How This Briefing Works
This report opens with key findings, then maps the gaps between what 5×5 Data discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
compliance_claim_mismatch
Explicitly sells ethnicity data (GDPR special category) and has 67% pre-consent tracking rate
consent_gap
CookieYes CMP fires pre-consent (pre_consent=true in scan data). 67% overall pre-consent rate.
subprocessor_gap
40+ third-party vendors observed including IDVisitors, Intentsify, HockeyStack, RB2B. Zero vendors disclosed by name.
Pre-Consent Activity
5×5 Data was observed loading and executing before user consent was obtained on 67% of sites where it was detected.
disclosure_gap
Cooperative model means unknown number of Members receive shared PI
Claims vs. Observed Behavior
compliance_claim_mismatch
“Trust center displays GDPR badge, states 5×5 is working to meet EU data protection requirements”
Explicitly sells ethnicity data (GDPR special category) and has 67% pre-consent tracking rate
Consumer Privacy Notice admits "We have sold or shared your ethnicity data." Trust center text says "working to meet", not "compliant".
consent_gap
“CookieYes consent banner with Reject All option deployed”
CookieYes CMP fires pre-consent (pre_consent=true in scan data). 67% overall pre-consent rate.
intel_detections shows cookieyes vendor_slug with pre_consent=true on 5x5data.com
subprocessor_gap
“Privacy policy mentions service providers and Members generically”
40+ third-party vendors observed including IDVisitors, Intentsify, HockeyStack, RB2B. Zero vendors disclosed by name.
Scan data shows 40+ distinct vendor slugs on 5x5data.com hostname
disclosure_gap
“No subprocessor list published anywhere”
Cooperative model means unknown number of Members receive shared PI
Full site review found no subprocessor list. Privacy policy only mentions AWS and Snowflake as delivery partners.
claims_gap
“SOC 2 Type I certified”
Type I is point-in-time, not ongoing verification. No Type II certification.
Trust center explicitly states SOC 2 Type I, not Type II
disclosure_gap
“No retention period specified”
Privacy policy says data is retained "until no longer necessary", with no specific timeframe
Consumer Privacy Notice Section 5.C states "until no longer necessary"
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use 5×5 Data
- URGENT: Audit your consent implementation — 5x5's own CookieYes banner fires before consent; their pixel likely does the same on your property
- Request complete Member list in writing — your visitors' PII is being shared with unknown cooperative participants
- Review what data categories have been contributed from your site — 5x5 sells ethnicity data, a GDPR Article 9 special category
- Document risk acceptance if continuing use — the cooperative model makes it impossible to audit downstream data flows
- Consider immediate removal given GDPR special category exposure and inability to verify who receives your data
If You're Evaluating 5×5 Data
- Request Member list disclosure as a pre-contract condition — 5x5 will likely refuse, which tells you everything about transparency
- Demand GDPR compliance documentation — 'working to meet' requirements is not compliance and creates shared liability for you
- Ask about ethnicity data: confirm whether your visitors' racial or ethnic data would enter the cooperative pool
- Note they hold SOC 2 Type I only (point-in-time), not Type II (ongoing verification) — insufficient for enterprise procurement
- Evaluate alternatives that do not operate cooperative data pooling models where your data subsidizes competitors' intelligence
Negotiation Leverage
- Member list disclosure: 5x5 Data operates a cooperative model where unknown Members receive pooled PII. Require complete Member list disclosure as a contract precondition — you have a right to know who receives your visitors' data.
- Ethnicity data prohibition: 5x5 explicitly admits selling ethnicity data, a GDPR Article 9 special category. Require written contractual prohibition on collecting, storing, or sharing any special category data from your visitors.
- Pre-consent SLA: CookieYes consent banner fires before consent on their own site, producing a 67% pre-consent rate. Require contractual guarantee of 0% pre-consent data collection with independent audit verification quarterly.
- GDPR compliance timeline: Trust center states they are 'working to meet' GDPR requirements. Require documented GDPR compliance certification with specific deadline and right to terminate without penalty if unmet.
- Data deletion and portability: Require contractual right to demand immediate deletion of all visitor data from the cooperative pool, with written confirmation from 5x5 that data has been purged from all Member access.
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
BTI-2025-0024
Evasion infrastructure, auditor bypass
Keystroke/mouse tracking
Full session replay
Identity stitching
Ignoring CMP signals
Device identification
PII deanonymization
IOC Manifest
Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
Complete network capture with all requests and responses
65 detection signatures across scripts, domains, cookies, and network endpoints