They take your first-party data and monetize it.
Reading first-party cookies, localStorage, or credentials and transmitting to third parties. Includes credential interception. Scripts access document.cookie, localStorage, and sessionStorage to extract first-party identifiers, session tokens, and user data, then transmit it to external endpoints. (Note: C02 was merged into C03)
What It Costs You
CAC Subsidization
Visitor data captured on a site can flow into data broker networks and identity graphs, eventually surfacing in competitor prospecting tools. The original company paid to acquire the traffic; competitors pay pennies to intercept the lead.
Legal Tail Risk
Pre-consent data collection, undisclosed data sharing, and consent signal violations create regulatory exposure. Class actions and regulatory fines can exceed entire annual marketing budgets. Liability sits with the site owner, not the vendor.
GTM Attack Surface
Third-party scripts execute with full privileges on every page load. Dangerous code patterns, external dependencies, and data interception turn marketing infrastructure into attack vectors. One compromised dependency compromises the entire site.
Blackout uses security frameworks to protect AGAINST vendors, not FOR them. We do not notify vendors. We do not provide remediation windows. If you're using a vendor flagged by this code, the advisory is your evidence.