Tracker Audit Review

Tracker Audit and Categorization Guide

TrustArc recommends that clients review their Tracker Audits on a regular basis. This ensures that Consent Manager instances are kept up to date with relevant tracker data for the sites where they are used. Regularly updated instances allow users to make an informed consent choice. Clients should approve the suggested tracker classification or provide revised categorization before the Tracker Audit is loaded to their Consent Manager instance.

Tracker Categorization

To streamline the consent process, trackers are placed into one of three categories: Advertising, Functional, or Required. The following categorization guidelines are informed by the U.K. International Chamber of Commerce (ICC), European Data Protection Board guidelines, and TrustArc customer feedback.

Required Trackers

Trackers in this category are necessary for the proper functioning of the site and cannot be opted out of by the user. They enable users to navigate the site and use its features — for instance, accessing secure areas, keeping track of user input in online forms, authentication, or trackers present for legal reasons.

European Data Protection Authorities have provided examples of trackers that are essential in nature and may be classified as "Required Cookies" — i.e., exempt from consent requirements under EU ePrivacy Directives. TrustArc strongly recommends that your legal team review any tracker classified as Required to confirm it meets these criteria.

Functional Trackers

Trackers in this category fall into two sub-categories:

Performance

These trackers are generally used to enhance a website's performance. They typically collect visitor usage information such as page views, session information, and bounce rate for purposes of understanding and optimizing site performance. Please note that the Article 29 Working Party supports the interpretation that First Party analytics trackers — such as cookie _ga from Google Analytics when dropped from the first-party domain — are not considered "exempt." As such, TrustArc recommends placing these trackers within this category.

Functionality

These trackers allow for an enhanced user experience, such as retaining previously set site preferences or personalized features. They may also be used to provide services such as playing a video or using a map service.

Trackers in the "Functional" category may be aggregated or anonymized and unusable for cross-site user tracking. Note that some trackers will only fall into this category if properly configured. If you have questions about TrustArc's recommendation for a particular tracker's categorization, please contact your Technical Account Manager.

Advertising Trackers

These trackers are used in Online Behavioral Advertising (OBA), such as in relation to advertising network activities including — but not limited to — targeted ad placement, social media, and/or the building of user profiles. Trackers used by vendors outside of the advertising ecosystem may also be classified as "Advertising" if there is a significant element of data collection for user profiling.

"Advertising" trackers are generally placed by Third-Party vendors, and the data collected may be shared with other organizations. These trackers may be present even if there is no advertising in use on the site.

Note: Your Consent Manager instance may use different names for the above categories. The categorization in your Tracker Audit will reflect the names used in your Consent Manager instance.
Tracker Audit Reports

After each WMM scan, TrustArc will compare the trackers found against those present in the client's Consent Manager instance. All trackers found will be identified and given a suggested classification. As tracker configuration and use may vary, clients should validate that their use of each tracker matches the suggested guidelines in the Tracker Categorization section. The responsibility for how a tracker should be bucketed rests within the client's organization.

Depending on your Consent Manager configuration, you will receive one of the following types of Tracker Audit:

Standard Tracker Audit
Standard Tracker Audit tabs

A Standard Tracker Audit is the basic type used for most Consent Manager instances. It contains the following tabs:

Tab Description
New Third Party Trackers Lists all Third-Party tracking domains found in the supporting scans that are not in the Consent Manager instance.
New First Party Trackers Lists all First Party tracking domains found in the supporting scans that are not in the Consent Manager instance.
Existing CM Trackers-Found Lists all tracking domains found in the supporting scans that are already included in the Consent Manager instance.
Existing CM Trackers-Not Found Lists all tracking domains included in the Consent Manager instance but not found in the supporting scans.

The columns on the New Third Party Trackers, New First Party Trackers, and Existing CM Trackers-Found tabs are:

Column Description
Tracking Domain The tracking domain being categorized.
Consent Category The consent category the tracking domain is assigned.
Preferred Consent Category The new consent category to update when clients want to change it. Available in all tabs.
Root Domain The parent domain of the tracking domain.
Company Name The vendor name.
PSI The TrustArc Privacy Sensitivity Index (PSI) rating of the vendor.
Affiliations Any known Self-Regulatory bodies the vendor is affiliated with.
Tracker Category The business category in which the tracker is included, as indicated by WMM. Based on tracker information and assessed by TrustArc. Refer to Tracker Categories in the Appendix for definitions.
Cookies The number of cookies dropped by the tracking domain.
Local Storage The number of Local Storage (HTML5) trackers used by the tracking domain.
Beacon The number of web beacons used by the tracking domain.
JavaScript The number of JS trackers used by the tracking domain.
ETag The number of ETags used by the tracking domain.

