Key Findings
- The average law firm homepage loads 10.9 scripts -- 8.7 first-party and 2.2 third-party. Most of the JavaScript weight comes from the firm's own code, not external vendors.
- Google Tag Manager dominates third-party usage at 32.7% adoption, followed by google.com (18.8%) and CallRail (15.8%). These three domains account for the majority of third-party script loads across all sites.
- 89.1% of sites load 5 or fewer third-party scripts. The long tail is thin: only 2% of sites load more than 10 external scripts.
- 123 unique third-party domains were found across 303 sites, but the top 5 domains account for over 80% of all third-party script loads. Most firms rely on the same small set of marketing tools.
- Analytics scripts represent 23.8% of third-party loads, but the "other" category dominates at 69.7% -- a mix of CDN-hosted libraries, widget scripts, and marketing platform code that defies clean categorization.
About This Research
Every third-party script on a law firm's website is a trade-off. It adds functionality (analytics, call tracking, chat widgets) but also adds cost: extra network requests, increased page weight, potential render-blocking, privacy exposure, and an additional attack surface. When a firm loads a script from googletagmanager.com or cdn.callrail.com, it is trusting that domain with its visitors' experience and data.
Despite this, most law firms have no inventory of what third-party code runs on their site. Marketing agencies add tracking pixels. CMS platforms inject their own scripts. CDN-hosted jQuery copies accumulate over redesigns. The result is a stack that nobody fully understands and that directly impacts the metrics Google uses to rank the site.
We wanted to measure the baseline. In March 2026, we scanned 303 law firm homepages from our shared site collection (drawn from Google Maps results across 25 high-growth U.S. markets) and cataloged every script tag, distinguishing first-party from third-party, categorizing each external domain, and mapping the distribution of marketing technology across the legal industry.
Methodology
We fetched the raw HTML of 303 law firm homepages using HTTP requests with a standard browser user-agent string. For each page, we extracted every <script> tag and classified it as either first-party (same domain as the site) or third-party (different domain).
Third-party scripts were further categorized by domain into functional groups: analytics (Google Analytics, Scorpion analytics, Ahrefs), chat (live chat widgets), CMS/platform (WordPress-hosted CDNs, Hibu, GoDaddy), ads (Google Ads, Simpli.fi), social (Facebook, Twitter embeds), legal/consent (cookie consent tools), and other (CDN libraries, call tracking, uncategorized).
We counted unique third-party domains per site rather than raw script tags, since a single domain like googletagmanager.com may appear in multiple script references but represents a single vendor dependency. All data was collected on March 2, 2026.
Important caveats: We analyzed only the initial HTML response, not dynamically injected scripts. Sites using tag managers (like GTM) will have additional scripts loaded at runtime that our method does not capture. The actual third-party footprint for many sites is likely larger than what we report here.
The Numbers at a Glance
Script Count Distribution
The vast majority of law firm sites keep their third-party script count low. Nearly nine in ten sites load five or fewer external scripts. The distribution drops off sharply after that, with only a handful of sites carrying double-digit third-party dependencies.
| Third-Party Scripts | Sites | % of Total |
|---|---|---|
| 0-5 | 270 | 89.1% |
| 6-10 | 27 | 8.9% |
| 11-15 | 4 | 1.3% |
| 16-20 | 1 | 0.3% |
| 20+ | 1 | 0.3% |
The 0-5 bucket is broad, but even within it, the median is low. The average site loads just 2.2 third-party scripts and connects to 1.6 unique external domains. Law firm sites are not, on average, bloated with third-party code in the initial HTML. The real question is what those scripts load after the page renders -- a measurement that requires runtime analysis beyond the scope of this study.
Third-Party Script Categories
We classified each third-party script into functional categories based on its domain. The "other" category is deliberately broad: it captures CDN-hosted libraries (jQuery from cdnjs.cloudflare.com, fonts from googleapis.com), marketing platform scripts, and vendor-specific code that does not fit neatly into a single purpose.
| Category | Script Loads | % of All 3P Scripts |
|---|---|---|
| Other | 468 | 69.7% |
| Analytics | 160 | 23.8% |
| CMS / Platform | 36 | 5.4% |
| Ads | 4 | 0.6% |
| Social | 2 | 0.3% |
| Chat | 1 | 0.1% |
| Legal / Consent | 0 | 0.0% |
Two findings stand out. First, analytics is the single largest identifiable category at 23.8%. Law firms are tracking their visitors, even if they are not doing much else with third-party scripts. Second, the near-total absence of legal consent and cookie banner scripts (0%) suggests that most law firm sites in our sample are not implementing CCPA or GDPR consent mechanisms in their initial page HTML -- a potential compliance gap worth investigating further.
