I did have a similar example to this a year ago. We were partnering with an affiliate marketing agency, and they asked us to include their tracker on our website. When probed about how the tracker worked, they revealed that it worked by scraping everything that looked like an email address and sending it to their servers in order to attribute user signups, and they required it on every page.
I said that was a gross violation of our users' privacy and that we would only implement our own significantly restricted server-side tracking that didn't reveal any user info. Their response implied they really weren't challenged on their practices often at all.
Was this in US or EU? I wouldn't be surprised if it is EU but theoretically this should be so GDPR non-compliant that Merkel personally throws you out.
EU. Absolutely non-compliant and I don't think they could have cared less.
We had to get special sign-off from their senior leadership to implement the server-side tracking because it meant they could lose out on revenue if we didn't get it right.
Ironically the server-side version bypassed adblockers/tracking protections (all we did was ping back after checkout with the total order value, no user data), so it was likely that they would make more revenue given that ~50% of users have some sort of blocking in their browsers.
CCPA probably makes that illegal, which gives devs with a conscience a nice out: “that is wildly illegal if we do it to anyone in CA, we will have to develop it my way for them anyways, and it’s cheaper to support only one system”