The Existing CM Trackers-Not Found tab contains only the Tracking Domain, Consent Category, Preferred Consent Category, and Company Name columns.

Tracker Details Page (TDP) Tracker Audit
TDP Tracker Audit tabs

A Tracker Details Page Tracker Audit (TDP Audit) is used for clients who utilize the Tracker Details Page option with their Consent Manager instance. The TDP Audit is more detailed and contains information that you must supply.

A TDP Audit contains the same four tabs as the Standard Tracker Audit: New Third Party Trackers, New First Party Trackers, Existing CM Trackers-Found, and Existing CM Trackers-Not Found.

The columns on each tab depend on your TDP configuration. The default columns are:

Column Description
Tracking Domain The tracking domain being categorized.
Consent Category The consent category the tracking domain is assigned.
Preferred Consent Category The new consent category to update when clients want to change it. Available in all tabs.
Vendor Name The vendor name.
Tracker Type The type of tracking technology used.
Tracker Name The name of the tracker. This field is dynamically populated only when the tracker type is cookies.
Tracker Purpose The purpose of the tracker. Note: This information is client-provided.
Tracker Duration The duration of the tracker, if applicable.
3rd Party Sharing Indicates if the tracking data is shared with a third party. Note: This information is client-provided.
First Found At The website or webpage where the tracker was first detected during the scan.
IAB Tracker Audit
IAB Tracker Audit tabs

An IAB Tracker Audit supports clients who utilize the IAB EU TCF 2.2 framework with their Consent Manager instance, as the IAB EU TCF 2.2 framework uses a separate consent classification system for IAB-affiliated vendors.

An IAB Audit contains the following tabs:

Tab Description
New Third Party Trackers All non-IAB affiliated Third-Party tracking domains found in the scans that are not in the Consent Manager instance.
New First Party Trackers All First Party tracking domains found in the scans that are not in the Consent Manager instance.
Existing CM Trackers-Found All non-IAB affiliated tracking domains found in the scans already included in the Consent Manager instance.
Existing CM Trackers-Not Found All non-IAB affiliated tracking domains in the Consent Manager instance but not found in the scans.
New IAB Trackers All IAB-affiliated tracking domains found in the scans that are not in the Consent Manager instance.
Existing IAB Trackers-Found All IAB tracking domains found in the scans already included in the Consent Manager instance.
Existing IAB Trackers-Not Found All IAB-affiliated tracking domains in the Consent Manager instance but not found in the scans.

The New Third Party Trackers, New First Party Trackers, and Existing CM Trackers-Found tabs share the same columns as the Standard Tracker Audit (Tracking Domain, Consent Category, Preferred Consent Category, Root Domain, Company Name, PSI, Affiliations, Tracker Category, Cookies, Local Storage, Beacon, JavaScript, ETag).

The Existing CM Trackers-Not Found tab contains only the Tracking Domain, Consent Category, Preferred Consent Category, and Company Name columns.

The New IAB Trackers, Existing IAB Trackers-Found, and Existing IAB Trackers-Not Found tabs contain:

Column Description
Tracking Domain The tracking domain being categorized.
Company Name The vendor name.
Processing Purpose The applicable IAB Processing Purpose categorization.
Scan Report
Scan Report tabs

A Scan Report is a crucial tool for website owners seeking to ensure compliance with privacy regulations and safeguard their business from legal and financial risks. This audit provides a comprehensive analysis of all trackers that load on a website before user consent is granted, categorizing them (e.g., Required, Functional, or Advertising Cookies) and identifying the specific pages where they appear.

This audit is useful for organizations that deploy Consent Manager scripts across multiple countries, regions, or brands, where local laws and user expectations can differ. By identifying inconsistencies or gaps in consent framework implementation, the audit enables proactive measures to ensure all tags and trackers honor user preferences across all digital properties.

The findings enable clients to take corrective actions — such as reconfiguring tags and rules for firing them — to ensure full compliance with privacy regulations.