Most Common Third-Party Domains
The top 15 third-party domains paint a clear picture of the standard law firm marketing stack. Google properties dominate, call tracking is widespread, and a handful of legal marketing platforms (Scorpion, Hibu, FindLaw) appear repeatedly.
| Rank | Domain | Sites Using | % of Sites |
|---|---|---|---|
| 1 | googletagmanager.com | 99 | 32.7% |
| 2 | google.com | 57 | 18.8% |
| 3 | cdn.callrail.com | 48 | 15.8% |
| 4 | cdn.trustindex.io | 22 | 7.3% |
| 5 | analytics.scorpion.co | 17 | 5.6% |
| 6 | cdnjs.cloudflare.com | 13 | 4.3% |
| 7 | ajax.googleapis.com | 8 | 2.6% |
| 8 | cdn.jsdelivr.net | 7 | 2.3% |
| 9 | cdn.calltrk.com | 7 | 2.3% |
| 10 | img1.wsimg.com | 6 | 2.0% |
| 11 | code.jquery.com | 6 | 2.0% |
| 12 | static-res-cdn.websites.hibu.com | 5 | 1.7% |
| 13 | dh-static-files.s3.amazonaws.com | 5 | 1.7% |
| 14 | static.cdn-website.com | 5 | 1.7% |
| 15 | analytics.ahrefs.com | 5 | 1.7% |
Note the presence of CDN-hosted libraries in the middle of the list. Sites loading jQuery from code.jquery.com (2.0%), cdnjs.cloudflare.com (4.3%), or ajax.googleapis.com (2.6%) are pulling common JavaScript libraries from shared CDNs rather than self-hosting. While this was once considered a best practice (shared caching across sites), modern browsers partition their cache by site, meaning CDN-hosted scripts offer no caching benefit and add a DNS lookup and TLS handshake to every page load.
The Marketing Stack Pattern
Three vendors form the backbone of law firm third-party infrastructure: Google Tag Manager, Google Analytics (via google.com), and CallRail. Together, they appear on over 67% of all sites that load any third-party script. This is the de facto law firm marketing stack.
Google Tag Manager (32.7%)
GTM is the most common third-party domain by a wide margin. One in three law firm sites loads the GTM container script in their initial HTML. GTM itself is lightweight, but it serves as a gateway: once loaded, it can inject any number of additional scripts (remarketing pixels, heatmaps, A/B testing tools) without requiring changes to the site's source code. The true performance cost of GTM depends entirely on how many tags the firm's marketing team has configured inside it.
CallRail (15.8%) and CallTrackingMetrics (2.3%)
Call tracking appears on nearly one in five sites when combining CallRail (cdn.callrail.com at 15.8%) and CallTrackingMetrics (cdn.calltrk.com at 2.3%). This reflects a fundamental truth about legal marketing: phone calls are the primary conversion event. Unlike e-commerce sites where the transaction happens online, most legal clients make first contact by phone. Call tracking scripts dynamically swap phone numbers on the page to attribute calls to specific marketing channels -- a function that requires JavaScript running on the client.
Scorpion (5.6%)
Scorpion is a legal marketing agency that builds and manages websites for law firms. Sites loading analytics.scorpion.co (5.6%) are typically Scorpion-managed properties. The Scorpion analytics script provides the agency with client performance data, representing a vendor lock-in pattern where the marketing agency controls both the site and the analytics pipeline. This is not inherently problematic, but it means the firm's performance data lives in a third-party system rather than in a platform the firm controls directly.
TrustIndex (7.3%)
TrustIndex (cdn.trustindex.io) is a review aggregation widget that displays Google Reviews, Yelp ratings, and other social proof directly on the site. At 7.3% adoption, it is the fourth most common third-party domain. Review widgets serve a clear conversion purpose for law firms, but they come with a trade-off: the widget script must load and render before the reviews appear, adding latency to the visible page. Self-hosting review content (pulling reviews via API and rendering them as static HTML) would achieve the same social proof without the runtime dependency.
Limitations
This study has several important caveats:
- Static HTML only: We analyzed script tags present in the initial HTML response. Scripts injected dynamically by JavaScript (including everything loaded via Google Tag Manager) are not captured. The actual third-party footprint for most sites is larger than reported.
- No performance measurement: We counted scripts and domains but did not measure their impact on page load time, Total Blocking Time, or Largest Contentful Paint. A single large render-blocking script can be worse than five small async scripts.
- Categorization is approximate: Domains like cdnjs.cloudflare.com host thousands of different libraries. We categorized by the domain's primary purpose, but the actual script loaded may serve a different function.
- Sample composition: Our 303 sites come from Google Maps top results in 25 mid-size markets. These are visible, established firms, not a random sample of all law firm websites.
- Point-in-time: All data was collected on March 2, 2026. Marketing stacks change as agencies add and remove tracking tools.