Most service-business owners have no idea what their website is actually doing in the background. The contact form is the visible part. The analytics dashboard is the visible part. The third-party trackers loading invisibly on every page, the session-replay scripts watching every mouse move, the ad-network pixels building shadow profiles of every visitor, the cookie banners that exist because of those trackers — none of that is visible.

The Markup, an investigative-journalism nonprofit, built a tool that makes the invisible visible. It is called Blacklight, and it is the cleanest way I have found to see exactly what a website is loading on someone else's behalf. This post walks through what Blacklight does, how to use it, what to do with the findings, and how the same tool fits into my own build process.

What Blacklight is

Blacklight is a real-time website privacy inspector. You paste any URL into the box on themarkup.org/blacklight, and the tool loads the page in a sandboxed browser, watches every network request the page makes, and produces a written report. The whole thing takes about 30 seconds and is completely free.

The report covers seven distinct categories of privacy concern:

  1. Ad trackers. How many third-party trackers were loaded on the page and which networks they belong to (Google, Facebook, Microsoft, Amazon, etc.).
  2. Third-party cookies. Cookies set by domains other than the one being visited, the standard mechanism for cross-site tracking.
  3. Canvas fingerprinting. Whether scripts on the page are using the HTML canvas to generate a unique device fingerprint, which works even when the user blocks cookies.
  4. Session recording. Whether services like Hotjar, Mouseflow, or FullStory are recording the visitor's session to play back later.
  5. Key logging. Whether form fields are being captured before the visitor submits them — a real and growing pattern that lets companies harvest typed-but-not-submitted information.
  6. Facebook tracking. Whether the Facebook pixel is present, what events it is reporting, and what data is being shared with Meta.
  7. Google tracking. Whether Google Analytics, Google Tag Manager, Google Ads, or DoubleClick scripts are running, and whether the IP address is being shared.

Each finding includes a short explanation of what the tracker does, why it might be on the site, and what risks it represents. The tone is neutral and factual; Blacklight is not a hit piece on any specific site.

How to use it

The basic flow is two clicks:

  1. Visit themarkup.org/blacklight.
  2. Paste the URL of the page you want to inspect (the homepage is the standard starting point) and click "Inspect Site."
  3. Wait roughly 30 seconds while Blacklight loads the page in its sandbox.
  4. Read the report.

The report itself is a permanent URL on themarkup.org, which means you can save it, share it with a developer, or send it to a vendor as part of a procurement conversation. The tool keeps the report public for at least a few weeks, which is long enough for most reasonable uses.

What to do with the findings

The Blacklight report is not actionable on its own. The value comes from understanding what the findings mean for your specific situation. A few patterns worth knowing:

If the report shows zero or one tracker

Your site is in good shape. Privacy-respecting by construction. The visitors who reach your site are not being secretly profiled, the cookie banner you may have written off as theater can probably go away (since you do not actually need consent for tracking that does not exist), and your legal exposure under privacy regulations (GDPR, CCPA, Quebec Law 25, the various U.S. state privacy laws coming online) is minimal. This is the goal posture, and it is genuinely achievable.

If the report shows two to four trackers

Likely cause: Google Analytics plus a Facebook pixel, possibly a Google Tag Manager container that pulls in a few more. This is the modal small-business website. The trackers are not catastrophic, but they are doing more than the business owner usually realizes, and they are the reason the cookie banner exists. The honest fix is to switch to privacy-first analytics (Cloudflare Web Analytics or Umami, both of which are cookie-free and produce the same operational reports) and remove the Facebook pixel if you are not actively running paid ads.

If the report shows five or more trackers

The site is leaking visitor data heavily. Common cause: a marketing-agency engagement that bolted on Hotjar for session recording, AdRoll for retargeting, HubSpot for the contact form, and a Google Tag Manager container with a dozen more pixels inside it. The site is slow because of the tracker load, the cookie banner is mandatory, and the privacy exposure is real. The fix here is bigger and worth a conversation with whoever maintains the site.

If the report shows session recording

Worth looking at carefully. Session recording is the tracker pattern that surprises business owners the most when they learn about it. The vendor tells the business owner the tool helps "understand visitor behavior." What is happening technically is that every mouse movement, scroll position, click, and (in many configurations) every key the visitor types into a form field is being recorded and sent to a third-party server, where the business owner can play it back like a video. The visitor has no idea this is happening unless the cookie banner discloses it specifically, which most do not.

The legal posture on session recording is increasingly aggressive. California has been particularly active on session recording as a wiretap-statute violation, and the lawsuits have been expensive. If your Blacklight report shows session recording, talk to a lawyer or remove the tracker. Both options are valid; the third option (do nothing) is the riskiest of the three.

How I run my own builds against Blacklight

Before I launch any client site, I run it through Blacklight as part of a pre-launch checklist. The expected result, every time, is zero ad trackers, zero session recording, zero canvas fingerprinting, and zero Facebook tracking. Most of my sites pass with a clean sweep. Occasionally a Cloudflare Web Analytics line shows up as a "tracker" by Blacklight's definition — which is technically correct, since Cloudflare is a third party from the site's perspective, but Cloudflare's analytics are cookie-free, IP-anonymized, and aggregated at the edge before any data leaves the visitor's session. I disclose that on every site's privacy page and the report stays accurate.

The reason I do this is not theater. Blacklight gives me an independent third-party verification that the privacy posture I claim on the marketing pages is actually what the live site is doing. If a stray tracker ever sneaks in (a CDN switch that suddenly loads a Google Fonts call from googleapis.com, for example), Blacklight catches it before launch. The check is part of the build pipeline, not an afterthought.

For client sites I run Blacklight again at every quarterly review. Trackers can drift in over time, especially when a client has another agency add a campaign-tracking script to a landing page. A quarterly Blacklight pass keeps the privacy story honest.
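
A static complement to the pre-launch Blacklight pass described above, as an added example that is not the author's code or part of Blacklight: it scans built HTML for hosts the browser would contact on load and reports any that are neither first-party nor explicitly allowed, such as the stray googleapis.com font call. The site host `example-agency.test`, the sample markup and the function names are constructed for illustration, and the check sees only URLs present in the markup, not requests that scripts make at runtime.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> attributes the browser fetches on page load (<a href> is not fetched).
FETCH_ATTRS = {"script": ("src",), "img": ("src",), "iframe": ("src",),
               "link": ("href",), "source": ("src",), "video": ("src", "poster")}
# <link> only triggers a network connection for these rel values.
FETCHING_RELS = {"stylesheet", "preload", "modulepreload", "prefetch",
                 "preconnect", "dns-prefetch", "icon"}

class ResourceCollector(HTMLParser):
    """Collects the URLs the markup asks the browser to load."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "link":
            rels = set((attr.get("rel") or "").lower().split())
            if not rels & FETCHING_RELS:
                return  # canonical, alternate, etc. are never fetched
        self.urls += [attr[n] for n in FETCH_ATTRS.get(tag, ()) if attr.get(n)]

def third_party_hosts(html, site_host, allowed=frozenset()):
    """Return sorted hosts that are neither first-party nor allowlisted."""
    collector = ResourceCollector()
    collector.feed(html)
    found = set()
    for url in collector.urls:
        host = (urlsplit(url.strip()).hostname or "").lower()
        first_party = host == site_host or host.endswith("." + site_host)
        # An empty host is a relative path or data: URI, i.e. the site itself.
        if host and not first_party and host not in allowed:
            found.add(host)
    return sorted(found)

# Constructed sample: a build where a font switch added a googleapis.com call.
SAMPLE_HTML = """<head>
<link rel="canonical" href="https://example-agency.test/">
<link rel="stylesheet" href="//fonts.googleapis.com/css2?family=Inter">
<script defer src="https://static.cloudflareinsights.com/beacon.min.js"></script>
</head><body><img src="/img/hero.webp" alt="">
<a href="https://www.facebook.com/example">Facebook</a></body>"""

if __name__ == "__main__":
    stray = third_party_hosts(SAMPLE_HTML, "example-agency.test",
                              {"static.cloudflareinsights.com"})
    # A string argument prints to stderr and exits 1, failing the build step.
    raise SystemExit(f"unexpected third-party hosts: {stray}" if stray else 0)
```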

What Blacklight does not catch

Worth being honest about the limits of any single tool:

  • Server-side tracking. Blacklight watches the browser's network requests. If a site sends visitor data from its own server to a third party (like Meta's Conversion API), Blacklight cannot see it. The trend in 2026 is increasingly toward server-side tracking precisely because tools like Blacklight have made client-side tracking visible.
  • Email-based tracking. Pixels in marketing emails, link redirects, unsubscribe-page tracking. All happen outside the browser.
  • App tracking. Blacklight is web-only. Mobile app trackers (the SDKs companies like Adjust, Branch, and Singular sell) are a separate world with different inspection tools.
  • The intent behind a tracker. Blacklight tells you what is loading. It does not tell you whether the business has a legitimate reason for it (some companies genuinely need conversion-attribution pixels) or whether it is a careless mistake (many do).

That said, for a small-business website, Blacklight catches roughly 90 percent of what would matter. It is the right starting tool, and it is free.

How to use it as a buyer

If you are evaluating a web design agency, run their own marketing site through Blacklight before you sign anything. The result tells you something real about how the agency thinks about privacy. An agency that markets itself on speed and minimalism but loads twelve trackers on its own homepage is selling a posture it does not practice.

The same applies to any vendor whose site you are about to put your visitors on. Hosting providers, form backends, scheduling tools, payment processors. If their own marketing site is heavy with trackers, the product they sell is likely heavier still.

One small request

The Markup is a nonprofit, and Blacklight is funded by donations. If you find the tool useful, consider supporting them. Independent journalism is the reason this tool exists at all, and the same independence is what makes the tool credible.

The tool is at themarkup.org/blacklight. Run it on your own site first. The result usually tells you what to do next.
