How This Briefing Works
This report opens with key findings, then maps the gaps between what ABMatic discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Pre-Consent Activity
ABMatic was observed loading and executing before user consent was obtained on 100% of sites where it was detected.
Claims vs. Observed Behavior
Pending: requires claims extraction via CDT; live website analysis pending.
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use ABMatic
- Immediate contract termination - no compliant configuration possible
- Engage legal counsel for joint controller liability assessment under GDPR Article 26
- Submit GDPR data deletion request for all historical session recordings
- Audit data sharing agreements to identify downstream intent data buyers
If You're Evaluating ABMatic
- Replace with consent-first analytics (Plausible, Simple Analytics, Fathom)
- Assess first-party intent signal capture via owned events
- Calculate CAC subsidization cost: (ABMatic fee + leaked intent value to competitors)
Negotiation Leverage
- Session recording without consent violates GDPR Article 6 and CCPA biometric disclosure - contract is legally unenforceable
- Behavioral biometrics constitute special category data under GDPR Article 9 - require Data Protection Impact Assessment or cease processing
- Tag manager deployment without consent governance makes site operator joint controller - demand DPA amendment recognizing shared liability
- Intent data resale subsidizes competitor targeting - require complete data sharing audit with buyer identification and pricing transparency
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
Keystroke/mouse tracking
Impact: Captures keystroke dynamics, mouse movement patterns, and scroll behavior for identity resolution. Creates CCPA biometric data disclosure requirements and GDPR Article 9 special category processing violations.
Full session replay
Impact: Records complete user sessions, including form inputs and page interactions. Every recording is a potential GDPR data breach requiring notification if accessed by unauthorized parties. Creates indefinite data retention liability.
Ignoring CMP signals
Impact: Executes session recording and biometric capture before consent collection. Documented in pre-consent timeline analysis. Creates strict liability under ePrivacy Directive.
Long-lived identifiers
Impact: Maintains visitor profiles across sessions via probabilistic and deterministic matching. Extends GDPR data subject access request scope to all historical sessions.
PII deanonymization
Impact: Links anonymous sessions to known identities via email, form fills, and third-party data. Converts pseudonymous data to personal data, triggering full GDPR obligations.
Container/loader (neutral)
Impact: Deploys via tag management system, enabling dynamic updates without change control. Creates audit trail gaps and prevents technical enforcement of consent requirements.
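The pre-consent timeline analysis behind the "Pre-Consent Activity" finding and the "Ignoring CMP signals" detection can be reproduced by a site operator from their own browser telemetry. The following is an added example, not BLACKOUT's or ABMatic's code: it classifies resource loads as occurring before or after the CMP consent event. The vendor hostnames, the sample timeline and the consent timestamp are constructed placeholders; in a real page the entries would come from performance.getEntriesByType('resource') and the consent time from the CMP's consent callback.

```javascript
// Added example: classify third-party resource loads as pre- or post-consent.
// Entries mimic PerformanceResourceTiming ({ name, startTime, initiatorType }).
// All hostnames, URLs and timings below are constructed for illustration.

const VENDOR_HOSTS = ['tracker.example']; // placeholder vendor hosts (assumption)

// True when hostname is the vendor host or one of its subdomains.
function hostMatches(hostname, vendorHosts) {
  return vendorHosts.some(h => hostname === h || hostname.endsWith('.' + h));
}

// consentTimeMs is ms since navigation start, or null if consent was never given
// (in which case every vendor load counts as pre-consent).
function classifyPreConsent(entries, consentTimeMs, vendorHosts = VENDOR_HOSTS) {
  const preConsent = [];
  const postConsent = [];
  for (const e of entries) {
    let hostname;
    try { hostname = new URL(e.name).hostname; } catch { continue; } // skip malformed URLs
    if (!hostMatches(hostname, vendorHosts)) continue;        // first-party or other hosts
    const isPre = consentTimeMs === null || e.startTime < consentTimeMs;
    (isPre ? preConsent : postConsent).push({
      url: e.name, type: e.initiatorType, startTime: e.startTime,
    });
  }
  return { preConsent, postConsent, violation: preConsent.length > 0 };
}

// Constructed sample timeline: consent granted 2500 ms after navigation start.
const SAMPLE_ENTRIES = [
  { name: 'https://cdn.tracker.example/loader.js', startTime: 310, initiatorType: 'script' },
  { name: 'https://tracker.example/collect?ev=keydown', startTime: 1200, initiatorType: 'xmlhttprequest' },
  { name: 'https://www.example.com/app.js', startTime: 400, initiatorType: 'script' },
  { name: 'https://tracker.example/collect?ev=click', startTime: 3100, initiatorType: 'beacon' },
];
const SAMPLE_CONSENT_TIME = 2500;

function run() {
  const report = classifyPreConsent(SAMPLE_ENTRIES, SAMPLE_CONSENT_TIME);
  console.log(JSON.stringify(report, null, 2)); // two pre-consent loads, one post-consent
  return report;
}

run();
```

A non-empty preConsent list for a vendor is the evidence the report describes; the same check run on a null consent time covers visitors who never interact with the banner.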
IOC Manifest
Indicators of compromise across 5 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
Complete network capture with all requests and responses
82 detection signatures across scripts, domains, cookies, and network endpoints