Pixel and Policy
HARstack
Audit your stack. Start with the HAR.
HARstack v2.0 | License MIT | Signatures 200+ | Regulations ECPA, CIPA, US State Privacy, GLBA | Data Collected None Capture Guide MIT Open Source
The Problem

Your privacy policy is the plaintiff's exhibit. This tool checks it before they do.

In August 2025, a federal judge in the Northern District of California let a federal wiretapping claim survive against a shoe retailer. The evidence was the company's own privacy policy. It said the site did not collect personally identifiable information. Third-party tracking pixels said otherwise.

That ruling established a replicable formula. Plaintiffs' attorneys are using it in demand letters and class actions across every industry. The evidence they rely on comes from a HAR file. You can run one yourself.

The HARstack reads your HAR file, identifies what is firing on your site, and tells you exactly where the gaps between your data flows and your disclosures are. No account. No data transmission. Runs entirely in your browser.

235%
Increase in ECPA tracking-tech lawsuit filings in 2025, with another 60% year-over-year increase projected for 2026
Source: Troutman Pepper Locke, April 2026
Run in Browser Download HTML File View Source on GitHub
Run directly in your browser, or download the single HTML file and open it locally. No install. No account.
"The plaintiffs do not need to prove harm. They need to find a gap between your privacy policy and your actual data flows."
Phil Barnhart, CIPP/US — Pixel and Policy
200+ tracker signatures with specific regulatory framing

Every finding includes a plain-language description of what the technology does, which regulations apply, and what a policy disclosure gap looks like in practice. Not general privacy law. Specific citations to the cases and enforcement actions being used in active litigation.

Session Replay
Microsoft Clarity
Microsoft operates as an independent data controller, not a service provider. Its published terms reserve the right to create user profiles for advertising. That distinction changes who bears the ECPA exposure.
ECPA CIPA US State Privacy
Advertising
Enhanced Conversions (Google)
Hashed PII (SHA-256 email, phone) transmitted to Google. The FTC BetterHelp consent order established that hashing does not satisfy deletion obligations when the recipient can re-identify the value.
ECPA US State Privacy
Consent Management
GPC Signal Verification
The tool checks whether Sec-GPC: 1 appears in actual request headers, not just in self-reported settings. A CMP that reports GPC compliance without the header is a documented CPPA enforcement concern.
US State Privacy CPPA
CDP / Server-Side
RudderStack CNAME Detection
CNAME deployments are first-party from the browser's perspective. They share cookies with the parent domain and bypass third-party cookie restrictions. That changes the consent enforcement model.
US State Privacy
PII Scanning
POST Body Analysis
Scans outbound POST bodies for raw and hashed PII. Distinguishes first-party from third-party endpoints. Flags SHA-256 email transmitted to ad platforms with the BetterHelp citation.
US State Privacy ECPA
Financial Services
GLBA-Regulated Pages
Detects tracking on pages handling non-public personal information. Pages with session replay surfaced a Safeguards Rule exposure.
GLBA 16 CFR § 313
Three buckets. Help discover where to start.
High Severity
Escalate
Session replay on authenticated or financial pages. Advertising pixels with GPC non-compliance. GLBA or HIPAA-regulated contexts. Route to legal immediately.
Medium Severity
Needs Review
Standard advertising and analytics configurations with policy disclosure gaps. CDP routing without consent propagation verification. Route to privacy and martech teams.
Low Severity
Likely OK
Infrastructure, tag management, and analytics with appropriate consent gating and accurate policy disclosure. Document and maintain.
Legal Citations Built Into Every Finding
18 U.S.C. § 2511(2)(d)
ECPA Crime-Tort Exception
The one-party consent defense fails if interception serves a criminal or tortious purpose. The August 2025 ECPA Privacy Policy Order made privacy policy misrepresentation a sufficient predicate.
FTC File No. 2023-169, Docket C-4796
BetterHelp Consent Order
Hashing does not satisfy data deletion obligations when the recipient already possesses the underlying value. Applies directly to Enhanced Conversions and Customer Match implementations.
Cal. Pen. Code § 631(a)
CIPA Wiretapping
California courts have applied the phone wiretapping statute to real-time browser data interception. Session replay carries CIPA exposure in California regardless of downstream data use.
16 CFR § 313.3(o)
GLBA Non-Public Personal Information
NPI includes payee names, transaction amounts, and account data. Session replay on banking or financial services pages captures this by default and may not satisfy the Safeguards Rule.
A HAR file is your tracking stack in motion

Open your browser's developer tools, record a page load, export the HAR. Drop it in the tool. The analysis runs in your browser. Nothing leaves your machine.

01
Record
Open DevTools, go to Network tab, load your page, export HAR. Chrome, Firefox, or Edge all work.
02
Upload
Drop the HAR file into the tool. Answer two context questions: did you accept cookies, and do you use GPC.
03
Review
Read findings with severity, confidence level, owner routing, and specific legal citations.
04
Export
Download sanitized HAR and structured JSON. Share with outside counsel or security teams without raw PII.
PB
Built By
Phil Barnhart
I'm both a web marketer and web developer, and been building and auditing martech stacks for decades. Working both sides of the fence, I've had to keep up with both the compliance and technology challenges today's marketing efforts require. A lot of the privacy compliance issues I've run into over the years were the result of a stack that nobody had examined end to end, with a privacy policy written at a different point in time, with no systematic process for checking whether the two still matched. Long ago, I discovered using HAR files to troubleshoot problems in development environments and in web code standard audit tools couldn't reach easily. I built this tool to make it easier and safer for others to use HAR analysis for compliance troubleshooting. It is free and open source because the problem it solves is not a competitive advantage. It is a baseline.
HARstack surfaces the issues. Remediating them is a different conversation. If you need help interpreting findings, closing policy disclosure gaps, or building a remediation plan, reach out.
Pixel and Policy LinkedIn
Run in Browser Download HTML Pixel and Policy
Infrastructure Transparency

This page is served through Cloudflare. Cloudflare receives connection metadata for each request -- including IP addresses, timestamps, and request paths -- as part of normal CDN operation. You can review Cloudflare's privacy policy at cloudflare.com/privacypolicy.

The tool itself downloads directly from GitHub. GitHub (Microsoft) receives the download request. You can review GitHub's privacy statement at docs.github.com. Once downloaded, the tool runs entirely in your browser. No data leaves your machine during analysis.

This page loads no advertising pixels, no analytics platform, and no session replay tools. The only third-party request is Google Fonts for typography. You can verify this yourself: download the tool, record a HAR on this page, and drop it in. The findings should come back Likely OK.