A Scan Report contains the following tabs:

Tab Description
Third Parties All Third-Party tracking domains found in the scan.
First Parties All First Party tracking domains found in the scan.
Cookies Information about all cookies found in the scan.
Javascripts Information about all JS tracking objects found in the scan.
Etags Information about all ETags found in the scan.
Beacons Information about all web beacons found in the scan.
Local Storage Information about all Local Storage/HTML5 trackers found in the scan.
Third Parties and First Parties Tabs
Column Description
Domain The tracking domain being categorized.
Consent Category The consent category or bucket the tracking domain is assigned.
Root Domain The parent domain of the tracking domain.
Company Name The vendor name.
PSI The TrustArc PSI rating of the vendor.
Affiliations Any known Self-Regulatory bodies the vendor is affiliated with.
Tracker Category The business category in which the tracker is included, as indicated by WMM, assessed by TrustArc. Refer to Tracker Categories in the Appendix.
Cookies The number of cookies dropped by the tracking domain.
Local Storage The number of Local Storage (HTML5) trackers used by the tracking domain.
Beacon The number of web beacons used by the tracking domain.
JavaScript The number of JS trackers used by the tracking domain.
ETag The number of ETags used by the tracking domain.
Cookies Tab
Column Description
Domain The tracking domain being categorized.
Consent Category The consent category or bucket to which the cookie is assigned.
Type Persistent Cookie (valid beyond the browser session) or Session Cookie (valid for the browser session only).
Name The name of the cookie.
Value The value the cookie dropped when scanned.
Creation Date The date the cookie was created, typically the scan date.
Expiration Date The date the cookie is set to expire.
Duration For persistent cookies, the validity period in days. For session cookies, shows "session".
Creation Page The first page where the cookie was encountered.
Crawl Domain The 'seed' URL being scanned when the tracker was encountered.
Seed Page The starting point in the scan that leads to the Creation Page.
Tracker Category The business category in which the tracker is included, as indicated by WMM, assessed by TrustArc. Refer to Tracker Categories in the Appendix.
Javascripts Tab
Column Description
Domain The tracking domain being categorized.
Consent Category The consent category or bucket to which the Javascript is assigned.
Javascript URL The URL of the Javascript resource.
First seen at page The first page where the Javascript was encountered.
Seed Page The starting point in the scan that leads to the Creation Page.
Category The vendor category from WMM indicating the business category where the vendor is included.
Etags Tab
Column Description
Domain The tracking domain being categorized.
Consent Category The consent category or bucket to which the ETag is assigned.
ETagged URL The ETag resource URL.
First seen at page The first page where the ETag was encountered.
Seed Page The starting point in the scan that leads to the Creation Page.
Tracker Category The business category in which the tracker is included, as indicated by WMM, assessed by TrustArc. Refer to Tracker Categories in the Appendix.
Beacons Tab
Column Description
Domain The tracking domain being categorized.
Consent Category The consent category or bucket to which the Beacon is assigned.
Content Type The HTTP header indicating the request body data type from which the beacon was sent.
Beacon URL The Beacon's resource URL.
Found in page The first page where the Beacon was encountered.
Seed Page The starting point in the scan that leads to the Creation Page.
Tracker Category The business category in which the tracker is included, as indicated by WMM, assessed by TrustArc. Refer to Tracker Categories in the Appendix.
Local Storage Tab
Column Description
Domain The tracking domain being categorized.
Consent Category The consent category or bucket to which the Local Storage/HTML5 tracker is assigned.
Local Storage Key The name of the local storage key.
First seen at page The first page where the Local Storage/HTML5 tracker was encountered.
Seed Page The starting point in the scan that leads to the Creation Page.
Secure Indicates if the Local Storage/HTML5 tracker is secure or not.
Tracker Category The business category in which the tracker is included, as indicated by WMM, assessed by TrustArc. Refer to Tracker Categories in the Appendix.
Mobile App Consent Audit
Mobile App Consent Audit tabs

Mobile App Consent Audits are used by clients using the Mobile App Consent (MAC) version and help identify trackers making network requests in mobile apps. The report provides a list of IAB and non-IAB vendors with a recommended categorization.

A Mobile App Consent Audit contains the following tabs:

Tab Description
New Third Party Trackers All Third-Party tracking domains found in the scan.
New First Party Trackers All First Party tracking domains found in the scan.
Previously Detected Trackers All tracking domains already classified and displayed on the Mobile App Consent.

The columns on the New Third Party Trackers and New First Party Trackers tabs are:

Column Description
Domain This is the tracking domain being categorized.
Bucketing This is the recommended consent category or bucket for the tracker.
Preferred Bucketing This is the consent category or bucket when clients want to change it.
Company Name This is the vendor name associated with the identified tracker.
Tracker Category This refers to the business category in which a tracker is included, as indicated by the Website Monitoring Manager (WMM). This categorization is based on the tracker's information and assessed by TrustArc. (Please refer to Tracker Categories in the Appendix for the definition of each business category).
OS This is the operating system of the device where this tracker was found. The values for this will be Android or IOS.
App Version This is the version of the app scanned.

