A BBC investigation published in February 2026 showed TikTok using a tracking pixel to collect highly sensitive data from websites across the Internet, including disclosures about cancer diagnoses, fertility treatment, and mental health concerns. The BBC found the pixel intercepting data that websites were transmitting to Google, without those sites knowingly authorizing any sharing with TikTok. What was especially troubling was that the tracking included individuals who had never created a TikTok account.


The Ubiquity of Third-Party Scripts


While the findings raise serious privacy concerns, they also underscore a broader risk: the lack of visibility and control organizations often have over third-party scripts embedded in their websites. Numerous studies have shown that modern websites can load more than two dozen third and fourth-party scripts, including analytics tags, ad pixels, chat widgets, and A/B testing tools. Often, website owners deploy them to support business needs but rarely implement any controls or oversight.


What many may not realize is that once loaded, a third-party script operates with the same browser-level privileges as the site's own code. It has access to the entire DOM, meaning it can read every element on the page in real time, including form fields as users type into them, drop-down and checkbox selections, and any data the browser auto-fills on the user's behalf.


Critically, third-party scripts don't need to wait for the user to submit a form. They can capture values as the user types them, before the web app itself has done anything with the data. Even if the application never transmits the data, a script can capture it independently and send it elsewhere. That's not all. Scripts can also read cookies, access data in the browser's local storage, and fingerprint users by collecting browser and device characteristics that survive cookie deletion and account logout. This form of "cookieless" tracking is becoming an increasingly common way for sites to track users without requiring their consent and without any indication that it is happening.


The BBC's investigation of TikTok, for instance, showed that website owners had no idea that a user selecting a checkbox such as "I am a cancer patient" could trigger a background network request sending the user's email address and disclosure to TikTok. The site owners didn't approve it and, in many cases, likely didn't even realize it was happening.


Broad Implications


The implications for website operators are enormous. Under privacy and security regulations such as GDPR, CCPA, HIPAA, and PCI DSS, the website owner is responsible for protecting user data, even if a third-party script collected it in violation of compliance requirements. If sensitive information is exposed through a third-party script, regulators will hold the site owner accountable. Even TikTok, in its comments to the BBC, noted that it is up to website owners themselves to ensure they comply with privacy requirements and to use the notifications and tools the company provides to help them do so.


For most website owners, removing all third-party scripts is clearly not an option, as they enable essential capabilities, from logging and analytics to customer engagement. What's needed instead is the ability to continuously monitor script behavior and enforce clear boundaries on what scripts can do, preventing unauthorized data access or transmission without disrupting legitimate functionality.


Governance and Oversight


Fine-grained script governance begins with visibility. Organizations must be able to identify every script running on their pages, understand what data each script accesses, and track where that data is sent. This visibility cannot be limited to development. It must also extend continuously into production, where scripts can change behavior after deployment without notice.


Access controls are equally essential. Scripts should interact with sensitive page elements only when explicitly authorized. A marketing pixel such as TikTok's has no legitimate reason to read responses in a medical form, and a chat widget has no need to access payment fields. Organizations should implement isolation and behavioral policies to ensure scripts operate within clearly defined boundaries and only access the data necessary for their intended function. Controlling outbound data flows is another critical requirement. Security teams must be able to monitor script communications, restrict connections to approved domains, detect unexpected destinations, and block unauthorized transmissions in real time.


The TikTok pixel investigation is a reminder that third-party scripts operate as trusted insiders within modern websites, often with far more access than organizations realize. Without continuous visibility and control, these scripts can quietly expose sensitive user data and create significant security, privacy, and regulatory risk.
