Announcing Data Sentry: your frontend data map for website privacy vulnerabilities

Uncover hidden privacy risks with Data Sentry—a frontend data map and privacy pentest tool that shows what your site collects, shares, and where it goes.
Read time
5 min read
Last updated
April 22, 2025

Most companies have no idea what data is actually being collected on their websites, and transferred to third parties—and that’s exactly the problem.

Data Sentry, our newest product at Ketch, exists for one reason: to give privacy and security teams real-time, actionable visibility into how data is collected, where it’s going, and whether it’s happening with consent.

Data Sentry is a new kind of tool. Not a checkbox. Not a banner. It’s a frontend data map—a continuous scan of live data collection behavior across all of your digital properties, tuned to the exact kinds of violations that lead to CIPA lawsuits, VPPA claims, and regulatory investigations.

Let’s break it down.

The problem: unknown data collection, unseen risk

Most companies don’t fully understand the scope of data collection happening across their websites and digital properties. It’s usually not nefarious—it’s a challenge in visibility. Between third-party tools, dynamic scripts, and complex tag configurations, it’s easy for data to move in ways that no one on your team intended or approved.

This lack of insight creates real risk. Hundreds of privacy demand letters are sent every month, often focused on exactly these blind spots: tracking technologies that activate post-opt-out, session data quietly sent to analytics vendors, or consent signals that break down midstream.

Legacy tools haven’t kept up. Cookie scanners show what’s being stored, but not what’s being transmitted. Code scanners can help, but they miss what actually happens in the browser when a real user interacts with your site.

Data Sentry fills this gap. It’s a frontend data map that continuously monitors live network traffic from your site, capturing what’s being collected, where it’s going, and whether it aligns with your consent policies. It provides the same visibility that regulators and plaintiffs’ attorneys already have—and that most companies urgently need.

CIPA, VPPA, and the new era of privacy litigation

Privacy enforcement is shifting—and fast. What used to be a legal gray area is now a well-lit target, especially for plaintiffs’ attorneys armed with old laws applied to modern tracking.

Two of the most commonly cited statutes in recent privacy litigation are the California Invasion of Privacy Act (CIPA) and the Video Privacy Protection Act (VPPA). These laws weren’t written with pixels and session replay tools in mind, but they’re now being used to challenge digital practices like:

  • Recording user sessions without clear consent (CIPA)
  • Sharing video viewing behavior with third parties like social platforms (VPPA)
  • Continuing to collect or transmit data after a user opts out

Hundreds of demand letters are being issued every month, and plaintiffs’ firms are increasingly aggressive. (Keep reading: Wiretapping laws in the digital era: how to protect your brand.) But it’s not just the plaintiffs getting smarter—regulators are leveling up too.

The New York Attorney General’s office recently published technical guidance for website privacy controls, showing an increased focus on how data flows actually behave in practice—not just what a policy says on paper.

That means in-house privacy leaders need to stay sharp. The bar is rising. Regulatory investigations are getting more sophisticated. And the best defense isn’t reactive—it’s knowing, with certainty, how your site behaves under scrutiny. This is exactly why we built Data Sentry. To provide the kind of technical visibility that helps you catch and correct issues before they escalate into legal or regulatory action. 

Three key capabilities of Ketch Data Sentry

Data Sentry is about more than avoiding risk—it’s about running a program that’s defensible, auditable, and built for how privacy is enforced today. Here are the three main capabilities we’ve built based on real customer pain and real enforcement patterns.

1. Detect sensitive data transfers to third parties

Data Sentry scans the actual network traffic generated by your website. That means every outbound data packet is analyzed to show you:

  • What types of data are being collected—including sensitive data like health info, geolocation, and persistent identifiers
  • Where that data is being sent—authorized partners, misbehaving vendors, or unknown destinations
  • Whether those transfers match what your consent policies say should be happening

This is critical visibility. Most teams assume their privacy policies and CMP settings are being followed—but they rarely confirm it against the real data leaving the site. Data Sentry gives you proof, not assumptions.

2. Validate consumer opt-out compliance

You’ve got a consent banner. You’ve got “Do Not Sell” toggles. But what’s happening after a user opts out?

Data Sentry runs continuous checks to confirm whether data collection really stops when it’s supposed to. You’ll see:

  • Which third-party tags, pixels, or scripts continue to fire post opt-out
  • Whether data is still being sent to ad platforms, analytics vendors, or social networks
  • How your CMP is executing (or failing to execute) consent rules at runtime

This capability directly reflects how regulators and attorneys evaluate your website. They click “opt out” and watch what still loads. If you’re still leaking data, you’re exposed—and now you can catch it before they do.

3. Verify IAB signal and string passing

It’s not enough to just set consent preferences. You have to ensure those signals are passed and respected across your vendor stack.

Data Sentry verifies signal passing across multiple industry frameworks, including:

  • IAB TCF (Transparency and Consent Framework)
  • IAB GPP (Global Privacy Platform)
  • GPC (Global Privacy Control)

You’ll get:

  • A full view of how consent signals are being sent to downstream vendors
  • Alerts on vendors who ignore, strip, or mishandle those signals
  • Evidence of whether you’re enforcing user preferences all the way through the adtech chain

Think of it as consent enforcement QA: automated, continuous, and ruthlessly objective.
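
The opt-out check (capability 2) and the signal-passing check (capability 3) can be tried by hand on a captured browser session. The sketch below is an added example, not Ketch's code: the host names, the capture format and the `audit` helper are constructed for illustration, and it assumes vendors receive consent through the commonly used `gpp`, `gdpr_consent` and `us_privacy` query parameters or the `Sec-GPC` request header.

```python
from urllib.parse import urlsplit, parse_qs

FIRST_PARTY = "shop.example"  # assumed site under test (constructed)
# Query parameters commonly used to hand consent strings to vendors
SIGNAL_PARAMS = {"gpp": "IAB GPP", "gdpr_consent": "IAB TCF",
                 "us_privacy": "IAB US Privacy"}

# Constructed capture: (seconds since page load, URL, request headers)
OPT_OUT_AT = 10.0  # moment the test user clicked "opt out"
CAPTURE = [
    (2.1, "https://shop.example/app.js", {}),
    (3.4, "https://pixel.adnet.example/t?uid=abc123", {}),
    (12.0, "https://cdn.shop.example/cart.json", {"Sec-GPC": "1"}),
    (12.5, "https://pixel.adnet.example/t?uid=abc123&ev=view", {}),
    (13.2, "https://stats.vendor.example/c?sid=77&us_privacy=1YYN",
     {"Sec-GPC": "1"}),
    (14.0, "https://sync.social.example/p?id=9", {"sec-gpc": "1"}),
]

def is_third_party(host, first_party=FIRST_PARTY):
    # Naive suffix match; a production check would use the Public Suffix List
    return not (host == first_party or host.endswith("." + first_party))

def signals_on(url, headers):
    """Return the consent signals visible on one outbound request."""
    query = parse_qs(urlsplit(url).query)
    found = [name for param, name in SIGNAL_PARAMS.items() if query.get(param)]
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    if lowered.get("sec-gpc") == "1":
        found.append("GPC")
    return found

def audit(capture, opt_out_at):
    """List third-party requests sent after opt-out and what signal they carried."""
    findings = []
    for ts, url, headers in capture:
        host = urlsplit(url).hostname or ""
        if ts < opt_out_at or not is_third_party(host):
            continue  # pre-opt-out or first-party traffic is out of scope here
        sigs = signals_on(url, headers)
        status = "signal_sent" if sigs else "no_signal"
        findings.append({"host": host, "signals": sigs, "status": status})
    return findings

if __name__ == "__main__":
    for finding in audit(CAPTURE, OPT_OUT_AT):
        print(finding)
```

A `signal_sent` result only shows the preference reached the vendor; whether the vendor honored it still has to be confirmed from what that vendor goes on to collect.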

How it’s different from everything else

Most tools in this space are niche and limited at best, woefully inadequate at worst. Here’s what’s different about Data Sentry: 

  • Beyond cookie scanning: Cookie scanning was fine five years ago. Today it’s incomplete—US privacy laws require more robust data collection awareness. Cookie scanners simply show you what cookies are being set. They don't show you what data is actually flowing out to third parties.
  • Beyond code scanning: Most website data collection activity occurs within website scripts and third-party SaaS configurations—areas that are not visible in the code. 
  • Simulates real-world enforcement: This is key. Data Sentry shows you exactly what a regulator or plaintiff’s attorney would see when they visit your site. Best of all, it’s real time. No static, point-in-time audits that won’t reflect the latest activity from your team and from consumers.
  • Vendor-agnostic: Works with any CMP. Even the best CMP can be misconfigured. Tag classification is a great example of a task that requires some manual oversight, where things can slip through the cracks. Data Sentry helps you make sure trackers are respecting people’s opt-out choices. 

“But don’t we already have a CMP?”

Great. You should! Data Sentry doesn’t replace your CMP—it validates that it’s doing its job.

Think of it like this: your CMP handles the consumer interaction (and depending on your setup, might even handle the passing of consent signals to systems and apps). But what do you have in place to validate that your CMP is performing correctly? That tags are accurately categorized, and stop firing after a consumer opts out?

Data Sentry is your sidecar for validation. It answers the question: “Is this working as expected?”

Get ahead of website vulnerabilities with Data Sentry

You can’t control what privacy lawyers or regulators do next. But you can control how prepared you are.

Data Sentry is about getting proactive. It’s about knowing what’s happening on your site, in real time, and fixing issues before they escalate. Learn more, schedule a demo, and stop flying blind.

Published
April 22, 2025