The columns on Previously Detected Trackers tab are:

Column Description
Domain This is the tracking domain being categorized.
Bucketing This is the consent category or bucket where the tracking domain is assigned.
Preferred Bucketing This is the consent category or bucket when clients want to change it.
Company Name This is the vendor name associated with the identified tracker.
Tracker Category This refers to the business category in which a tracker is included, as indicated by the Website Monitoring Manager (WMM). This categorization is based on the tracker's information and assessed by TrustArc. (Please refer to Tracker Categories in the Appendix for the definition of each business category).
OS This is the operating system of the device where this tracker was found. The values for this will be Android or IOS.
App Version This is the version of the app scanned.
Mobile App Consent IAB Tracker Audit
Mobile App Consent IAB Tracker Audit tabs

Mobile App Consent IAB Tracker Audit supports clients who utilize the IAB EU TCF 2.2 framework with their Consent Manager instance in mobile apps, as IAB EU TCF 2.2 uses a separate consent classification system for IAB-affiliated vendors.

A Mobile App Consent IAB Tracker Audit contains the following tabs:

Tab Description
New Third Party Trackers All Third-Party tracking domains found in the scan.
New First Party Trackers All First Party tracking domains found in the scan.
New IAB Trackers All IAB-affiliated tracking domains found in the scan that need to be reviewed and approved for inclusion in your Mobile App Consent.
Previously Detected Trackers All tracking domains already classified and displayed on the Mobile App Consent.
Previously Detected IAB Trackers All IAB-affiliated tracking domains already classified and displayed on the Mobile App Consent.

The columns on the New Third Party Trackers, New First Party Trackers, and Previously Detected Trackers tabs are:

Column Description
Domain This is the tracking domain being categorized.
Bucketing This is the consent category or bucket where the tracking domain is assigned.
Preferred Bucketing This is the consent category or bucket when clients want to change it.
Company Name This is the vendor name associated with the identified tracker.
Tracker Category This refers to the business category in which a tracker is included, as indicated by the Website Monitoring Manager (WMM). This categorization is based on the tracker's information and assessed by TrustArc. (Please refer to Tracker Categories in the Appendix for the definition of each business category).
OS This is the operating system of the device where this tracker was found. The values for this will be Android or IOS.
App Version This is the version of the app scanned.
Previous IAB Vendor (in Prev Detected Trackers only) This indicates if the vendor is a previous IAB Vendor.

The New IAB Trackers and Previously Detected IAB Trackers tabs contain: Domain, Bucketing, Company Name, Tracker Category, OS, App Version, Cookie Name, and Current Bucketing (Prev Detected IAB Trackers only).

Tracker Review Steps

When reviewing a Tracker Audit, you are verifying TrustArc's suggested categorization of a tracker against your configuration and use of the tracker. Based on the guidelines in the Tracker Categorization section, if you feel the categorization should be different from TrustArc's suggestion, you can update the report with your desired categorization and return it to your Technical Account Manager for use in updating your Consent Manager instance.

Note: When moving a tracker from the Advertising or Functional category to Required, TrustArc recommends validating this change with your legal team. The Required category is the one category where the European Data Protection Board has provided clear examples of "exempt" trackers. Clients using IAB TCF Tracker Audits should also note that the classification of trackers in New IAB Trackers and Existing IAB Trackers Found cannot be changed.
Reviewing a Tab
1
Identify TrustArc's suggested categorization of each tracker domain and compare it against your configuration and use of the tracker, using the guidelines in the Tracker Categorization section.
2
If you feel the categorization should be different from TrustArc's suggestion, update the Preferred Consent Category column with your desired categorization, then highlight the row as well.

Preferred Consent Category column update example
Note: When reviewing the First Party tab, TrustArc defaults the suggested categorization to Required. However, these trackers should be evaluated against the Tracker Categorization guidelines and categorized appropriately. If you need to categorize any First Party trackers differently from Required, please contact your Technical Account Manager. We can assist in coordinating opt-out details with your Technical Team.

Once you have completed your review of the Tracker Audit tabs, notify your Technical Account Manager. If you have made any changes to the suggested categorization, attach the updated Excel spreadsheet with the suffix '_edit' appended to the file name with your reply.

TrustArc  ·  Consent Manager — Tracker Audit and Categorization Guide  ·  www.trustarc.com