How This Briefing Works
This report opens with key findings, then maps the gaps between what CallRail discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Analysis pending. Findings will appear here once intelligence collection is complete.
Disclosure Gaps
Claims vs. Observed Behavior
2 gaps
pending
UNKNOWN
They Claim
“Awaiting scanner verification”
Observed Behavior
Analysis based on public documentation, CallRail help center articles, and integration specifications
pending
UNKNOWN
They Claim
“DNI cookie scope and duration unverified”
Observed Behavior
Runtime behavior of the DNI JavaScript, actual cookie attributes, and third-party network requests have not been independently observed
Customer Impact
What This Means For You
Organizations using CallRail face revenue risk from two primary vectors. First, the JavaScript DNI system operates as a visitor tracking mechanism that may require consent under privacy regulations. If CallRail's strictly necessary cookie classification is challenged by regulators, retroactive compliance obligations could arise. Second, call recording consent is governed by a patchwork of state and international laws. Businesses operating across multiple jurisdictions must ensure proper consent mechanisms are in place for every recorded call—failure creates exposure under wiretapping statutes that carry per-violation penalties. The integration ecosystem also means call data (including recordings and transcriptions) may flow to multiple third-party platforms, expanding the data governance surface and creating potential for unauthorized data access or breach notification obligations across multiple systems.
Recommended Actions
What To Do About It
Role-specific actions based on observed behavior
Recommended Actions for CallRail
- →Audit the CallRail JavaScript snippet to understand exactly what data is collected on page load and what cookies are set, including duration and scope.
- →Review call recording consent configuration—ensure proper disclosure plays before recording begins in all jurisdictions where calls originate.
- →Map the full data flow from CallRail to all connected integrations (Google Ads, Meta, CRM) to understand where call data and visitor tracking data propagates.
- →Evaluate whether CallRail's strictly necessary cookie classification aligns with your organization's privacy posture and applicable regulations.
- →Assess AI transcription features for sensitive data exposure—determine whether call recordings containing PII, financial, or health information are being processed and stored by CallRail's conversation intelligence system.
Negotiation Leverage
- →CallRail's value proposition depends on attribution accuracy, which requires the JavaScript snippet and cookie persistence. Leverage points include: requesting a complete data processing inventory that specifies exactly what visitor data is collected, where it is stored, how long it is retained, and which third parties receive it. Ask whether CallRail's AI transcription models are trained on customer call data. Negotiate contractual protections around call recording data—specify retention limits, deletion rights, and restrictions on CallRail's use of recordings beyond the stated service. Request documentation of their strictly necessary cookie legal basis, including any regulatory opinions or certifications supporting this classification. For organizations in regulated industries (healthcare, financial services), require written confirmation of HIPAA BAA availability or equivalent compliance frameworks for call recording data.
IOC Manifest
IOC Manifest
24 INDICATORS
Indicators of compromise across 3 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
TRACK
*cdn.callrail.com/companies/*/*/12/swap.js*
Tracking script
TRACK
*js.callrail.com/companies/*/external_forms.js*
Tracking script
TRACK
*js.callrail.com/companies/*/custom_forms.js*
Tracking script
TRACK
*js.callrail.com/group/0/*/12/swap_session.json*
Tracking script
TRACK
*partners.callrail.com/pr/js*
Tracking script
TRACK
*js.callrail.com/group/0/*/12/icap.js*
Tracking script
TRACK
cdn.callrail.com/companies/297407543/f6b60be971df89061219/12/swap.js
Auto-extracted from scan
TRACK
partners.callrail.com/pr/js
Auto-extracted from scan
TRACK
js.callrail.com/companies/297407543/custom_forms.js
Auto-extracted from scan
TRACK
js.callrail.com/companies/297407543/external_forms.js
Auto-extracted from scan
TRACK
js.callrail.com/group/0/f6b60be971df89061219/12/icap.js
Auto-extracted from scan
Ecosystem
Ecosystem & Supply Chain
CallRail maintains an extensive integration ecosystem focused on advertising attribution and CRM enrichment. Direct ad platform integrations include Google Ads (bidirectional conversion data), Meta Ads Manager (call/text/form attribution), Microsoft Advertising, and Google Analytics 4. CRM integrations include Salesforce, HubSpot, and Pipedrive. The platform also connects to marketing automation tools, reporting platforms (Google Data Studio, AgencyAnalytics), and communication tools (Slack). CallRail supports Google Tag Manager deployment, Zapier for custom workflows, and a REST API for programmatic access. The bidirectional Google Ads integration is particularly significant—CallRail sends conversion data back to Google for automated bidding optimization, meaning Google receives call outcome data tied to click identifiers.
Evidence
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
HAR Capture
Complete network capture with all requests and responses
IOC Manifest
24 detection signatures across scripts, domains, cookies, and network endpoints