How This Briefing Works
This report opens with key findings, then maps the gaps between what Calendly discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Pre-Consent Activity
Calendly was observed loading and executing before user consent was obtained on 80% of sites where it was detected.
Claims vs. Observed Behavior
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use Calendly
- Implement consent-conditional Calendly widget load to prevent pre-interaction tracking initialization
- Disable Calendly cross-domain sync and require strict first-party cookie deployment
- Audit Calendly tracking pixel firing to verify no beacons execute before a booking attempt
- Review the DPA for behavioral data sharing restrictions and enforce meeting data isolation
- Establish session recording controls to prevent booking flow capture without explicit consent
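The first item above, consent-conditional loading, is the one control that addresses the pre-consent finding directly, so here is a worked version of it. This is an added example, not Calendly's or BLACKOUT's code. It assumes a CMP adapter exposing `getConsent()` and `onChange(fn)` (map these to your CMP's real API), a purpose key named `functional`, the embed script URL from Calendly's public embed snippet (verify against your own snippet), `Calendly.initInlineWidget` from the embed API, and a placeholder scheduling URL and element id. The gate never creates the script tag until consent exists, and creates it at most once no matter how often the CMP re-emits its state.

```javascript
// Consent-conditional loading of the Calendly embed script.
// Added example, not Calendly's or BLACKOUT's code. Embed URL is taken from
// Calendly's public embed snippet (verify against yours); the CMP adapter shape,
// purpose key, scheduling URL and element id are assumptions.

const CALENDLY_WIDGET_SRC = 'https://assets.calendly.com/assets/external/widget.js';
const REQUIRED_PURPOSE = 'functional'; // assumed purpose key in the CMP consent state

// Gate: the script is requested only once the CMP reports consent for
// REQUIRED_PURPOSE, and only once even if the CMP re-emits the same state.
function createConsentGate({ cmp, loadScript, onLoaded }) {
  let requested = false;
  let loaded = false;

  function tryLoad(state) {
    if (requested) return false;
    if (!state || state.purposes?.[REQUIRED_PURPOSE] !== true) return false;
    requested = true;
    loadScript(CALENDLY_WIDGET_SRC, () => {
      loaded = true;
      onLoaded();
    });
    return true;
  }

  tryLoad(cmp.getConsent()); // consent may already be stored from an earlier visit
  cmp.onChange(tryLoad);     // otherwise wait for the banner decision
  return { isRequested: () => requested, isLoaded: () => loaded };
}

// Browser-side loader: only ever invoked after the gate opens.
function domScriptLoader(src, onload) {
  const s = document.createElement('script');
  s.src = src;
  s.async = true;
  s.onload = onload;
  document.head.appendChild(s);
}

// Inline widget init via the embed API (assumed unchanged); URL is a placeholder.
function initInlineWidget(parentElement, schedulingUrl) {
  window.Calendly.initInlineWidget({ url: schedulingUrl, parentElement });
}

// Minimal stand-in for a CMP, constructed for this example: holds a consent
// state and notifies listeners when the visitor changes it.
function fakeCmp(initialState) {
  let state = initialState;
  const listeners = [];
  return {
    getConsent: () => state,
    onChange: (fn) => listeners.push(fn),
    set(nextState) {
      state = nextState;
      listeners.forEach((fn) => fn(state));
    },
  };
}

// Offline demo: consent absent at page load, granted later, then re-emitted.
// Returns the list of script URLs the loader was asked for (expected: exactly one).
function demo() {
  const requestedScripts = [];
  const cmp = fakeCmp({ purposes: { [REQUIRED_PURPOSE]: false } });
  createConsentGate({
    cmp,
    loadScript: (src, onload) => { requestedScripts.push(src); onload(); },
    onLoaded: () => {},
  });
  cmp.set({ purposes: { [REQUIRED_PURPOSE]: true } }); // visitor accepts the banner
  cmp.set({ purposes: { [REQUIRED_PURPOSE]: true } }); // CMP re-emits: must not load twice
  return requestedScripts;
}

if (typeof window !== 'undefined' && typeof window.myCmpAdapter === 'object') {
  // Wiring in a real page; window.myCmpAdapter is an assumed adapter name.
  createConsentGate({
    cmp: window.myCmpAdapter,
    loadScript: domScriptLoader,
    onLoaded: () =>
      initInlineWidget(document.getElementById('calendly-inline'), 'https://calendly.com/your-team/intro'),
  });
}
```

The important property is that nothing from the vendor touches the page before the gate opens: no script tag, no `initInlineWidget`, no placeholder iframe. If your CMP supports withdrawal, add a second listener that removes the widget container on revocation; the gate above only handles the opt-in direction.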
If You're Evaluating Calendly
- Request Calendly deployment without cross-domain visitor ID synchronization
- Require contractual prohibition on meeting intent data sharing with demand generation networks
- Verify the Calendly widget does not initialize tracking libraries before user interaction with the scheduling interface
- Assess alternative scheduling vendors (self-hosted Cal.com, Calendly competitors with privacy modes) for comparison
- Demand pricing concessions reflecting restricted deployment without cross-property tracking
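The "verify no tracking before interaction" item above and the "audit pixel firing before a booking attempt" item in the previous list are the same check run against a network capture: split the vendor's requests at the consent timestamp and at the first user interaction with the widget, and flag anything earlier. The following audit is an added example, not part of this report or of BLACKOUT's tooling. The request log, host names, paths and timestamps are constructed placeholders; replace `VENDOR_HOST_SUFFIXES` and `PAGE_HOST` with the hosts from your own capture, and in a browser feed it Resource Timing entries via `collectResourceTimings()`.

```javascript
// Audit of a vendor widget's network activity against consent and first
// user interaction. Added example, not Calendly's or BLACKOUT's code.
// Hosts, paths and timestamps in SAMPLE_REQUESTS are constructed placeholders.

const PAGE_HOST = 'www.example.com';                 // assumed: your first-party host
const VENDOR_HOST_SUFFIXES = ['vendor.example'];     // assumed: the scheduling vendor's hosts

function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch { return ''; }
}

function underSuffix(host, suffixes) {
  return suffixes.some((s) => host === s || host.endsWith('.' + s));
}

// True when the request fired before the mark, or when the mark never happened
// (consent never given, widget never touched): both count as "before".
function before(ts, mark) {
  return mark == null || ts < mark;
}

// requests: [{ ts, url }] with ts in ms since navigation start.
// consentAt: when the CMP recorded an opt-in, or null.
// interactionAt: first pointer/keyboard event inside the widget, or null.
function auditWidgetRequests(requests, { consentAt, interactionAt }) {
  const vendor = requests.filter((r) => underSuffix(hostOf(r.url), VENDOR_HOST_SUFFIXES));
  const preConsent = vendor.filter((r) => before(r.ts, consentAt));
  const preInteraction = vendor.filter((r) => before(r.ts, interactionAt));
  // Neither our origin nor the vendor: a further third party pulled in by the embed.
  const otherThirdParty = requests.filter((r) => {
    const h = hostOf(r.url);
    return h !== '' && !underSuffix(h, [PAGE_HOST]) && !underSuffix(h, VENDOR_HOST_SUFFIXES);
  });
  return {
    vendorRequestCount: vendor.length,
    preConsent,
    preInteraction,
    otherThirdParty,
    passesConsentGate: preConsent.length === 0,
    passesInteractionGate: preInteraction.length === 0,
  };
}

// Browser-side collector for real data (Resource Timing API); defined only, not called here.
function collectResourceTimings() {
  return performance.getEntriesByType('resource').map((e) => ({ ts: e.startTime, url: e.name }));
}

// Constructed capture: banner accepted at 1000 ms, first click in the widget at 5900 ms.
const SAMPLE_REQUESTS = [
  { ts: 120,  url: 'https://www.example.com/pricing' },
  { ts: 840,  url: 'https://assets.vendor.example/widget.js' },
  { ts: 1310, url: 'https://api.vendor.example/embed/config?host=www.example.com' },
  { ts: 1420, url: 'https://api.vendor.example/collect?ref=%2Fpricing' },
  { ts: 1500, url: 'https://pixel.tracker.example/sync?vid=abc123' },
  { ts: 6100, url: 'https://api.vendor.example/embed/availability' },
];
const SAMPLE_MARKS = { consentAt: 1000, interactionAt: 5900 };

function runSampleAudit() {
  return auditWidgetRequests(SAMPLE_REQUESTS, SAMPLE_MARKS);
}

function summarize(result) {
  return [
    `vendor requests: ${result.vendorRequestCount}`,
    `pre-consent: ${result.preConsent.map((r) => r.url).join(', ') || 'none'}`,
    `pre-interaction: ${result.preInteraction.map((r) => r.url).join(', ') || 'none'}`,
    `other third parties: ${result.otherThirdParty.map((r) => hostOf(r.url)).join(', ') || 'none'}`,
    `passes consent gate: ${result.passesConsentGate}, passes interaction gate: ${result.passesInteractionGate}`,
  ].join('\n');
}

console.log(summarize(runSampleAudit()));
```

On the constructed capture, the widget script itself is fetched before consent, three vendor requests fire before anyone touches the widget, and one non-vendor host is contacted, which is the pattern the detections section below describes. Record `consentAt` from your CMP's event and `interactionAt` from the first `pointerdown` or `keydown` inside the widget container, and keep the raw capture alongside the verdict so a finding can be reproduced.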
Negotiation Leverage
- VRS 80 classification with 100% CAC subsidization justifies a 40% discount if cross-domain sync is permanently disabled
- 100% legal tail risk demands indemnification for session recording consent failures and biometric data processing violations
- Require a contractual guarantee that Calendly visitor IDs remain property-specific and do not feed cross-customer intelligence
- Request monthly attestation that booking intent data does not feed external demand networks or Calendly network targeting
- Negotiate data retention limits (30 days maximum) and the right to audit Calendly cross-property visitor graphs for your booking widgets
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
Evasion infrastructure, auditor bypass
Impact: Calendly tracking pixels fire before widget interaction, capturing page context and referral data even for visitors who never attempted booking.
Keystroke/mouse tracking
Impact: Mouse movements and scroll patterns captured during booking flow to build engagement scoring and hesitation detection models.
Full session replay
Impact: DOM capture of booking widget interactions including time slot selections, form field entries, and abandoned booking attempts.
Identity stitching
Impact: Calendly visitor IDs synchronized across all customer properties using the platform, enabling cross-site booking behavior correlation.
Ignoring CMP signals
Impact: Calendly widget loads tracking infrastructure before user interaction, bypassing consent controls through pre-consent initialization.
Device identification
Impact: Browser fingerprinting used to reconnect visitors across booking widget deployments and associate abandoned bookings with later conversions.
IOC Manifest
Indicators of compromise across 5 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
- Complete network capture with all requests and responses
- 98 detection signatures across scripts, domains, cookies, and network endpoints