize. A big issue is that many people don’t fully understand how data collection technologies work or if their controls are effective at preventing oversharing.

Let’s break down how pixels, cookies, and scripts collect and share data, how they interact, and how to stop your website from oversharing while staying compliant with evolving privacy laws.

How Third Parties Share Data: Pixels, Cookies, and JavaScript

Third-party tools are often used to enhance websites—whether to make development easier, allow for interactive features, performance tracking, or to serve targeted advertising. However, these tools come with privacy risks, making it crucial to understand how they share data. Here’s how each works and how they work together:

Pixels Share Data

A pixel (or tracking pixel) is a tiny, transparent image embedded on a webpage that sends user data back to a server owned by the pixel provider (typically a third-party service). Active only during user interaction, pixels track behavior, measure conversions, and enable retargeting. For example, a Facebook Pixel tracks visitors on a website and then sends that information back to Facebook, allowing the ability to retarget visitors with ads related to their behavior on the website on Facebook. While pixels collect and share data, they don’t store information themselves.

In simple terms, pixels share info about site visits with third-party platforms like analytics or advertising services but don’t retain any information after a user leaves the site. 

Cookies Store Data

A cookie is a small text file stored on a user’s device, holding data like session IDs or preferences. Cookies help websites remember returning users, manage sessions, and personalize experiences. For example, they can save login credentials or items in a shopping cart for future visits. Websites use JavaScript to create and manage cookies, which can persist across sessions or expire when the browser closes.

Simply put, cookies store user activity and preferences for future visits in the user’s browser. Even when a user leaves the website, cookies can retain information about their preferences for future visits.

JavaScript Enables Setting Pixels and Sharing Webpage Interactions

JavaScript powers dynamic website functionality—updating content (like pop-ups), tracking interactions (clicks, form submissions), and collecting data. It reads and updates cookies, sends data to servers, and works with pixels to gather event data (e.g., add-to-cart actions).

In simple terms, JavaScript sets and updates pixels and cookies on a page.

An example of how they can all work together is when JavaScript embeds a tracking pixel on a website, which sets a cookie with user data (e.g., a unique identifier). JavaScript then reads the cookie to track users across sessions and websites, enabling personalized experiences or targeted ads.

Together, these tools create a seamless system for tracking, personalizing, and optimizing online experiences.

How Trackers Can Proliferate Privacy Risks When Not Managed Properly

But this doesn’t come without privacy risks. There are a couple of key points to consider here.

The first is sensitive data. Consumers prefer to keep many types of information private. While payment details are an obvious example, more personal data—such as medical conditions, symptoms, or location—are also highly sensitive. For instance, a woman researching pregnancy tests online might not want that information shared. If she starts seeing ads for related products or health services without consenting to share her data, she could feel uncomfortable and decide not to shop with that company again. Health data, in particular, is subject to strict legal protections, so website owners must be extra cautious about collecting or sharing patient-related information.

Another consideration is that data sharing multiplies. It’s not just that data goes to one third party—it often gets passed along to other third parties as well. The Federal Trade Commission (FTC) recently reviewed the data privacy practices of the top social media companies and found that none could track all the places their data was being shared. Data proliferation can quickly spiral out of control.

Ultimately, it’s the website owner’s responsibility to protect visitor data. They are held accountable if that data is shared without consent, so it’s crucial to ensure proper safeguards are in place.

How to Prevent Unauthorized Data Sharing

There’s no way around it; preventing unauthorized data sharing is challenging. However, there are actions you can take, and here are a few safeguards we recommend. 

Implementing a consent management solution and configuring it to require users to opt in to data sharing is a great first step. This ensures that cookies are blocked by default and only allows them to store data once the user gives explicit permission. This approach helps mitigate some common issues with consent tools. Because websites are dynamic—trackers are frequently added and removed by external parties beyond the website owner’s control. They don’t always make it into the consent banner, meaning web visitors can’t opt out. Or they are incorrectly categorized as essential when they're not. Opting for an opt-in method ensures that new trackers are blocked by default. Other steps include regularly scanning for new technologies, ensuring your consent banner loads before other technologies on the site, and checking for other common issues: like making sure the banner isn’t missing from any web pages, checking that it’s working across devices and browsers, and that the privacy policy link is visible.

It’s also worth noting that most consent banners focus primarily on cookies but not on pixels or other tracking tools like JavaScript. Understanding the limitations of your consent tool is crucial, and you may need to implement additional blocking technologies to fully comply.

By obtaining consent and ensuring your platform is properly configured, you’ll significantly reduce the risk of unauthorized data sharing and ensure compliance with the new laws going into effect.

Ian Cohen is founder and CEO of LOKKER, provider of solutions that empower companies to take control of their privacy obligations. Before founding LOKKER in 2021, Cohen served as CEO for Credit.com and CPO for Experian, where he focused on consumer-permissioned data. 

CRM Covers
Free
for qualified subscribers
Subscribe Now Current Issue Past Issues
Buyer's Guide Companies Mentioned