FOR GRC // GENERAL COUNSEL // DPO

Your DPA is a claim. Runtime is the evidence.

Privacy policies declare. DPAs declare. Subprocessor lists declare. Runtime executes. We capture the delta and cite the regulations that address it. Your counsel makes the call.

DPA Delta
CHEQ · 6sense · RB2B

▸ Vendor declared

“We use 3 subprocessors.”

▸ Runtime observed

13 third-party connections

adnxs.com · demdex.com · doubleclick.net · +7 undisclosed

▸ Delta

10

undisclosed data sharing relationships

GDPR Art. 28 · 13 / 14
HAR archived
How we observe this
01 // OBSERVATION POSTURE

We observe and cite. We never assert.

Blackout is not a legal tool and does not provide legal advice. We document what vendors do, identify the regulations that address that behavior pattern, and hand the artifact to your counsel.

Your General Counsel reads the evidence. Your General Counsel determines what it means. We're the camera, not the judge.

▸ The posture, in two columns

✓ What we say

  • “observed”
  • “detected”
  • “fires”
  • “transmits”
  • “addressed under”
  • “maps to”
  • “touches”
  • named clause citations

✕ What we don't

  • “violation”
  • “non-compliance”
  • “breach”
  • “applicable” (legal)
  • “counsel review recommended”
  • “liability”
  • “penalty” / “fine”
  • predictions of any kind

Blackout provides evidence. Counsel provides assessment.

02 // DPA vs RUNTIME

The delta is documentable.

Every DPA claim is a string we test against runtime evidence. Each delta becomes a row, with timestamped HAR proof and a SHA-256 chain of custody.
DPA claim | Runtime evidence | Status
--- | --- | ---
We process data only in the EU | Beacon destinations include US-hosted endpoints | DISCREPANCY
We use 3 subprocessors | 13 third-party connections observed | DISCREPANCY
Data is deleted within 90 days | Not observable from network traffic | UNVERIFIABLE
We do not sell personal data | Data transmitted to known data broker endpoints (LiveRamp, AppNexus) | DISCREPANCY
All processing requires customer consent | Pre-consent firing observed across 3-pass scan | DISCREPANCY

Each row carries HAR evidence + SHA-256 hash + scan timestamp
Counsel-ready export →
03 // CONSENT INTEGRITY

Three passes. One verdict on your CMP.

We load your site three times: pre-consent, post-accept, post-reject. If vendors fire identically across all three, the consent mechanism is not functional. The HAR captures prove it.

01 / Pre-Consent

Before the banner appears

Captures every vendor that fires before any user interaction.

02 / Post-Accept

After explicit consent

Captures the full set of vendors authorized by the user.

03 / Post-Reject

After explicit rejection

Captures any vendor still firing despite a rejection click.

BLACKOUT://CONSENT/3-PASS-COMPARE · DRIFT
$ blackout consent diff --vendor 6sense
▸ pass 1 (pre-consent): b.6sc.co · 4 fires · 12 params
▸ pass 2 (post-accept): b.6sc.co · 4 fires · 12 params
▸ pass 3 (post-reject): b.6sc.co · 4 fires · 12 params
● Identical payloads across consent state · CMP non-functional
Touches: GDPR Art. 7 · ePrivacy Directive Art. 5(3)
Pre-consent vs. post-accept payload comparison · 4 vendors fire identically
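The three-pass comparison described above, written out as an added example (this is not Blackout's code). It assumes three HAR captures of the same page, one per consent state, and the sample HAR entries, the first-party CMP host and the parameter names are constructed for this example; only the vendor host b.6sc.co comes from the page. It also generalizes the page's single "identical" verdict to the other outcomes a three-pass scan can produce.

```python
"""Three-pass consent comparison (added example; not Blackout's code).

Assumes three HAR captures of the same page, one per consent state, and
decides per vendor host whether the consent state changed what was sent.
The HAR fragments below are constructed for this example.
"""
import hashlib
import json
from urllib.parse import parse_qsl, urlparse


def _har(urls):
    """Minimal HAR skeleton: only request.url is needed for this comparison."""
    return {"log": {"entries": [{"request": {"url": u}} for u in urls]}}


# Constructed captures: the vendor beacon fires the same way in every pass,
# a second (assumed) vendor only fires after an explicit accept.
PASSES = {
    "pre-consent": _har([
        "https://b.6sc.co/v?aid=1&uid=abc&ev=view",
        "https://b.6sc.co/v?aid=1&uid=abc&ev=scroll",
        "https://cdn.example-cmp.test/banner.js",
    ]),
    "post-accept": _har([
        "https://b.6sc.co/v?aid=1&uid=abc&ev=view",
        "https://b.6sc.co/v?aid=1&uid=abc&ev=scroll",
        "https://cdn.example-cmp.test/banner.js",
        "https://www.example-analytics.test/collect?cid=9",
    ]),
    "post-reject": _har([
        "https://b.6sc.co/v?aid=1&uid=abc&ev=view",
        "https://b.6sc.co/v?aid=1&uid=abc&ev=scroll",
        "https://cdn.example-cmp.test/banner.js",
    ]),
}

FIRST_PARTY = {"cdn.example-cmp.test"}  # constructed: hosts that belong to the site itself


def vendor_fires(har):
    """Per vendor host: number of fires and the set of query parameter names seen."""
    fires = {}
    for entry in har["log"]["entries"]:
        url = urlparse(entry["request"]["url"])
        if url.hostname in FIRST_PARTY:
            continue
        params = {k for k, _ in parse_qsl(url.query)}
        count, seen = fires.get(url.hostname, (0, set()))
        fires[url.hostname] = (count + 1, seen | params)
    return fires


def payload_fingerprint(har, host):
    """Order-independent SHA-256 over every request URL one host received in one pass."""
    urls = sorted(e["request"]["url"] for e in har["log"]["entries"]
                  if urlparse(e["request"]["url"]).hostname == host)
    return hashlib.sha256("\n".join(urls).encode()).hexdigest()


def consent_diff(passes, order=("pre-consent", "post-accept", "post-reject")):
    """Report fires, params and a verdict per vendor host across the three passes.

    Verdicts (the page names only the first; the others are this example's):
      'identical'      - same payload in all three passes: consent state had no effect
      'pre-consent'    - fires before any interaction, but the payload changes later
      'ignores-reject' - silent before consent, yet still fires after a reject click
      'gated'          - fires only after explicit consent
    """
    per_pass = {name: vendor_fires(passes[name]) for name in order}
    hosts = set().union(*(p.keys() for p in per_pass.values()))
    report = {}
    for host in sorted(hosts):
        rows = {name: per_pass[name].get(host, (0, set())) for name in order}
        prints = {name: payload_fingerprint(passes[name], host) for name in order}
        if len(set(prints.values())) == 1 and rows[order[0]][0] > 0:
            verdict = "identical"
        elif rows[order[0]][0] > 0:
            verdict = "pre-consent"
        elif rows[order[2]][0] > 0:
            verdict = "ignores-reject"
        else:
            verdict = "gated"
        report[host] = {
            "passes": {n: {"fires": c, "params": sorted(p)} for n, (c, p) in rows.items()},
            "fingerprints": prints,
            "verdict": verdict,
        }
    return report


def identical_vendors(report):
    """Hosts whose payload did not change across consent states: the CMP did nothing for them."""
    return sorted(h for h, r in report.items() if r["verdict"] == "identical")


if __name__ == "__main__":
    result = consent_diff(PASSES)
    print(json.dumps(result, indent=2))
    print("identical across consent state:", identical_vendors(result))
```

The fingerprint is a hash over the sorted request URLs, so two passes that send the same beacons in a different order still compare as identical; a vendor that merely reorders its calls after a reject click does not get credit for honouring it.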
04 // SUBPROCESSOR DISCLOSURE GAP

Disclosed: 3. Observed: 13.

When a vendor's privacy policy lists three subprocessors and the scanner detects thirteen third-party connections, the “product functionality” defense collapses.

Each undisclosed subprocessor adds a layer of exposure your DPA never bound, your team never approved, and your visitors never consented to. The chain depth multiplies; accountability approaches zero.

Subprocessor disclosure gap
CHEQ

Disclosed in privacy policy (2026-01-15)

  • + AWS · processing
  • + Google Cloud · processing
  • + Cloudflare · CDN

Observed at runtime

  • − adnxs.com (AppNexus / Xandr)
  • − demdex.com (Adobe Audience Manager)
  • − doubleclick.net (Google Ads)
  • − liveramp.com (identity graph)
  • − pubmatic.com (programmatic)
  • − tiktok.com (pixel)
  • − 4 additional
Touches: GDPR Art. 28 · 13 / 14
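The DPA-vs-runtime table of section 02 and the subprocessor disclosure gap of section 04 are the same computation: take the HAR, collapse the hosts contacted to third-party domains, test each claim string against that set, and hash the supporting entries so the row can be verified later. The following is an added example of that computation, not Blackout's own code. It assumes a HAR capture of the customer site with the vendor's tag loaded and a disclosed subprocessor list read from the vendor's privacy policy; the HAR entries, the first-party host, the disclosed domains, the scan timestamp and the NO_DELTA status are constructed or assumed here, while the third-party domains and the claim texts come from the page.

```python
"""DPA claim vs runtime delta with a SHA-256 chain of custody (added example; not Blackout's code).

Assumes a HAR capture of the customer site with the vendor's tag loaded, the
subprocessor list from the vendor's privacy policy, and the DPA claims as
strings. HAR entries, the disclosed list and the scan timestamp are constructed.
"""
import csv
import hashlib
import io
import json
from urllib.parse import urlparse

SCAN_TIME = "2026-01-15T10:00:00Z"           # constructed ISO-8601 scan timestamp
SITE_HOSTS = {"www.example-customer.test"}    # constructed first-party host
DISCLOSED = {"amazonaws.com", "googleapis.com", "cloudflare.com"}  # assumed domains for AWS, Google Cloud, Cloudflare
KNOWN_BROKERS = {"adnxs.com", "liveramp.com"}  # broker endpoints the page names (AppNexus, LiveRamp)

# Constructed HAR: one entry per request; only request.url is used here.
HAR = {"log": {"entries": [{"request": {"url": u}} for u in [
    "https://www.example-customer.test/",
    "https://cdnjs.cloudflare.com/lib.js",
    "https://ib.adnxs.com/px?id=1",
    "https://dpm.demdex.com/id?d=1",
    "https://stats.g.doubleclick.net/j/collect",
    "https://api.liveramp.com/sync",
    "https://ads.pubmatic.com/AdServer/js",
    "https://analytics.tiktok.com/i18n/pixel",
]]}}

GENESIS = "0" * 64  # chain anchor for the first row


def registrable(host):
    """Collapse a hostname to its last two labels (assumption: no multi-part suffixes like co.uk)."""
    return ".".join(host.split(".")[-2:])


def third_party_domains(har):
    """Every registrable domain contacted that is not the site itself."""
    hosts = {urlparse(e["request"]["url"]).hostname for e in har["log"]["entries"]}
    return {registrable(h) for h in hosts if h not in SITE_HOSTS}


def subprocessor_gap(har):
    """Observed third parties the privacy policy never disclosed (section 04 on the page)."""
    return sorted(third_party_domains(har) - DISCLOSED)


def evidence_hash(har, domains):
    """SHA-256 of the canonical JSON of the HAR entries that support a row, plus their count."""
    entries = [e for e in har["log"]["entries"]
               if registrable(urlparse(e["request"]["url"]).hostname) in domains]
    blob = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest(), len(entries)


# A check returns (status, domains that are the evidence). DISCREPANCY and
# UNVERIFIABLE are the page's statuses; NO_DELTA is added here for a claim that holds.
def check_subprocessor_count(observed, declared=3):
    return ("DISCREPANCY" if len(observed) > declared else "NO_DELTA"), observed


def check_no_sale(observed):
    brokers = observed & KNOWN_BROKERS
    return ("DISCREPANCY" if brokers else "NO_DELTA"), brokers


CLAIMS = [
    ("We use 3 subprocessors", check_subprocessor_count),
    ("We do not sell personal data", check_no_sale),
    ("Data is deleted within 90 days", None),   # nothing in network traffic can observe this
]


def build_delta(har, claims, scan_time=SCAN_TIME):
    """One row per claim; each row's chain hash commits to the previous row and its own evidence."""
    observed = third_party_domains(har)
    rows, prev = [], GENESIS
    for claim, check in claims:
        status, domains = ("UNVERIFIABLE", set()) if check is None else check(observed)
        ehash, count = evidence_hash(har, domains)
        chain = hashlib.sha256((prev + ehash).encode()).hexdigest()
        rows.append({"claim": claim, "runtime_evidence": f"{count} requests to {sorted(domains)}",
                     "status": status, "evidence_sha256": ehash, "chain_sha256": chain,
                     "scan_time": scan_time})
        prev = chain
    return rows


def verify_chain(rows):
    """Recompute the chain from the evidence hashes; an edited, dropped or reordered row breaks it."""
    prev = GENESIS
    for row in rows:
        expected = hashlib.sha256((prev + row["evidence_sha256"]).encode()).hexdigest()
        if expected != row["chain_sha256"]:
            return False
        prev = expected
    return True


def to_csv(rows):
    """Counsel export in the shape of a claim-vs-observed CSV."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    rows = build_delta(HAR, CLAIMS)
    print(to_csv(rows))
    print("undisclosed:", subprocessor_gap(HAR), "| chain intact:", verify_chain(rows))
```

The chain hash is what lets outside counsel check the export without re-running the scan: re-hashing the stored HAR entries for each row and folding them forward from the genesis value must reproduce every `chain_sha256`, so a row that was edited or removed after the fact is detectable from the CSV alone.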
05 // REGULATORY TOUCHPOINTS

We name the clauses. Counsel names the call.

Each observed behavior maps to specific named clauses across the frameworks listed below. No interpretation. No claim of legal applicability. Citations only.

GDPR

EU / EEA
  • ▸ Art. 6 · lawfulness
  • ▸ Art. 7 · consent
  • ▸ Art. 13 / 14 · transparency
  • ▸ Art. 28 · subprocessors

CCPA / CPRA

California
  • ▸ § 1798.100(b) · disclosure
  • ▸ § 1798.135 · opt-out
  • ▸ “sale” / “share” definitions

ePrivacy Directive

EU member states
  • ▸ Art. 5(3) · cookie consent
  • ▸ Member-state implementations

TCPA

United States
  • ▸ Vendor-initiated tracking
  • ▸ Automated contact patterns

State Privacy Laws

CO · CT · VA · UT · TX · OR · MT
  • ▸ Per-state consent regimes
  • ▸ Sensitive-category collection
  • ▸ Opt-out signal handling

PIPEDA

Canada
  • ▸ Knowledge & consent principles
  • ▸ Data collection without adequate consent

▸ Regulatory ceilings (GDPR 4%, CCPA per-violation, etc.) live on the methodology page as reference. They do not surface in product.

06 // THE COUNSEL EXPORT

The artifact your counsel already knows how to read.

Each finding ships as an evidence package optimized for legal review. No marketing language. No interpretation. Just observed behaviors with timestamped evidence and named clause citations.

▸ counsel-evidence-package.zip

SHA-256 chain of custody · ISO-8601 timestamps · HAR + payload hashes

01_observed_behaviors.json · Per-vendor runtime evidence with payload samples
02_clause_citations.md · Named regulatory clauses per behavior, no commentary
03_dpa_runtime_delta.csv · Claim vs. observed table, deltas as facts
04_subprocessor_gap.csv · Disclosed subprocessors vs. observed third parties
05_consent_integrity.json · Pass-1 / Pass-2 / Pass-3 payload comparison
06_evidence_har/ · Raw HAR captures with hash verification manifest

Format ready for outside-counsel review
One-click export

Capture the delta. Hand it over.

Run a scan. Get the DPA-vs-runtime artifact in 60 seconds. Counsel reads the evidence. Counsel makes the call.

▸ Free · No signup · No credit card · 600+ vendor signatures