Surveillance Report

Most Tracked Websites

We measured what websites load before you click anything.

We scanned 5,948 of the most-trafficked websites in a clean, logged-out browser session — no consent click, no scroll, no login — and counted every third-party tracker that loads on first paint.

5,948
Domains scanned
92
Max trackers
47+
Top 10% load
32
Median site

The sites at the top of this list aren't household names. That isn't a gap in the data. It's the result. The sites that track you the most before you act are not the ones you expect — they're the ones that monetize immediately.

Top 100 by Tracker Count

Rankings data is being calculated. Check back soon.

Where the sites you recognize actually fall

Here's where the sites you recognize actually fall:

Site
Trackers
Why
foxnews.com
33
ad-supported, no consent gate
cnn.com
24
ad-supported, US-style banners
washingtonpost.com
22
ad-supported, soft paywall
buzzfeed.com
19
ad-supported
target.com
12
retail with ad inventory
weather.com
9
ad-supported
microsoft.com
8
corporate landing
nytimes.com
7
paywall gate
linkedin.com
5
login wall
bloomberg.com
4
strict EU-style consent gate
google.com
4
minimal SERP shell
youtube.com
3
logged-out homepage
netflix.com
3
login wall
yahoo.com
3
sparse
amazon.com
2
pre-search shell
x.com
2
login wall
tiktok.com
2
login wall
facebook.com
1
login wall
instagram.com
1
login wall
apple.com
1
corporate landing
theguardian.com
0
consent wall blocks scripts entirely
forbes.com
0
consent wall

The pattern repeats:

  • Login walls — Facebook, Instagram, X, TikTok, LinkedIn, Reddit show a sparse landing screen. The tracking stack fires after authentication, which we never trigger.
  • Consent walls — The Guardian, Bloomberg, Forbes gate scripts behind a cookie banner. Strict EU-style flows mean almost nothing loads until you click “accept”.
  • Paywalls — NYT, WSJ render minimal content to unauthenticated visitors.
  • Corporate landing pages — Apple, Microsoft, Google's homepage prioritise speed and design over ad inventory.

Meanwhile, ad-supported regional publishers without strict consent gates load their entire ad and tracking stack on first paint. That is how a site you have never heard of can carry more trackers than Facebook does pre-login. This is not an artefact of measurement. It is a finding.

Understanding Website Tracking: What This Data Means

Third-party trackers are scripts loaded from external domains that monitor user behavior across the web. When you visit a website, these trackers can record which pages you view, how long you stay, what you click, and build a profile of your browsing habits. The websites on this list deploy the highest number of such tracking scripts among the domains we analyze.

Why Tracker Count Matters for Vendor Risk

For vendor risk and compliance teams, the number of third-party trackers on a domain is a proxy for data exposure surface area. Each tracker represents a third-party entity receiving user data from that website. When your employees interact with a heavily tracked vendor portal, their browsing patterns and potentially sensitive business information may be shared with advertising networks, analytics platforms, and data brokers.

Under GDPR, CCPA, and other privacy regulations, organizations can face liability for sharing employee or customer data with third parties through vendor integrations. A vendor with 30+ trackers represents significantly higher compliance risk than one with 5 trackers, regardless of their published privacy policy.

How we measure tracking

This list answers one specific question: how many trackers does a site load before you do anything? It does not measure trackers that fire after consent, login, scroll, or any user interaction. That is deliberate. Different humans interact with the same page in different ways, on different days, with different consent histories. A reproducible measurement has to start from a clean state — same browser, same session shape, every time.

Every site in this list was measured under the same conditions:

  • A real Chromium browser (not just an HTTP fetch)
  • ~30 seconds of page load with no user interaction
  • Network requests classified against EasyPrivacy + EasyList (combined ~94,000 tracker domains)
  • Identical session shape for every site

This makes the results directly comparable across thousands of sites — something interaction-based measurements cannot guarantee. Sites that block automated scanners (some do) are flagged in their report rather than silently absent from the dataset.

How to read the numbers

A high tracker count is not proof of hostile intent. It usually reflects an ad-supported business model and a less restrictive consent flow. A low tracker count is not a free pass either — it can mean strong privacy practices, or it can mean the heavy tracking happens after you log in, accept a banner, or hit a paywall.

What the first-load count gives you: a clean, comparable measurement of what your browser is asked to do before you have made any decisions. That signal is not the whole story, but it is the one signal on this list that is reproducible across every site and every scan.

Common Tracking Technologies Detected

The most frequently detected trackers across our dataset include advertising pixels from major ad networks, social media widgets that enable cross-site profiling, real-time bidding scripts that auction user attention to advertisers, and session replay tools that record mouse movements and keystrokes. Many websites also deploy canvas fingerprinting and WebGL fingerprinting scripts that can identify users without cookies.

Using This Data for Due Diligence

Before onboarding a new vendor, security teams can use this ranking to quickly assess the tracking posture of a vendor's public-facing properties. A domain appearing in the top 100 most tracked should trigger deeper investigation into their data processing agreements, subprocessor lists, and cookie consent mechanisms. This data is updated continuously as our scanner processes new and recurring scans across the monitored domain set.

Frequently Asked Questions

Which websites track users the most?

The websites at the top of this list deploy the highest number of third-party tracking scripts. These typically include major media outlets, e-commerce platforms, and social networks that monetize user data through advertising. Tracker counts can range from 20 to over 100 per page load.

What counts as a third-party tracker?

A third-party tracker is any script loaded from an external domain that monitors user behavior. This includes advertising pixels, analytics beacons, social media widgets, real-time bidding scripts, and fingerprinting code. We identify trackers using community-maintained blocklists and our own detection algorithms.

How many trackers does the average website have?

Among the top 100 most-tracked websites in our dataset, the average is 35.5 trackers loaded on first paint. The median is 32; the top 10% load 47 or more. We measure trackers loaded before user interaction — counts after consent, login, or scroll are typically much higher.

Why aren't familiar sites like Facebook and Google in the top 100?

Big platforms typically sit behind a login wall, consent banner, or paywall. Their tracking stack fires after you authenticate or click "accept" — and our scan never does either. A reproducible measurement has to start from a clean state, which is why aggressive ad-supported regional publishers rank higher than household names. Full pattern in the "Where the sites you recognize fall" section above. This is why the most recognizable brands rarely appear at the very top of this list.

Is a low tracker count proof of privacy?

No. A low first-paint count can mean strong privacy practices, or it can mean the heavy tracking happens after you log in, accept a banner, or interact with the page. Read the rankings as one specific signal — what your browser is asked to do before you've made any decisions — not as a complete privacy verdict.

Can trackers identify me without cookies?

Yes. Browser fingerprinting techniques can identify users without cookies by combining device characteristics like screen resolution, installed fonts, WebGL renderer, and audio context. Our scanner detects canvas fingerprinting, WebGL fingerprinting, and audio fingerprinting techniques.

More Privacy Rankings

Least Private Websites

Domains with the lowest privacy scores

Most Cookies

Domains that set the most cookies

Privacy Index

Top-rated domains for privacy

Check any domain's tracking footprint

Free, instant analysis. No signup required.

Scan a WebsiteAPI Access