How This Briefing Works
This report opens with key findings, then maps the gaps between what Beehiiv discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Consent Violation
55% of vendors (21/38) fire before user consent is obtained
Disclosure Gap
15 vendors detected at runtime not disclosed in privacy policy
Identity Resolution
ZoomInfo detected loading pre-consent for visitor identification
Undisclosed Party
Not in privacy policy
Undisclosed Sharing
Hidden data recipients
Claims vs. Observed Behavior
Consent Violation
“GDPR and CCPA compliant as stated in privacy policy”
55% of vendors (21/38) fire before user consent is obtained
Runtime scan shows Ada, CHEQ, Clarity, DoubleClick, GA4, HubSpot, MetaPixel, ZoomInfo and 13 others loading pre-consent
Disclosure Gap
“Privacy policy lists data processors”
15 vendors detected at runtime not disclosed in privacy policy
ZoomInfo, CHEQ, TrenDemon, Salesloft, Dreamdata, Pubrio, VWO, Human Security, PerimeterX, NeverBounce, Loom, Typeform, Bitly, Ada, Ahrefs found in runtime but absent from policy
Identity Resolution
“No identity resolution disclosure”
ZoomInfo detected loading pre-consent for visitor identification
ZoomInfo vendor slug detected in runtime scan with pre_consent=true
Fingerprinting Disclosure
“Cookie policy mentions browser fingerprinting”
Browser fingerprinting acknowledged but creates consent complexity - fingerprints cannot be deleted like cookies
Cookie policy states: Browser Fingerprinting creates an identifier based on a device's unique combination of characteristics
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use Beehiiv
- Audit your own privacy policy — you may inherit Beehiiv vendor relationships without knowing it
- Verify consent flows on Beehiiv-hosted pages match your stated compliance posture
- Request Beehiiv's complete subprocessor list and compare to the 38 vendors detected at runtime
- Implement additional consent controls for your subscribers beyond what Beehiiv provides by default
If You're Evaluating Beehiiv
- Request Beehiiv's subprocessor list and compare against 38 detected vendors before committing
- Verify whether ZoomInfo identity resolution applies to your subscribers' data
- Compare with Substack, ConvertKit, and Ghost on vendor transparency and pre-consent behavior
- Require contractual guarantees on audience data isolation and restrictions on identity resolution
Negotiation Leverage
- 55% pre-consent rate: More than half of Beehiiv's vendors fire before consent — use this to negotiate consent architecture improvements or require server-side consent enforcement for your newsletter
- ZoomInfo integration undisclosed: Identity resolution on beehiiv.com means subscriber data may be enriched and resold — require contractual restrictions on identity resolution for your audience data
- 15 undisclosed vendors: Including fraud detection tools CHEQ, Human Security, and PerimeterX — require complete vendor disclosure and DPA coverage for all detected vendors
- Publisher inheritance risk: Your newsletter subscribers inherit Beehiiv's vendor relationships — use this to negotiate data isolation for your publication audience
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
Evasion infrastructure, auditor bypass
Keystroke/mouse tracking
Identity stitching
Device identification
Long-lived identifiers
IOC Manifest
Indicators of compromise across 5 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
Complete network capture with all requests and responses
163 detection signatures across scripts, domains, cookies, and network endpoints