How This Briefing Works
This report opens with key findings, then maps the gaps between what 6sense discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Consent Bypass
69% pre-consent tracking rate detected across monitored sites
Compliance Claim Mismatch
Pre-consent tracking behavior contradicts GDPR consent requirements
Vendor Disclosure
42+ vendors detected on site with limited disclosure in privacy policy
Pre-Consent Activity
6sense was observed loading and executing before user consent was obtained on 70% of sites where it was detected.
Data Selling
Acknowledged data selling activity as registered Texas data broker
Claims vs. Observed Behavior
Consent Bypass
“Privacy By Design principles”
69% pre-consent tracking rate detected across monitored sites
BLACKOUT runtime scans show 69% of 6sense vendors fire before consent
Compliance Claim Mismatch
“GDPR compliant with TRUSTe validation”
Pre-consent tracking behavior contradicts GDPR consent requirements
TRUSTe badge displayed while 69% pre-consent rate observed
Vendor Disclosure
“Privacy policy vendor disclosure”
42+ vendors detected on site with limited disclosure in privacy policy
Runtime scan detected 42+ third-party vendors
Data Selling
“SOC 2 Privacy Trust Service Criteria”
Acknowledged data selling activity as registered Texas data broker
Texas data broker registration confirms data sale practices
Disclosure Gap
“Trust center compliance badges”
Registered as data broker in Texas despite privacy-first positioning
Texas data broker registry listing
CMP Failure
“Ketch CMP deployed for consent management”
Ketch CMP fires pre-consent alongside other vendors
Runtime detection shows CMP loading pre-consent
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use 6sense
- →Request explicit written clarification on how GDPR compliance is maintained while operating as a registered data broker that sells personal information
- →Review your privacy policy to ensure 6sense's data broker status and intent data sourcing are adequately disclosed to your prospects
- →Audit your subprocessor documentation — 42+ vendors on 6sense.com are not adequately disclosed in their privacy policy
- →Assess whether competitor access to the same 6sense subscriber ecosystem creates strategic risk for your ABM campaigns
- →Document legitimate interest basis for 6sense intent data — their data broker model may not support consent-based processing claims
If You're Evaluating 6sense
- →Note their Texas data broker registration alongside 'Security & Privacy By Design' marketing — reconcile this contradiction before procurement
- →Request SOC 2 report including Privacy TSC and verify how it addresses their acknowledged data selling practices
- →Ask specifically how your target account research signals are isolated from other 6sense subscribers including potential competitors
- →Consider privacy-respecting ABM alternatives that do not operate as registered data brokers (Bombora for aggregate intent, G2 for declared intent)
- →Require contractual data isolation and prohibition on selling data derived from your account activity before signing
Negotiation Leverage
- →Data broker status acknowledgment: 6sense is a registered Texas data broker that explicitly sells personal information. Require contractual prohibition on selling data derived from your account activity, with quarterly audit rights to verify compliance.
- →Consent chain verification: 69% pre-consent rate on their own site plus 'one trillion daily signals' from web, mobile, and exchanges. Require documented consent provenance for all intent data provided to your organization under GDPR Art 5(1)(a).
- →Signal isolation: Multi-tenant intent data model means your target account research may inform competitor campaigns. Require contractual data isolation ensuring your account lists and engagement signals are never used to enrich other subscribers' targeting.
- →Privacy TSC reconciliation: SOC 2 with Privacy TSC alongside acknowledged data selling requires explanation. Request the SOC 2 report and verify how the Privacy TSC addresses their data broker operations.
- →CMP remediation evidence: Their Ketch CMP fires pre-consent on 6sense.com. Require documented evidence of consent architecture remediation with independent audit verification before trusting compliance claims.
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
Evasion infrastructure, auditor bypass
Keystroke/mouse tracking
Full session replay
Identity stitching
Ignoring CMP signals
Device identification
Long-lived identifiers
PII deanonymization
Container/loader (neutral)
IOC Manifest
Indicators of compromise across 6 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
Complete network capture with all requests and responses
150 detection signatures across scripts, domains, cookies, and network endpoints