How This Briefing Works
This report opens with key findings, then maps the gaps between what ActiveCampaign discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Consent Bypass
73.1% pre-consent tracking rate detected across monitored sites
Pre-Consent Activity
ActiveCampaign was observed loading and executing before user consent was obtained on 74% of sites where it was detected.
Data Selling
Explicit data selling acknowledged in privacy documentation
CMP Failure
OneTrust CMP fires pre-consent alongside tracking vendors
Vendor Disclosure
20+ vendors detected on site with limited disclosure
Claims vs. Observed Behavior

Consent Bypass
Claim: “GDPR-friendly platform”
Observed: 73.1% pre-consent tracking rate detected across monitored sites
Evidence: BLACKOUT runtime scans show 73.1% of vendors fire before consent

Data Selling
Claim: “Start with trust company value”
Observed: Explicit data selling acknowledged in privacy documentation
Evidence: Privacy policy discloses data sale practices

CMP Failure
Claim: “OneTrust CMP deployed for consent management”
Observed: OneTrust CMP fires pre-consent alongside tracking vendors
Evidence: Runtime detection shows the CMP loading pre-consent

Vendor Disclosure
Claim: “Privacy policy vendor disclosure”
Observed: 20+ vendors detected on site with limited disclosure
Evidence: Runtime scan detected 20+ third-party vendors against a limited privacy policy list

Certification Gap
Claim: “Enterprise marketing platform”
Observed: No SOC 2 or ISO 27001 certification displayed, unlike competitors
Evidence: No compliance certifications listed on the trust center

Session Recording Disclosure
Claim: “Privacy-respecting analytics”
Observed: Session replay tools deployed without clear disclosure to users
Evidence: Session replay detected on site without prominent user notice
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use ActiveCampaign
- Request explicit written clarification on how GDPR compliance is achieved when 73.1% of the tracking on their own properties fires before consent
- Review what happens to your subscriber engagement data: their privacy policy admits selling identifiers to data enrichment providers
- Demand a SOC 2 Type II report, or an explanation of why none exists despite processing 4 billion weekly interactions across 170+ countries
- Audit whether your subscriber data enters the data enrichment ecosystem, where competitors may purchase engagement insights
- Consider alternatives that do not participate in data broker networks if data sale is incompatible with your privacy commitments
If You're Evaluating ActiveCampaign
- Note the gap between the 'Start with trust' messaging and the explicit data sale admissions in their privacy policy
- Request SOC 2 Type II and ISO 27001 evidence; ActiveCampaign does not appear to hold either despite its enterprise scale
- Ask specifically how subscriber data is isolated from their data enrichment provider relationships
- Compare against alternatives like Mailchimp, Customer.io, or Klaviyo that do not admit to selling subscriber data
- Require a contractual data sale prohibition before signing; their default terms allow selling your audience intelligence
Negotiation Leverage
- Data sale prohibition: ActiveCampaign explicitly admits selling identifiers and network activity to data enrichment providers. Require a contractual prohibition on selling, sharing, or enriching data derived from your subscriber interactions, with quarterly audit rights.
- Security attestation requirement: ActiveCampaign displays no SOC 2 or ISO certifications despite processing 4 billion weekly interactions. Require a SOC 2 Type II report as a contract condition, or negotiate significant liability indemnification.
- Pre-consent SLA: 73.1% pre-consent tracking on their own website contradicts the GDPR-friendly claim. Require a contractual guarantee that their SDK and tracking code honors your CMP signals, with zero pre-consent data processing.
- Data enrichment opt-out: ActiveCampaign both buys from and sells to data enrichment providers. Require written confirmation that your account data is excluded from all enrichment partnerships and data marketplace activity.
- Subprocessor transparency: 20+ vendors detected on activecampaign.com with limited disclosure. Require a complete subprocessor list, with 30 days' advance notice before additions affecting your data processing.
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
Evasion infrastructure, auditor bypass
Keystroke/mouse tracking
Full session replay
Identity stitching
Ignoring CMP signals
Device identification
PII deanonymization
Container/loader (neutral)
IOC Manifest
Indicators of compromise across 5 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
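To make the two numbers this report leans on concrete (the share of vendors that fire before consent, and the IOC list derived from them), here is an added example that is not BLACKOUT's code and is not part of the original report. It replays a HAR-style request log against the instant consent was given, marks each third-party vendor as pre- or post-consent, flags a CMP that itself loaded before consent, and turns the pre-consent hosts into a Pi-hole list plus a check of which of them an existing CSP `script-src` source list would still allow. Every hostname, timing, the consent instant and the CSP source list are constructed; the metric definition (distinct registrable domains, CMP excluded from the vendor count) is an assumption about how such a rate is computed, not BLACKOUT's published methodology.

```javascript
// Added example (not BLACKOUT's code): replay a HAR-style request log against
// the moment consent was given, compute the pre-consent vendor rate, and turn
// the pre-consent hosts into IOC output (Pi-hole list, CSP gap check).
// All hostnames, timings and the consent instant below are constructed.

const FIRST_PARTY = new Set(["www.vendor-site.example", "static.vendor-site.example"]);
const CMP_HOSTS = new Set(["cmp.consent-provider.example"]); // hypothetical CMP domain
const CONSENT_AT_MS = 5000; // constructed: user clicked "Accept" 5.0 s after navigation start

// Constructed capture, one entry per request: ms offset from navigation start,
// URL, and initiator type as a HAR viewer would label it.
const CAPTURE = [
  { t: 120,  url: "https://www.vendor-site.example/",                     type: "document" },
  { t: 340,  url: "https://cmp.consent-provider.example/consent.js",      type: "script" },
  { t: 410,  url: "https://replay.session-tool.example/record.js",        type: "script" },
  { t: 455,  url: "https://px.adnet-one.example/pixel.gif?uid=abc",       type: "img" },
  { t: 470,  url: "https://static.vendor-site.example/app.js",            type: "script" },
  { t: 610,  url: "https://beacon.pixel-two.example/b.gif",               type: "img" },
  { t: 900,  url: "https://id.stitch-graph.example/sync",                 type: "xhr" },
  { t: 5200, url: "https://cmp.consent-provider.example/consent-receipt", type: "xhr" },
  { t: 5300, url: "https://tags.late-vendor.example/tag.js",              type: "script" },
  { t: 6100, url: "https://img.late-ads.example/view.gif",                type: "img" },
];

// Registrable-domain approximation (last two labels). Good enough for the
// constructed names; a real scan should use the Public Suffix List.
function registrableDomain(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

// Group third-party requests by vendor and mark which vendors fired before consent.
function classifyCapture(capture, consentAtMs, firstParty = FIRST_PARTY, cmpHosts = CMP_HOSTS) {
  const vendors = new Map();       // registrable domain -> { firstSeenMs, preConsent }
  const preConsentRequests = [];   // third-party requests observed before consent
  let cmpPreConsent = false;
  for (const req of capture) {
    const hostname = new URL(req.url).hostname;
    const pre = req.t < consentAtMs;
    if (firstParty.has(hostname)) continue;
    if (cmpHosts.has(hostname)) { cmpPreConsent ||= pre; continue; } // CMP reported separately, not as a vendor
    const key = registrableDomain(hostname);
    const v = vendors.get(key) ?? { firstSeenMs: req.t, preConsent: false };
    v.firstSeenMs = Math.min(v.firstSeenMs, req.t);
    v.preConsent ||= pre;
    vendors.set(key, v);
    if (pre) preConsentRequests.push({ t: req.t, hostname, type: req.type });
  }
  const total = vendors.size;
  const preCount = [...vendors.values()].filter((v) => v.preConsent).length;
  return {
    vendors,
    preConsentRequests,
    totalVendors: total,
    preConsentVendors: preCount,
    preConsentRate: total ? Math.round((preCount / total) * 1000) / 10 : 0, // percent, one decimal
    cmpPreConsent,
  };
}

// Unique pre-consent third-party hostnames, optionally limited to one initiator type.
function preConsentHosts(result, type) {
  const hosts = result.preConsentRequests
    .filter((r) => type === undefined || r.type === type)
    .map((r) => r.hostname);
  return [...new Set(hosts)].sort();
}

// Pi-hole and most DNS sinkholes take one hostname per line.
function piholeBlocklist(result) {
  return preConsentHosts(result).join("\n");
}

// Host-only CSP matching: exact host, "*.example" wildcard, bare scheme ("https:") or "*".
// Keyword sources ('self', nonces, hashes) never match a third-party host.
// Simplified on purpose: no port or path matching.
function cspSourceMatchesHost(source, hostname) {
  if (source === "*" || /^[a-z][a-z0-9+.-]*:$/i.test(source)) return true;
  if (source.startsWith("'")) return false;
  const host = source.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "").replace(/[:/].*$/, "").toLowerCase();
  return host.startsWith("*.") ? hostname.endsWith(host.slice(1)) : hostname === host;
}

// Which pre-consent hosts a given directive's source list would still let through.
function cspStillAllowed(sourceList, hosts) {
  return hosts.filter((h) => sourceList.some((s) => cspSourceMatchesHost(s, h)));
}

const RESULT = classifyCapture(CAPTURE, CONSENT_AT_MS);
// Hypothetical script-src source list taken from a site's existing CSP.
const SCRIPT_SRC = ["'self'", "https://cmp.consent-provider.example", "https://*.session-tool.example"];
const SCRIPT_GAPS = cspStillAllowed(SCRIPT_SRC, preConsentHosts(RESULT, "script"));

console.log(`${RESULT.preConsentVendors}/${RESULT.totalVendors} vendors fired pre-consent (${RESULT.preConsentRate}%)`);
console.log(`CMP loaded before consent: ${RESULT.cmpPreConsent}`);
console.log("Pi-hole blocklist:\n" + piholeBlocklist(RESULT));
console.log("Pre-consent script hosts still allowed by script-src:", SCRIPT_GAPS);
```

Run it with `node` after mapping a real HAR's `entries` to `{t, url, type}` and taking the consent instant from the scan's interaction log. The same classification can be done live in the browser by feeding `PerformanceObserver` `resource` entries (their `name` and `initiatorType`) into `classifyCapture` once the CMP's accept handler records the consent time. The CSP check is deliberately host-only, so treat an empty result as "nothing obviously missed", not as proof the policy blocks every pre-consent load.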
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
Complete network capture with all requests and responses
102 detection signatures across scripts, domains, cookies, and network endpoints
