Selected finding
Sensitive input surface with third-party tracking context
Benchmark frequency is directional market context only. It is not a compliance benchmark, legal conclusion, or severity score. Rare findings may be top-ranked only when retained evidence is strong; common findings may remain medium when evidence is automated or context-dependent. Rarity is not severity, and prevalence is not compliance risk.
Observed
Retained page and runtime evidence showed a sensitive-input or sensitive-context surface alongside third-party tracking, analytics, advertising, replay, or measurement context in the observed scan scope.
Why this matters
Sensitive forms or flows that also load third-party tracking context may warrant deeper review because field purpose, payload contents, vendor purpose, consent state, and minimization can change the risk assessment. The signal helps teams find shared templates or tag rules that may need page-level exclusions.
Detection methodology
CertScore compares retained page-surface evidence for sensitive input fields, form context, page purpose, and semantic cues with retained runtime evidence for third-party tracking, analytics, advertising, replay, measurement, or vendor requests observed in the same scan scope. The finding is surfaced when a sensitive-input or sensitive-context surface appears alongside third-party tracking context. CertScore treats this co-occurrence as a review signal. The scanner does not determine that sensitive field values were transmitted, captured, read, linked to a third party, or that GDPR Article 9 applies. Financial, identity, contact, location, employment, children, protected-class, or other high-risk context signals require manual review and are not automatically GDPR Article 9 special-category data. Reviewers should consider field purpose, form state, masking, event listeners, payload evidence, vendor category, consent state, page template reuse, and whether the retained evidence reflects the affected user-facing flow.
Confidence semantics: Good when retained page-surface evidence for a sensitive-input or sensitive-context surface co-occurs with retained third-party tracking, analytics, advertising, replay, or measurement context; stronger when retained evidence includes field context, vendor category, timing, consent state, and usable coverage. Manual review is still needed for data sensitivity, payload contents, purpose, necessity, minimization, and remediation quality.
Top-finding calibration
What must be retained to surface, top-rank, demote, or suppress this finding.
Minimum to surface
- Retained sensitive surface plus retained third-party tracking on same page or flow.
High confidence requires
- Field/surface context plus vendor category, timing, and coverage.
Top ranking requires
- Sensitive page plus advertising, replay, or measurement plus consent concern or event-capture signal.
Demote or suppress when
- Sensitive field alone.
- Vendor elsewhere on site.
- No same-surface runtime artifact.
These rules describe ranking calibration for already-projected findings. They do not create findings from raw signals.
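The correlation the methodology above describes, and the calibration tiers just listed, as an added example in JavaScript that is not CertScore's code: it classifies constructed page-surface records by field cues, keeps only third-party requests in tracking categories that were retained on the same surface, grades each page as not surfaced, insufficient, audit-only, good or strong, applies the top-ranking rule, and emits artifact lines with query strings and field values redacted. The cue lists, category names, the registrable-domain heuristic and the scan artifacts are all assumptions.

```javascript
// Added illustration of the co-occurrence check and ranking calibration described above.
// Not CertScore's scanner: cue lists, category names, the domain heuristic and the
// constructed scan artifacts are all assumptions.

// Sensitive-context cues matched against field names and labels (assumed, illustrative).
const SENSITIVE_CUES = {
  financial_or_identity: ["income", "salary", "ssn", "social security", "passport", "iban"],
  health: ["diagnos", "medication", "symptom", "patient"],
};
// Vendor categories treated as third-party tracking context (assumed names).
const TRACKING_CATEGORIES = new Set(["analytics", "measurement", "advertising", "replay"]);
// Categories that, with a consent concern or event-capture signal, push a finding to the top rank.
const TOP_RANK_CATEGORIES = new Set(["advertising", "replay", "measurement"]);
const CONSENT_CONCERN = new Set(["before_consent", "after_reject"]);

const stripQuery = (url) => { const u = new URL(url); return u.origin + u.pathname; };
// Registrable-domain heuristic (last two labels); a real scanner would consult the public suffix list.
const registrable = (host) => host.split(".").slice(-2).join(".");
const isThirdParty = (pageUrl, origin) =>
  registrable(new URL(pageUrl).hostname) !== registrable(new URL(origin).hostname);

// Page-surface evidence: which sensitive contexts do the field names and labels suggest?
function classifySurface(page) {
  const text = page.fields.map((f) => `${f.name} ${f.label}`).join(" ").toLowerCase();
  return Object.keys(SENSITIVE_CUES).filter((ctx) =>
    SENSITIVE_CUES[ctx].some((cue) => text.includes(cue)));
}

// Artifact lines in the page's key=value style: no field values, no query strings, no raw DOM.
function artifactLines(page, contexts, req) {
  const reqUrl = new URL(req.path, req.origin);
  return [
    `url=${stripQuery(page.url)}`,
    `sensitive_field_context=${contexts.join("|")} [values_not_retained]`,
    `third_party_request_origin=${req.origin}`,
    `third_party_request_path=${reqUrl.pathname}${reqUrl.search ? " [query_redacted=true]" : ""}`,
    `vendor_category=${req.vendorCategory}`,
    `consent_state=${req.consentState ?? "unknown"}`,
  ];
}

// Correlate one page's surface evidence with the runtime requests retained for the whole scan.
function evaluate(page, allRequests) {
  const contexts = classifySurface(page);
  if (contexts.length === 0) return { url: page.url, contexts, grade: "not_surfaced", topRanked: false };

  const tracking = allRequests.filter((r) =>
    TRACKING_CATEGORIES.has(r.vendorCategory) && isThirdParty(page.url, r.origin));
  const onSurface = tracking.filter((r) => stripQuery(r.pageUrl) === stripQuery(page.url));

  // Sensitive field alone, or the vendor only elsewhere on the site: not a surfaced finding.
  if (onSurface.length === 0) {
    return { url: page.url, contexts, grade: tracking.length ? "audit_only" : "insufficient", topRanked: false };
  }
  // Good on co-occurrence; strong when timing, consent state and coverage are all retained.
  const strong = page.coverage === "complete" &&
    onSurface.every((r) => r.timingMs != null && r.consentState != null);
  const topRanked = onSurface.some((r) => TOP_RANK_CATEGORIES.has(r.vendorCategory) &&
    (CONSENT_CONCERN.has(r.consentState) || r.eventCaptureSignal === true));

  return { url: page.url, contexts, grade: strong ? "strong" : "good", topRanked,
    artifacts: onSurface.map((r) => artifactLines(page, contexts, r)) };
}

// Constructed scan artifacts (not real data); field values are never part of a page record.
const PAGES = [
  { url: "https://example.com/apply", coverage: "complete", fields: [
    { name: "annual_income", label: "Annual income" }, { name: "ssn", label: "Social Security number" }] },
  { url: "https://example.com/symptoms", coverage: "complete", fields: [
    { name: "symptoms", label: "Describe your symptoms" }] },
  { url: "https://example.com/contact", coverage: "complete", fields: [
    { name: "email", label: "Email" }, { name: "message", label: "Message" }] },
];
const REQUESTS = [
  { pageUrl: "https://example.com/apply", origin: "https://analytics.example",
    path: "/collect?cid=abc123&uid=42", vendorCategory: "analytics", timingMs: 820, consentState: "before_consent" },
  { pageUrl: "https://example.com/apply", origin: "https://replay.example", path: "/rec",
    vendorCategory: "replay", timingMs: 1300, consentState: "before_consent", eventCaptureSignal: true },
  { pageUrl: "https://example.com/apply", origin: "https://cdn.example.com", path: "/app.js",
    vendorCategory: "first_party", timingMs: 100, consentState: "before_consent" },
  { pageUrl: "https://example.com/", origin: "https://ads.example", path: "/pixel?id=7",
    vendorCategory: "advertising", timingMs: 400, consentState: "before_consent" },
];

function runExample() {
  return PAGES.map((page) => evaluate(page, REQUESTS));
}

for (const result of runExample()) console.log(JSON.stringify(result));
```

In the constructed scan, /apply is graded strong and top-ranked (replay plus analytics on the same surface, before consent, with timing and coverage retained), /symptoms is audit-only because the only advertising request was retained on the homepage rather than on the sensitive surface, and /contact is not surfaced because its fields match no sensitive cue. The emitted artifact never contains the `cid` or `uid` query values, which is the redaction property a reviewer should check before any example leaves the scanner.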
Example evidence
Sensitive surface tracking context
artifact=sensitive_tracking_001
role=finding_supporting_artifact
url=https://example.com/apply
surface_context=application_form
sensitive_field_context=financial_or_identity [values_not_retained]
third_party_request_origin=https://analytics.example
third_party_request_path=/collect [query_redacted=true]
vendor_category=analytics_or_measurement
detected_pattern=third_party_tracking_on_sensitive_surface
review_caveat=manual review should confirm data sensitivity, payload contents, purpose, consent state, minimization, and page-level exclusions
Review context
possible_source=shared_layout_or_tag_manager
contexts_to_review=field_purpose, event_capture, payload_contents, consent_state, vendor_purpose
payload_values_retained=false
raw_dom_retained=false
manual_review_needed=true
What should not count by itself
sensitive_field_label=income [insufficient_without_runtime_tracking_context]
third_party_vendor_present=true [insufficient_without_same_surface_context]
form_present=true [audit_only_without_sensitive_context]
user_entered_value [must_not_be_public_sample_evidence]
Redacted sample JSON
{
"findingId": "sensitive_data_collection_with_third_party_tracking_present",
"label": "Sensitive input surface with third-party tracking context",
"category": "Third-party tracking",
"criticality": "high",
"evidenceConfidence": "review_signal",
"directVsInferred": "correlated_observation",
"evidence": {
"summary": "Retained page and runtime evidence showed a sensitive-input or sensitive-context surface alongside third-party tracking, analytics, advertising, replay, or measurement context in the observed scan scope.",
"examples": [
{
"title": "Sensitive surface tracking context",
"lines": [
"artifact=sensitive_tracking_001",
"role=finding_supporting_artifact",
"url=https://example.com/apply",
"surface_context=application_form",
"sensitive_field_context=financial_or_identity [values_not_retained]",
"third_party_request_origin=https://analytics.example",
"third_party_request_path=/collect [query_redacted=true]",
"vendor_category=analytics_or_measurement",
"detected_pattern=third_party_tracking_on_sensitive_surface",
"review_caveat=manual review should confirm data sensitivity, payload contents, purpose, consent state, minimization, and page-level exclusions"
]
},
{
"title": "Review context",
"lines": [
"possible_source=shared_layout_or_tag_manager",
"contexts_to_review=field_purpose, event_capture, payload_contents, consent_state, vendor_purpose",
"payload_values_retained=false",
"raw_dom_retained=false",
"manual_review_needed=true"
]
},
{
"title": "What should not count by itself",
"lines": [
"sensitive_field_label=income [insufficient_without_runtime_tracking_context]",
"third_party_vendor_present=true [insufficient_without_same_surface_context]",
"form_present=true [audit_only_without_sensitive_context]",
"user_entered_value [must_not_be_public_sample_evidence]"
]
}
]
}
}
Regulatory review context
Sensitive surface with third-party tracking review
Retained page and runtime evidence showed sensitive-input or sensitive-context signals alongside third-party tracking context that may be relevant to privacy, consent, minimization, sensitive-data, and vendor-governance review. Applicability depends on field purpose, payload contents, vendor role, consent state, jurisdiction, and manual review.
Legal and regulatory frameworks
- GDPR special-category or high-risk context review: The retained surface context may involve Article 9 special-category data, such as health, biometric-for-identification, genetic, racial or ethnic origin, political opinion, religious or philosophical belief, trade-union membership, sex-life, or sexual-orientation context, or may otherwise involve sensitive/high-risk fields that require manual review.
- GDPR minimization, security, and transparency review: Third-party vendor, tracking, or identifier-like signals appear near sensitive data collection surfaces and may require minimization, transparency, or security review.
- ePrivacy cookie/device-access review: The sensitive surface may involve cookies, device access, analytics, advertising, or similar tracking technologies depending on retained runtime evidence and manual review.
Jurisdictional contexts
- Health-context online tracking review: The observed surface may involve health, telehealth, patient portals, health apps, or consumer health data.
- CCPA/CPRA sensitive personal information review: California users and sensitive personal information, sale/share, or cross-context advertising may be in scope.
- EU GDPR special-category or high-risk context review: EU/EEA users and Article 9 special-category data, sensitive inferences, or high-risk context may be in scope depending on the surface, purpose, and manual review.
- FTC sensitive-data privacy review: Consumer-facing privacy claims, sensitive information, or third-party sharing practices may be at issue.
This finding does not determine legal status, GDPR Article 9 status, consent validity, sensitive-value transmission, third-party receipt, or compliance status. Financial, identity, contact, location, employment, children, protected-class, or other high-risk context signals require manual review and are not automatically GDPR Article 9 special-category data. Review retained surface context, runtime anchors, payload evidence, vendor purpose, consent state, minimization, and page-level exclusions.
Evidence standard
Strong
- Retained page-surface evidence identifies a sensitive input field, sensitive form, or sensitive page context.
- Retained runtime evidence identifies third-party tracking, analytics, advertising, replay, measurement, or vendor context on the same page or flow.
- Evidence includes page URL, representative selector or field context where safe, vendor or category classification, timing, and redaction of user-entered values, query strings, and payloads.
- Evidence distinguishes co-occurrence from actual sensitive-value transmission where retained.
- Coverage context indicates the page-surface and runtime observations were not materially blocked or unreliable.
Good
- Retained evidence shows sensitive-input or sensitive-context surface co-occurring with third-party tracking context, but payload contents or exact event capture may require manual review.
- The retained example is enough for a reviewer to locate the affected page or form and inspect vendor activity manually.
- The evidence is likely a sensitive-surface tracking review signal, but data sensitivity, purpose, consent state, payload contents, and minimization require manual review.
Audit-only
- Sensitive page or form context exists, but retained third-party runtime evidence is incomplete or not tied to the same observed surface.
- Third-party tracking exists on the site, but retained evidence does not show co-occurrence with the sensitive surface.
- Field names, labels, or page text suggest sensitivity, but no retained runtime tracking artifact supports the observed state.
Insufficient
- Sensitive field label alone without retained page context and runtime tracking evidence.
- Third-party vendor name alone without co-occurrence on the affected surface.
- Screenshot, raw DOM, user-entered value, or full payload as public evidence.
- Tracking observed only on unrelated pages.
- Claims that sensitive values were transmitted, captured, read, or linked to a third party based only on co-occurrence evidence.
Evidence levels explain how CertScore treats retained runtime artifacts. They are not legal conclusions.
Common causes
- Shared layouts load analytics, advertising, replay, or measurement tags on every page.
- Form pages inherit global marketing tags or tag-manager containers.
- Sensitive flows are built on the same templates as general marketing or lead-generation pages.
- Vendor suppression rules do not distinguish sensitive form pages from ordinary content pages.
- Event tracking, pixels, or analytics SDKs are added without page-level exclusions for sensitive-input contexts.
Common remediation approaches
- Teams commonly review page-level tag exclusions for sensitive form pages, account flows, application flows, and other high-review surfaces.
- Session replay and analytics vendors should be reviewed for field masking, event suppression, and page-exclusion settings on sensitive inputs.
- Analytics event tracking should be tested on the specific form page, not only the homepage or shared template.
- Tag-manager rules should be reviewed to confirm that sensitive pages do not inherit unnecessary advertising, replay, or measurement tags.
- Payload and event-name review may help confirm whether only co-occurrence is present or whether field-level transmission requires deeper review.
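An added example of the page-level exclusion, consent gating and event suppression these approaches describe, written as illustrative JavaScript rather than any tag manager's or vendor's configuration: a weak firing rule set sits beside a corrected one, and a scrubber shows the event-level defence for tags that still load. Path prefixes, tag ids, category names and consent-purpose names are assumptions.

```javascript
// Added illustration of page-level tag exclusions, consent gating and event suppression on
// sensitive surfaces. Not the configuration of any tag manager or vendor: the path prefixes,
// tag ids, category names and consent-purpose names below are assumptions.

// Surfaces that must not inherit non-essential tags from the shared layout (assumed list).
const SENSITIVE_PATH_PREFIXES = ["/apply", "/account", "/patient"];

// Weak configuration: every tag fires on every page with no consent check or page exclusion,
// which is how a shared layout or "all pages" trigger puts replay and pixels on a form page.
const WEAK_TAGS = [
  { id: "analytics_tag", category: "analytics", trigger: { allPages: true } },
  { id: "replay_tag", category: "replay", trigger: { allPages: true } },
  { id: "ads_pixel", category: "advertising", trigger: { allPages: true } },
];

// Corrected configuration: the same tags with sensitive surfaces excluded and the consent
// purpose each one needs named explicitly. An essential tag keeps no consent gate but is
// listed so the exclusion decision for it is visible in review.
const HARDENED_TAGS = [
  { id: "analytics_tag", category: "analytics",
    trigger: { allPages: true, excludePrefixes: SENSITIVE_PATH_PREFIXES, requiresConsent: "analytics" } },
  { id: "replay_tag", category: "replay",
    trigger: { allPages: true, excludePrefixes: SENSITIVE_PATH_PREFIXES, requiresConsent: "analytics" } },
  { id: "ads_pixel", category: "advertising",
    trigger: { allPages: true, excludePrefixes: SENSITIVE_PATH_PREFIXES, requiresConsent: "advertising" } },
  { id: "fraud_sdk", category: "fraud_prevention", trigger: { allPages: true } },
];

// Prefix match on whole path segments, so "/applying" is not treated as "/apply".
function isSensitivePath(pathname, prefixes = SENSITIVE_PATH_PREFIXES) {
  return prefixes.some((p) => pathname === p || pathname.startsWith(p + "/"));
}

// Decide whether one tag may load for the current page path and consent state.
function shouldFire(tag, ctx) {
  const t = tag.trigger;
  if (!t.allPages) return false;
  if (t.excludePrefixes && isSensitivePath(ctx.pathname, t.excludePrefixes)) return false;
  if (t.requiresConsent && !ctx.consent.has(t.requiresConsent)) return false;
  return true;
}

function firingTags(tags, ctx) {
  return tags.filter((tag) => shouldFire(tag, ctx)).map((tag) => tag.id);
}

// Event-level defence for tags that do fire: suppress field-level events on sensitive surfaces,
// strip query strings from page_location, and redact parameters whose names look sensitive.
// Returns null when the event must be dropped entirely.
const SENSITIVE_PARAM = /(ssn|income|salary|dob|birth|diagnos|passport|iban)/i;

function scrubEvent(event) {
  const loc = new URL(event.page_location);
  if (isSensitivePath(loc.pathname) && /^form_field/.test(event.name)) return null;
  const params = Object.fromEntries(Object.entries(event.params ?? {}).map(([k, v]) =>
    [k, SENSITIVE_PARAM.test(k) ? "[redacted]" : v]));
  return { ...event, page_location: loc.origin + loc.pathname, params };
}

// Usage: evaluate both rule sets against the actual form path, not the homepage.
const demoCtx = { pathname: "/apply/step-2", consent: new Set(["analytics", "advertising"]) };
console.log("weak:", firingTags(WEAK_TAGS, demoCtx).join(","));
console.log("hardened:", firingTags(HARDENED_TAGS, demoCtx).join(","));
```

The decision is deliberately evaluated against a nested step path such as /apply/step-2, because a multi-step flow is where a homepage-only test misses the inherited tag; the prefix match also stops near-miss paths like /applying from being excluded by accident. Masking settings inside a replay vendor's own SDK are vendor-specific and are not modelled here.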
Recommended review questions
- Which page, form, field, or flow produced the sensitive-input or sensitive-context evidence?
- What made the surface sensitive: health, financial, identity, contact, location, employment, children, protected-class, or other context?
- Which third-party tracking, analytics, advertising, replay, measurement, or vendor context was observed on the same surface?
- Does retained evidence show only co-occurrence, or does it include request payloads, event names, or field-level transmission?
- Could the third-party activity be necessary, security-related, fraud-prevention, support, or otherwise context-dependent?
- Was the activity observed before consent, after consent, after reject, or outside known consent context?
- Does the behavior appear only on one page, or across a shared template, form component, or multi-step flow?
- Are field values, identifiers, payloads, query strings, screenshots, and raw DOM excluded or redacted from public evidence?
- Should manual review confirm data sensitivity, vendor purpose, payload contents, consent state, minimization, and remediation quality?
Limitations and cautions
- This finding is an automated sensitive-surface tracking review signal, not a legal conclusion, certification, compliance determination, or determination of consent validity.
- Co-occurrence of a sensitive-input surface and third-party tracking context does not determine that sensitive field values were transmitted, captured, read, or linked to a third party.
- Automated evidence may not fully determine field purpose, data sensitivity, event capture, payload contents, masking, consent state, vendor necessity, or downstream use.
- Some third-party activity may support security, fraud prevention, support, performance, accessibility, or service delivery depending on context.
- Manual review is needed to confirm data sensitivity, payload contents, vendor purpose, consent state, minimization, page-level exclusions, and remediation quality.
- CertScore redacts or avoids retaining full query strings, payloads, identifiers, screenshots, raw DOM, and user-entered values while preserving stable anchors needed for review.
- Automated findings may contain errors and should be reviewed with the retained evidence.
- Not detected means not observed in the scan scope; it is not proof of absence.
- Findings are runtime evidence and public-surface observations for review, not legal conclusions.
