How This Briefing Works
This dossier opens with key findings, then maps the gap between what Blackwoodseven discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection evidence underneath. BLACKOUT observes runtime browser behavior and cites the regulations that address each pattern — legal determinations are your counsel's call.
At a Glance
across 1 sites
vendor fires before consent
2 HIGH
Briefing
Blackwood Seven (acquired by Kantar in 2022) provides AI-powered marketing mix modeling via its HamiltonAI platform, helping brands optimize media spend. Despite positioning as a sophisticated analytics provider and claiming GDPR/CCPA compliance, the vendor's own website deploys 37 third-party tracking vendors with 8 firing pre-consent (4.3% rate), including undisclosed parties like Bytemine, Leadfeeder, Scoreplex, and Scrapemagic. The cookie policy significantly undercounts actual tracking by approximately 4x, creating a material gap between stated and actual data practices.
What This Means For You
YOUR marketing attribution data processed through Blackwood Seven's HamiltonAI platform flows through a vendor ecosystem 4x larger than disclosed. YOUR budget optimization recommendations may be influenced by undisclosed data flows to vendors like Leadfeeder, which fires pre-consent and identifies YOUR corporate visitors. As a Kantar subsidiary owned by Bain Capital, YOUR data is processed within a conglomerate with extensive data aggregation capabilities — YOUR marketing performance data could inform Kantar's broader intelligence products. Under GDPR, YOUR records of processing must account for Blackwood Seven's actual 37-vendor chain, not their disclosed 9.
Risk Channel Breakdown
As a marketing attribution vendor, Blackwood Seven's core business is measuring and optimizing marketing ROI. The irony of deploying 37+ trackers on their own site while selling measurement solutions creates measurement pollution. Their HamiltonAI platform promises clean attribution but their website behavior suggests tolerance for chaotic tracking ecosystems.
Leadfeeder (B2B visitor identification) fires pre-consent, potentially exposing corporate visitor data to competitors or third parties. The presence of multiple audience and intent data vendors (Firmable, HG Insights, Versium) suggests demand signal leakage from their own prospect pipeline.
Attack surface includes 37 third-party scripts from diverse vendors including Scrapemagic (web scraping), Scoreplex, and multiple ad networks. As a Kantar subsidiary handling marketing data for enterprise clients, this exposure creates risk propagation to the parent organization.
Material consent divergence: cookie policy lists ~9 vendors but 37 detected. 8 vendors fire pre-consent including HubSpot and YouTube. GDPR/CCPA compliance claims are contradicted by runtime behavior. Cookie retention periods up to 10 years (visitor_id cookies) may exceed reasonable expectations.
Threat Indicators
Runtime-observed (BTI-C)
Evasion infrastructure, auditor bypass
Keystroke/mouse tracking
Full session replay
Ignoring CMP signals
Device identification
Claims-vs-Reality (BTI-X)
Not in privacy policy
Hidden data recipients
False certification claims
CMP vendor list vs runtime
Per-code narrative explanations of what each detected behavior means for your organization
Per-code evidence with full attribution chain, severity rankings, and consequence narratives See pricing →
Claims vs. Reality
BLACKOUT analyzed Blackwoodseven's public claims against observed runtime behavior and identified 3 contradictions.
"GDPR/CCPA compliant with cookie consent mechanism"
8 vendors fire pre-consent including Bytemine, Leadfeeder, Scoreplex, HubSpot, YouTube
2 more gaps — with regulatory citations and evidence pointers — available with subscription.
Full claim-vs-reality gap analysis with claim text, observed behavior, severity, regulatory citations (GDPR, CCPA, ePrivacy), and evidence pointers per gap See pricing →
What To Do
4 for current users · 4 for evaluators
contractual leverage points
Role-specific actions (security / legal / marketing / procurement), full negotiation brief with contractual language, and BTI-code-specific consequences See pricing →
Supply Chain & Pairings
Claims 9, observed 9
Full supply-chain mapping (loads / loaded-by lists with vendor identities) and the undisclosed-subprocessor list with observation evidence See pricing →