How This Briefing Works
This report opens with key findings, then maps the gaps between what Amplitude discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Pre-Consent Tracking
41 cookies fire before the Civic Cookie Control consent banner renders, including identity-level ad network cookies (sa-user-id, TDID, uuid2, MUID, _fbp)
Privacy Marketing vs Reality
Amplitude's own website deploys 97 cookies and 90+ third-party domains, uses canvas/WebGL/navigator fingerprinting, and loads obfuscated scripts (CHEQ via roundprincemusic.com)
Pre-Consent Activity Across Deployments
On 43% of the sites where the scanner detected Amplitude, its scripts loaded and executed before user consent was obtained.
Undisclosed Vendors
Scanner detected 30+ unique third-party vendor domains including CHEQ, Clearbit, 6sense, ZoomInfo, ClickCease, Inflection, Influ2, Infinigrow, ClickAgy, and ad exchanges (AppNexus, Rubicon, PubMatic)
Subprocessor Disclosure Gap
Data flows observed to 15+ additional vendors not listed as subprocessors, including identity enrichment and programmatic ad platforms
Claims vs. Observed Behavior
Pre-Consent Tracking
Claim: “Claims GDPR compliance via EU-US Data Privacy Framework and honors GPC signals”
Observed: 41 cookies fire before the Civic Cookie Control consent banner renders, including identity-level ad network cookies (sa-user-id, TDID, uuid2, MUID, _fbp)
Evidence: scanner raw_intel preConsentCookies array (41 cookies, including Google Analytics, LinkedIn, Reddit, Marketo, 6sense and StackAdapt identifiers)
Privacy Marketing vs Reality
Claim: “Trust center features Privacy by Design program as a core control”
Observed: Amplitude's own website deploys 97 cookies and 90+ third-party domains, fingerprints via canvas, WebGL and navigator properties, and loads obfuscated scripts (CHEQ via roundprincemusic.com)
Evidence: scanner detected 97 cookies, fingerprinting via canvas/webgl/navigator methods, and obfuscation patterns (eval, function_constructor)
Undisclosed Vendors
Claim: “Privacy policy cookie table lists 19 vendor integrations”
Observed: scanner detected 30+ unique third-party vendor domains, including CHEQ, Clearbit, 6sense, ZoomInfo, ClickCease, Inflection, Influ2, Infinigrow, ClickAgy, and the ad exchanges AppNexus, Rubicon and PubMatic
Evidence: scanner thirdPartyDomains list compared against the privacy policy Section 14 cookie table
Subprocessor Disclosure Gap
Claim: “Trust center lists 5 subprocessors (AWS, Datadog, OpenAI, Snowflake, Wiz)”
Observed: data flows to 15+ additional vendors not listed as subprocessors, including identity enrichment and programmatic ad platforms
Evidence: trust center Subprocessors tab compared against scanner-observed data recipients (Clearbit reveal API, 6sense epsilon, ZoomInfo ws, StackAdapt tags)
GPC Signal Timing
Claim: “Amplitude honors the Global Privacy Control (GPC) signal when properly configured and received”
Observed: 41 cookies, including ad network identifiers, fire on page load before the GPC signal can be processed or the consent banner renders
Evidence: scanner preConsentCookies timing compared against CMP load order in the script inventory
Security Documentation Access
Claim: “SOC 2 Type II, SOC 1 Type II, ISO 27001/27017/27018 certifications displayed on trust center”
Observed: every compliance report sits behind a “Request access” approval step; none is freely downloadable
Evidence: trust center documentation section shows Request access buttons on all reports
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use Amplitude
- Audit your consent implementation to verify that Amplitude scripts do not fire before consent is obtained (the scanner observed a 40.9% pre-consent rate across deployments)
- Request a complete list of all third-party services that Amplitude's client-side code communicates with, beyond the 5 subprocessors listed on its trust center
- Review your DPA to confirm that subprocessor notification requirements cover runtime data recipients, not just infrastructure providers
- Implement server-side event forwarding where possible to reduce client-side script exposure from Amplitude's multi-module deployment (analytics, experiment, session replay and engagement)
- Request the SOC 2 Type II report and check whether its scope covers the client-side JavaScript (SDK) behavior or only the server infrastructure
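The consent audit in the first action above can be scripted. The following is an added example, not BLACKOUT's scanner and not Amplitude's SDK: it polls document.cookie from page load, records when each cookie first appears, and treats the first appearance of the CMP's own cookie as the consent moment. It assumes that Civic Cookie Control stores the visitor's choice in a cookie named CookieControl (an assumption, not something the report states); the identity-level cookie names come from the report, and the sample timeline is constructed so the audit also runs offline under Node.

```javascript
// Added example: a pre-consent cookie audit. This is not BLACKOUT's scanner and not Amplitude's
// SDK; it records when each cookie first appears relative to the visitor's consent action.
// Assumption (not stated in the report): Civic Cookie Control stores the visitor's choice in a
// cookie named "CookieControl", whose first appearance is taken as the consent moment.

const IDENTITY_COOKIES = new Set(['sa-user-id', 'TDID', 'uuid2', 'MUID', '_fbp']); // named in the report
const CMP_COOKIE = 'CookieControl'; // assumption: Civic Cookie Control's own consent cookie

// Parse a document.cookie string ("a=1; b=2") into a Map of name -> value.
function parseCookies(str) {
  const out = new Map();
  for (const part of str.split(';')) {
    const s = part.trim();
    if (!s) continue;
    const eq = s.indexOf('=');
    out.set(eq === -1 ? s : s.slice(0, eq), eq === -1 ? '' : s.slice(eq + 1));
  }
  return out;
}

// Given snapshots [{t, cookie}] (t = ms since navigation start, cookie = document.cookie at t),
// return the time each cookie name was first seen.
function firstSeen(snapshots) {
  const seen = new Map();
  for (const { t, cookie } of [...snapshots].sort((a, b) => a.t - b.t)) {
    for (const name of parseCookies(cookie).keys()) {
      if (!seen.has(name)) seen.set(name, t);
    }
  }
  return seen;
}

// Consent time = first snapshot in which the CMP's own cookie exists, or null if it never appears.
function consentTimeFrom(snapshots) {
  const seen = firstSeen(snapshots);
  return seen.has(CMP_COOKIE) ? seen.get(CMP_COOKIE) : null;
}

// Split cookies into pre- and post-consent. consentAt === null means consent was never given
// during the observation window, so every cookie counts as pre-consent.
function auditPreConsent(snapshots, consentAt) {
  const pre = [];
  const post = [];
  for (const [name, t] of firstSeen(snapshots)) {
    if (name === CMP_COOKIE) continue; // the CMP's own cookie is not tracking
    (consentAt === null || t < consentAt ? pre : post).push({ name, t });
  }
  pre.sort((a, b) => a.t - b.t);
  return {
    consentAt,
    preConsent: pre.map(c => c.name),
    identityPreConsent: pre.filter(c => IDENTITY_COOKIES.has(c.name)).map(c => c.name),
    postConsent: post.map(c => c.name),
  };
}

// Browser collector: poll document.cookie from as early as possible (a DevTools snippet, or a tag
// placed before both the CMP and Amplitude), stop when the CMP cookie appears or after maxMs, and
// report the audit together with the GPC signal the browser sent. GPC is already known at t=0,
// so a tracker that fires before it is checked has no timing excuse.
function collectInBrowser({ intervalMs = 50, maxMs = 15000 } = {}) {
  const snapshots = [];
  const t0 = performance.now();
  const gpc = navigator.globalPrivacyControl === true;
  return new Promise(resolve => {
    const timer = setInterval(() => {
      const t = Math.round(performance.now() - t0);
      snapshots.push({ t, cookie: document.cookie });
      const consentAt = consentTimeFrom(snapshots);
      if (consentAt !== null || t >= maxMs) {
        clearInterval(timer);
        resolve({ gpc, ...auditPreConsent(snapshots, consentAt) });
      }
    }, intervalMs);
  });
}

// Constructed timeline (not captured from any real site) so the audit can be run offline under Node.
const SAMPLE_TIMELINE = [
  { t: 0,    cookie: '' },
  { t: 120,  cookie: '_ga=GA1.1.1; _fbp=fb.1.1' },
  { t: 400,  cookie: '_ga=GA1.1.1; _fbp=fb.1.1; MUID=abc; uuid2=xyz' },
  { t: 3000, cookie: '_ga=GA1.1.1; _fbp=fb.1.1; MUID=abc; uuid2=xyz; CookieControl=%7B%7D' },
  { t: 3200, cookie: '_ga=GA1.1.1; _fbp=fb.1.1; MUID=abc; uuid2=xyz; CookieControl=%7B%7D; _gcl_au=1' },
];

if (typeof document === 'undefined') {
  // Node: run against the constructed timeline. In a browser, call collectInBrowser() instead.
  console.log(JSON.stringify(auditPreConsent(SAMPLE_TIMELINE, consentTimeFrom(SAMPLE_TIMELINE)), null, 2));
}
```

In a browser, run collectInBrowser() from a DevTools snippet before the CMP loads; anything in preConsent that is not your own first-party cookie is a finding, and identityPreConsent is the list to put in front of your DPO. Cookies set with HttpOnly are invisible to document.cookie, so reconcile the result against the network capture for those.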
If You're Evaluating Amplitude
- Request access to the SOC 2 Type II report and penetration test results before signing; both sit behind an approval gate on the trust center
- Require a contractual commitment that the pre-consent tracking rate will be 0% on your deployment, with liquidated damages for violations
- Compare Amplitude's multi-product bundle (analytics, experiment, session replay) against best-of-breed alternatives that may have simpler client-side footprints
- Negotiate a right-to-audit clause covering runtime behavior monitoring on your deployment, not just Amplitude's internal infrastructure
- Verify that Amplitude's EU data residency option (Frankfurt) covers all data processing, including the Experiment and Engagement Browser modules
Negotiation Leverage
- Pre-consent liability exposure: Scanner data shows a 40.9% pre-consent tracking rate across Amplitude deployments. Require contractual indemnification for regulatory fines arising from pre-consent cookie activity, with an SLA guaranteeing zero pre-consent tracking and liquidated damages of $10,000 per documented violation.
- Subprocessor transparency gap: The trust center lists 5 infrastructure subprocessors while Amplitude's own website shares data with 30+ third-party vendors. Require comprehensive disclosure of all runtime data recipients within 30 days, with a contractual obligation for 30-day advance notice and written approval before adding new data processors.
- Right to independent verification: Amplitude's SOC 2 and ISO certifications cover server-side infrastructure. Require a contractual right to conduct independent runtime compliance audits on your deployment at any time without prior notice, with Amplitude bearing the cost if violations are discovered.
- GPC implementation verification: The privacy policy claims GPC signal compliance, but pre-consent tracking occurs before signal processing. Require technical documentation proving the GPC signal is processed before any tracking initiates, with independent third-party verification.
- Security documentation access: All compliance reports are access-gated on the trust center. Negotiate automatic access to current SOC 2, penetration test, and ISO certification reports as part of your contract, updated within 30 days of renewal.
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks: each behavior listed below was triggered by something we watched this vendor's code actually do.
- Evasion infrastructure, auditor bypass
- Keystroke/mouse tracking
- Full session replay
- Identity stitching
- Ignoring CMP signals
- Device identification
- PII deanonymization
- Container/loader (neutral)
IOC Manifest
Indicators of compromise across 6 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
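One way to put such a manifest to work, as an added example that is not the BLACKOUT IOC manifest: take the observed hosts, emit a Pi-hole blocklist and a Content-Security-Policy that allowlists only your own origins, then verify that the policy really blocks every observed host before you enforce it. The host names are constructed on the reserved .example TLD, except roundprincemusic.com, which the report names as the host serving the obfuscated CHEQ script; the first-party origins and the /csp-report endpoint are placeholders.

```javascript
// Added example, not the BLACKOUT IOC manifest: turn observed third-party hosts into a Pi-hole
// blocklist and a CSP allowlist, then verify the policy really blocks every host. All host names
// are constructed (reserved .example TLD) except roundprincemusic.com, which the report names as
// the host serving the obfuscated CHEQ script.

const OBSERVED_HOSTS = [
  'roundprincemusic.com',
  'cdn.vendor.example',
  'tags.adx.example',
  'ib.adx.example',
  'reveal.enrich.example',
];
const FIRST_PARTY = ['https://www.yoursite.example', 'https://api.yoursite.example']; // constructed

// Naive registrable domain: last two labels. Caveat: multi-label public suffixes (co.uk, com.au)
// need the Public Suffix List; this is enough for the example.
function registrableDomain(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Pi-hole: hosts-format lines block an exact host only; the regex lines block the registrable
// domain and every subdomain, which is what you want for a vendor that rotates CDN hostnames.
function piholeBlocklist(hosts) {
  const exact = [...new Set(hosts.map(h => h.toLowerCase()))].sort();
  const domains = [...new Set(exact.map(registrableDomain))].sort();
  return {
    hostsFile: exact.map(h => `0.0.0.0 ${h}`).join('\n') + '\n',
    regexList: domains.map(d => `(\\.|^)${d.replace(/\./g, '\\.')}$`),
  };
}

// CSP as an allowlist: only your own origins may serve scripts, frames, images or receive
// connections. Deploy as Content-Security-Policy-Report-Only first, fix first-party breakage
// from the reports, then enforce.
function buildCsp(firstPartyOrigins) {
  const own = ["'self'", ...firstPartyOrigins].join(' ');
  return [
    "default-src 'self'",
    `script-src ${own}`,
    `connect-src ${own}`,
    `img-src ${own} data:`,
    `frame-src ${own}`,
    'report-uri /csp-report', // assumption: your own reporting endpoint
  ].join('; ');
}

// Parse a policy string into Map directive -> [sources].
function parseCsp(policy) {
  const m = new Map();
  for (const d of policy.split(';')) {
    const parts = d.trim().split(/\s+/).filter(Boolean);
    if (parts.length) m.set(parts[0], parts.slice(1));
  }
  return m;
}

// Would `policy` let `directive` load from `host`? Falls back to default-src like a browser.
// Supports 'self', '*', scheme-only sources (https: allows any https host), and host sources
// with an optional scheme, port and leading '*.' wildcard. Other keyword sources never match a host.
function cspAllows(policy, directive, host, selfHost) {
  const m = parseCsp(policy);
  const sources = m.get(directive) ?? m.get('default-src') ?? [];
  const h = host.toLowerCase();
  return sources.some(src => {
    if (src === "'self'") return h === selfHost.toLowerCase();
    if (src === '*') return true;
    if (src.startsWith("'")) return false;
    if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return !['data:', 'blob:'].includes(src.toLowerCase());
    const s = src.replace(/^[a-z][a-z0-9+.-]*:\/\//i, '').replace(/:\d+$/, '').toLowerCase();
    return s.startsWith('*.') ? h.endsWith(s.slice(1)) : h === s;
  });
}

// Every (directive, host) pair the policy would still allow. An empty list means the observed
// hosts are fully blocked for these directives.
function stillAllowed(policy, hosts, selfHost) {
  const out = [];
  for (const host of hosts) {
    for (const d of ['script-src', 'connect-src', 'img-src', 'frame-src']) {
      if (cspAllows(policy, d, host, selfHost)) out.push(`${d}: ${host}`);
    }
  }
  return out;
}

const POLICY = buildCsp(FIRST_PARTY);
console.log(POLICY);
console.log(piholeBlocklist(OBSERVED_HOSTS).hostsFile);
console.log('still allowed:', stillAllowed(POLICY, OBSERVED_HOSTS, 'www.yoursite.example'));
```

The CSP is the control that matters on your own pages: it is an allowlist, so a vendor host that rotates or a new subprocessor that appears next quarter is blocked without a list update, and the reports tell you when it tried. The Pi-hole list is a blocklist and only protects the machines behind that resolver, which makes it useful for verification on a test box rather than as the production mitigation. Replace registrableDomain with a Public Suffix List lookup before using the regex list on real data.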
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
- Complete network capture with all requests and responses
- 186 detection signatures across scripts, domains, cookies, and network endpoints
