HotelSEO Lab
Trust, Compliance & Accessibility

The Hidden Privacy Liability in Your Hotel's Marketing Pixels and Chat Widgets

Session-replay and Meta pixel wiretapping suits are hitting hospitality. Here is how to audit your hotel's tag manager and find the scripts quietly creating legal exposure.

HotelSEO Lab · August 20, 2026 · 10 min

I am going to tell you about the scariest line item I have ever found on a hotel website, and it was not on the balance sheet. It was buried in the property’s Google Tag Manager container: a session-replay script that had been quietly recording every keystroke guests typed into the booking form, including the field where they entered their name and the page where they typed a special request. Nobody at the hotel knew it was there. A previous marketing vendor had dropped it in eighteen months earlier and moved on.

That little script is exactly the kind of thing now generating lawsuits across hospitality. So let me walk you through what is actually happening, which scripts on your site create the exposure, and how to audit your own tag manager this afternoon without a lawyer on retainer.

I am not a lawyer, and nothing here is legal advice. I am an SEO guy who spends his days inside hotel tag managers, and I have watched this category of risk go from “theoretical” to “my client got a demand letter.” That is enough reason to write this.

For two decades, the unspoken deal of the web was simple: you put tracking scripts on your site, they fed data back to ad platforms and analytics tools, and nobody read the privacy policy. That deal is unraveling, and hotels are an unusually juicy target.

Here is the mechanism. A wave of lawsuits has revived decades-old state wiretapping and eavesdropping statutes, the kind written long before anyone had a website, and applied them to modern web tracking. The argument goes like this: when a third-party script (say, a chat widget or a replay tool or an ad pixel) captures what a visitor types or does on your site and ships it off to that third party in real time, that can be framed as intercepting a communication between the visitor and your business without consent. Some of these old statutes carry fixed statutory damages per violation, which is what makes them attractive to plaintiff firms. Multiply a per-visitor penalty across months of traffic and you understand why the demand letters are showing up.

Hotels make a particularly tempting target for three reasons:

The lawsuits are not really about whether tracking is evil. They are about consent and disclosure. A pixel a visitor agreed to is a very different legal animal than one firing silently on a booking form. Almost every fix in this post is some version of “get consent first, then fire the script.”

The scripts that actually create exposure

Not every tag is a problem. Let me sort the usual suspects by how much they tend to worry me, from “audit this first” to “probably fine but disclose it.”

Tier 1: session replay and form analytics

These are the ones that keep me up at night. Session-replay tools (Hotjar in replay mode, FullStory, Microsoft Clarity, Mouseflow, Lucky Orange, and similar) record a reconstruction of the visitor’s session: mouse movement, scrolling, clicks and, depending on configuration, the text typed into fields. On a brochure page that is mostly harmless. On a booking flow it is a recording of someone entering personal and trip details. If that recording leaves your control without consent, you have the highest-risk pattern in this whole post.

If you run one of these, two things are non-negotiable: mask all input fields so keystrokes are not captured, and gate the whole tool behind consent.

Tier 2: advertising pixels on transactional pages

The Meta (Facebook) pixel is the headliner of the wiretapping suits, but the same logic reaches the TikTok pixel, the LinkedIn insight tag, Pinterest, and others. The risk is not the pixel existing. It is the pixel sitting on a confirmation or booking page where it can observe parameters tied to a specific transaction and tie them to a profiled individual on the ad platform. Conversion tracking is legitimate marketing. The exposure is doing it without consent and without controlling what the pixel can read.

Tier 3: chat widgets and AI assistants

Third-party chat and AI-concierge widgets process what guests type to your “front desk.” That is, by definition, a communication, and a third party is handling it. Most reputable chat vendors have addressed this with their own terms, but you inherit the configuration. If your widget logs and transmits conversations to a vendor’s servers, that needs to be disclosed, and ideally the vendor needs a data processing agreement with you.

Tier 4: everything else borrowed

Review-display widgets, map embeds, font loaders, A/B testing tools, heatmaps, loyalty integrations. Individually low-risk, collectively the reason your tag manager is a junk drawer. The danger here is less any single tag and more that you have lost track of what is loading and who controls it.

| Script type | Typical risk | First move |
| --- | --- | --- |
| Session replay / form analytics | High | Mask all inputs, gate behind consent |
| Ad pixels (Meta, TikTok, etc.) | High on booking pages | Consent-gate, limit page coverage |
| Chat / AI concierge widgets | Medium | Disclose, get a DPA from the vendor |
| Review / map / font embeds | Low | Inventory them, drop the unused ones |
| Booking engine native tags | Varies | Confirm the vendor’s own compliance posture |

How to audit your tag manager this afternoon

You do not need a developer for the first pass. You need an hour and a willingness to look. Here is the exact walkthrough I run on a new client.

1. Open the container and list everything. Log into Google Tag Manager (or whatever tag manager your site uses). Open your container and look at the Tags list. Write down every single tag, even the ones you recognize. The goal is a complete inventory, because you cannot manage what you have not named.

2. For each tag, answer three questions. What does this tag do? What data can it see from the page it fires on? Did the visitor agree to it before it fired? That third question is the whole ballgame. If the answer is “it fires on page load before anyone clicks anything,” that tag is a candidate for consent gating.

3. Check the triggers, not just the tags. A tag that “only fires on conversions” but is triggered by All Pages is a misconfiguration I find constantly. Look at the firing trigger for every Tier 1 and Tier 2 script and confirm it matches what you think it does.

4. Watch what actually loads. Open your site in a browser, open the developer tools network tab, and watch the requests fire as you move through the booking flow. You will often catch a script that is not even in your tag manager because a vendor hardcoded it into the site template years ago. Those orphans are the ones nobody can account for.

5. Hunt for the ghosts. Ask your booking engine and your web host what they inject. Ask any current and former marketing vendor what they added. The session-replay script I opened with was a ghost: not in the documented stack, just quietly running.
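Step 4 is the one that benefits from a little tooling, so here is an added example of the network-tab pass as code. It is mine, not code from this post or from Google Tag Manager: it takes the browser's resource-timing entries, keeps only third-party hosts, and marks the ones no inventoried tag explains as ghosts. The sample entries, the vendor hostnames (`replay-vendor.test`, `chat-vendor.test`), the inventory and the `GTM-XXXXXXX` container id are constructed placeholders.

```javascript
// Added example for the audit walkthrough above; not code from the HotelSEO Lab
// post. Pure functions, so the same logic runs in a browser console or in Node.
// The sample entries and inventory below are constructed placeholders.

// Hostname of a resource URL, or null if the entry is not a parseable URL.
function hostOf(url) {
  try { return new URL(url).hostname; } catch (e) { return null; }
}

// siteDomain is the registrable domain (example-hotel.test), so subdomains
// such as cdn.example-hotel.test count as first party.
function isFirstParty(host, siteDomain) {
  return host === siteDomain || host.endsWith('.' + siteDomain);
}

// entries: objects with a .name URL, the shape of PerformanceResourceTiming.
// inventory: [{ name, hosts: [...] }] transcribed from the tag manager (step 1).
// Returns one record per third-party host with a request count and whether
// the tag inventory accounts for it.
function auditThirdPartyHosts(entries, siteDomain, inventory) {
  const byHost = new Map();
  for (const entry of entries) {
    const host = hostOf(entry.name);
    if (!host || isFirstParty(host, siteDomain)) continue;
    const rec = byHost.get(host) || { host, requests: 0, documented: false, tag: null };
    rec.requests += 1;
    byHost.set(host, rec);
  }
  for (const rec of byHost.values()) {
    const match = inventory.find(t =>
      t.hosts.some(h => rec.host === h || rec.host.endsWith('.' + h)));
    if (match) { rec.documented = true; rec.tag = match.name; }
  }
  // Busiest hosts first; a host phoning home repeatedly deserves a look.
  return [...byHost.values()].sort((a, b) =>
    b.requests - a.requests || a.host.localeCompare(b.host));
}

// The "ghosts": hosts that loaded but that no inventoried tag explains.
function ghostHosts(report) {
  return report.filter(r => !r.documented).map(r => r.host);
}

// Constructed sample of what performance.getEntriesByType('resource') might
// return on a booking step. GTM-XXXXXXX is a placeholder container id.
const SAMPLE_ENTRIES = [
  { name: 'https://www.example-hotel.test/assets/booking.js' },
  { name: 'https://cdn.example-hotel.test/css/booking.css' },
  { name: 'https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXXX' },
  { name: 'https://connect.facebook.net/en_US/fbevents.js' },
  { name: 'https://replay-vendor.test/record.js' },
  { name: 'https://replay-vendor.test/ws?session=abc123' },
  { name: 'https://chat-vendor.test/widget.js' },
];

// Constructed inventory: what step 1 found in the container. The replay
// script is deliberately absent, the way the one in the intro was.
const SAMPLE_INVENTORY = [
  { name: 'Google Tag Manager', hosts: ['googletagmanager.com'] },
  { name: 'Meta pixel', hosts: ['connect.facebook.net', 'facebook.com'] },
  { name: 'Chat widget', hosts: ['chat-vendor.test'] },
];

function runSampleAudit() {
  return auditThirdPartyHosts(SAMPLE_ENTRIES, 'example-hotel.test', SAMPLE_INVENTORY);
}

// In a browser console on the live booking page, after clicking through the
// flow so lazily injected tags have fired:
//   auditThirdPartyHosts(performance.getEntriesByType('resource'),
//                        'example-hotel.test', inventory)
if (typeof window === 'undefined') {
  console.table(runSampleAudit());
}
```

On the constructed sample the report lists four third-party hosts and flags `replay-vendor.test` as the only ghost. The resource-timing buffer only holds what loaded on the current page, so run it on each step of the booking flow, and remember that it shows hosts, not tags: two different tags served from one vendor domain will collapse into one line.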

Once you have the inventory, the remediation is mostly about sequencing. You want a consent management setup that genuinely blocks Tier 1 and Tier 2 scripts until a visitor opts in, not a banner that just says “we use cookies” while everything fires anyway in the background. A banner that does not actually block scripts is theater, and theater is what gets cited in the demand letters.
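What "genuinely blocks" looks like in code, for both the Tier 1 requirement above (mask inputs, gate the tool) and the consent banner described in this paragraph: an added example of mine, not code from this post, from Google or from any replay vendor. Risky scripts are registered under a consent category and the browser never requests them until the banner grants that category; the replay tool's input masking runs first; and the Google Consent Mode calls deny storage by default and update after opt-in. The vendor URLs and the `onConsentAccepted` hook are assumptions; `data-hj-suppress` is Hotjar's documented attribute, other vendors use their own.

```javascript
// Added example, not code from the HotelSEO Lab post or from any vendor.
// A small consent gate: each Tier 1/2 script is registered under a consent
// category and is not fetched at all until the banner calls gate.grant(...).
// Until then the browser never requests it, so it cannot observe the page.

// Default loader: inject an async <script>. Passed in so a test (or a
// server-rendered page) can substitute a recorder.
function browserLoadScript(src) {
  const el = document.createElement('script');
  el.src = src;
  el.async = true;
  document.head.appendChild(el);
}

function createConsentGate(loadScript = browserLoadScript) {
  const granted = new Set();
  const pending = [];   // tags still waiting for their category
  const loaded = [];    // script URLs injected, in order

  function inject(tag) {
    if (typeof tag.beforeLoad === 'function') tag.beforeLoad(); // e.g. mask inputs
    loadScript(tag.src);
    loaded.push(tag.src);
  }

  return {
    // Register a third-party script under a category ('replay', 'ads', 'chat').
    // Loads immediately only if the visitor already granted that category.
    register(category, src, beforeLoad) {
      const tag = { category, src, beforeLoad };
      if (granted.has(category)) inject(tag); else pending.push(tag);
    },
    // The banner calls this with the categories the visitor accepted.
    grant(categories) {
      categories.forEach(c => granted.add(c));
      const stillWaiting = [];
      for (const tag of pending) {
        if (granted.has(tag.category)) inject(tag); else stillWaiting.push(tag);
      }
      pending.length = 0;
      pending.push(...stillWaiting);
    },
    status() {
      return { granted: [...granted], pending: pending.map(t => t.src), loaded: [...loaded] };
    },
  };
}

// Mark every form field so the replay tool must not record its contents.
// Hotjar documents data-hj-suppress for this; other vendors use their own
// attribute or class, so take the name from that vendor's docs. Returns the
// number of fields marked. Must run before the replay script loads.
function maskFormInputs(root, attr = 'data-hj-suppress') {
  const fields = root.querySelectorAll('input, textarea, select');
  fields.forEach(el => el.setAttribute(attr, ''));
  return fields.length;
}

// Google Consent Mode counterpart for Google-served tags: deny storage by
// default before any tag fires, then update after opt-in so conversions are
// modeled rather than silently collected. gtag/dataLayer follow Google's
// documented bootstrap snippet. Both return the dataLayer length so the
// last pushed command can be inspected.
const dataLayer = typeof window !== 'undefined'
  ? (window.dataLayer = window.dataLayer || [])
  : [];
function gtag() { dataLayer.push(arguments); }

function setConsentDefaults() {
  gtag('consent', 'default', {
    ad_storage: 'denied', ad_user_data: 'denied',
    ad_personalization: 'denied', analytics_storage: 'denied',
  });
  return dataLayer.length;
}

function updateConsent(adsGranted, analyticsGranted) {
  const v = g => (g ? 'granted' : 'denied');
  gtag('consent', 'update', {
    ad_storage: v(adsGranted), ad_user_data: v(adsGranted),
    ad_personalization: v(adsGranted), analytics_storage: v(analyticsGranted),
  });
  return dataLayer.length;
}

// Wiring on a booking page (browser only): defaults first, register the risky
// tags, and let the banner's accept handler release them. The vendor URLs and
// the onConsentAccepted hook are placeholders for your own banner's callback.
if (typeof window !== 'undefined') {
  setConsentDefaults();
  const gate = createConsentGate();
  gate.register('replay', 'https://replay-vendor.test/record.js',
    () => maskFormInputs(document));
  gate.register('ads', 'https://ads-vendor.test/pixel.js');
  window.onConsentAccepted = categories => {
    gate.grant(categories);
    updateConsent(categories.includes('ads'), categories.includes('analytics'));
  };
}
```

The test of whether a banner is theater is the network tab from the audit: before the visitor clicks accept, no request to the replay or pixel host should exist at all. A banner that merely hides a cookie notice while those requests already fired does not pass that check, and this pattern is what makes it pass.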

Will any of this hurt my SEO or my conversions?

This is the question every hotelier actually asks me, so let me answer it straight.

Consent gating done badly can absolutely cost you conversion data and make your analytics messier. Consent gating done well costs you very little and protects the whole business. The trick is configuration: server-side tagging, consent-mode setups that still model conversions, and masking inputs rather than killing tools outright. You keep most of your measurement and shed most of your risk.

On the SEO side, none of this touches your organic rankings directly. Google does not rank you lower for having a consent banner, and a clean, well-disclosed tracking setup is part of the trust signals that increasingly matter for how your brand shows up everywhere, including in AI answers. When I work with properties on their broader content, reputation and brand authority, a defensible privacy posture is part of looking like a legitimate, trustworthy business rather than a sketchy one. That reputation work and the technical hygiene reinforce each other.

The hotels that get burned here are not the ones running tracking. They are the ones who do not know what they are running. The audit is the entire defense.

There is also a direct-booking angle that hoteliers miss. A bloated, sketchy script stack slows your site down and erodes the trust of the exact guest you are trying to convert into a direct booking. Cleaning house is not only a compliance move, it is a book-direct conversion move. Every millisecond and every ounce of trust you claw back on your own booking flow is a guest you did not have to hand to an OTA at a 15 to 25 percent commission. If you have not run the numbers on what those commissions actually cost you, I broke it down in detail in the book-direct math, and it is a bigger number than most owners expect.

A realistic remediation sequence

If I were standing in your office, here is the order I would tackle this:

  1. Inventory first. Complete tag list plus the network-tab ghosts. No fixes yet, just truth.
  2. Triage Tier 1. Any session-replay or form-analytics tool gets inputs masked and consent gating today, or gets removed until you can configure it properly. This is the highest-exposure category, so it goes first.
  3. Gate the ad pixels. Especially on booking and confirmation pages. Move to consent mode so you keep modeled conversion data.
  4. Disclose the chat and concierge tools and get data processing agreements from those vendors.
  5. Update the privacy policy to match reality. A privacy policy that describes tracking you do not do, or omits tracking you do, is worse than no policy. It should mirror the actual inventory.
  6. Stand up a real consent banner that blocks before consent, not after.
  7. Re-audit quarterly, because vendors add things and the junk drawer refills itself.

I want to be honest about scope. This is genuinely a place where you should loop in a privacy attorney for the legal specifics, especially the statute exposure in your state and your privacy policy language. My job, and the part I can own end to end, is the technical audit: knowing exactly what is on your site, what each script sees, and configuring the stack so the risky scripts respect consent. That technical clarity is also what makes the lawyer conversation cheap, because you walk in with a complete map instead of paying someone to discover it.

If you want a sense of how much of your current visibility and booking funnel runs through borrowed scripts and OTA tooling in the first place, my piece on how OTAs quietly dominate your search presence covers the adjacent dependency problem, and the 2026 hotel SEO starter guide covers the foundations that make your own site strong enough to reduce that dependence over time.

The bottom line

The pixel panic in hospitality is not hype, but it is also not a reason to gut your marketing stack in a fit of fear. It is a reason to finally open the tag manager you have been ignoring and find out what is actually running on your site. Nine times out of ten the fix is not “remove the tool,” it is “make the tool ask permission first.” The exposure lives in the silence, the scripts firing before anyone agreed to them, the ghost tags a vendor left behind, the session replay nobody remembers installing.

Do the inventory. Mask the inputs. Gate the high-risk scripts behind real consent. Match your privacy policy to your actual behavior. That sequence handles the overwhelming majority of the risk, protects your guests, and as a bonus leaves you with a faster, more trustworthy booking flow that wins back more direct reservations.

If you want a second set of eyes on your stack, this is exactly the kind of audit I run as part of getting a property’s technical foundation clean and defensible. Take a look at my hotel SEO services for how the technical audit fits into the bigger picture, or book a call and I will walk your tag manager with you and tell you which scripts to worry about first.

FAQ

Quick answers

Is the Meta pixel illegal for hotels to use?

No. The pixel itself is legal. The exposure comes from running it without consent on pages where sensitive data is shared, like a booking flow that captures dates, room type, and personal details. The fix is consent gating and limiting what the pixel can see, not ripping it out.

What is a session replay tool and why is it risky?

Session replay records a visitor's mouse movements, scrolls, clicks, and often keystrokes so you can watch a playback of their visit. The legal risk is that this can be argued to intercept communications without consent, which is the basis of many wiretapping-style suits. If you run one, it needs disclosure and consent.

Does my hotel really need a consent banner if I am not in Europe?

Several US states now have privacy laws that touch tracking, and the wiretapping suits driving this trend are being filed in US courts under old state laws. A properly configured consent banner that actually blocks scripts before consent is cheap insurance regardless of where your property sits.

Can I audit my tag manager myself?

Yes, and you should. Open Google Tag Manager, list every tag, and ask what data each one sees and whether a visitor agreed to it. Most hoteliers find at least one script they forgot a vendor installed. The walkthrough in this post gets you most of the way there.
