How This Briefing Works
This report opens with key findings, then maps the gaps between what CallTrackingMetrics discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Analysis pending. Findings will appear here once intelligence collection is complete.
Disclosure Gaps
Claims vs. Observed Behavior
2 gaps
pending
UNKNOWN
They Claim
“Awaiting scanner verification”
Observed Behavior
Analysis based on public documentation, CTM privacy policy, cookie policy, help center articles, and integration specifications
pending
UNKNOWN
They Claim
“DNT non-compliance scope unverified”
Observed Behavior
CTM states they do not honor DNT signals but the full scope of tracking behavior when DNT is set has not been independently observed
Customer Impact
What This Means For You
Organizations deploying CallTrackingMetrics face a multi-layered compliance challenge. The JavaScript tracking code creates standard web tracking obligations, but CTM's explicit refusal to honor Do Not Track signals may conflict with organizational privacy commitments or regulatory expectations. Call recording introduces wiretapping consent requirements that vary by U.S. state (11 states require all-party consent) and by country, with violations carrying statutory damages and potential criminal penalties. The opt-in nature of PII redaction means organizations must proactively configure the feature—otherwise, call recordings containing credit card numbers, social security numbers, and other sensitive spoken data accumulate in CTM's systems and potentially flow to integrated platforms. The Enhanced Conversions integration with Google Ads sends additional customer data to Google beyond standard conversion events, expanding the data sharing footprint in ways that may not be reflected in customer-facing privacy policies.
Recommended Actions
What To Do About It
Role-specific actions based on observed behavior
Recommended Actions for CallTrackingMetrics
- →Audit the CTM JavaScript tracking code to understand the full scope of data collection—IP addresses, cookies, device fingerprinting—and verify behavior when Do Not Track is enabled in visitor browsers.
- →Enable PII redaction for call transcriptions immediately if not already active—verify that credit card numbers, SSNs, and phone numbers spoken during calls are being automatically detected and removed from recordings and transcriptions.
- →Review call recording consent configuration across all jurisdictions where calls originate—ensure legally compliant disclosure is provided to callers before recording begins.
- →Evaluate the Google Ads Enhanced Conversions integration to understand exactly what customer data elements are being sent to Google beyond standard conversion events.
- →Map all active CTM integrations (CRM, ad platforms, Zapier workflows, API consumers) to create a complete data flow inventory of where call recordings, transcriptions, and visitor tracking data propagate.
Negotiation Leverage
- →CTM's explicit DNT non-compliance and opt-in PII redaction provide concrete leverage points for contractual negotiation. Key demands: require contractual commitment on data retention limits for call recordings and transcriptions, with guaranteed deletion schedules. Request a complete list of data elements sent to Google via the Enhanced Conversions integration and negotiate the ability to opt out of enhanced data sharing while retaining standard conversion tracking. Demand that PII redaction be enabled by default for your account, not as an opt-in feature. Ask CTM to document their position on DNT non-compliance in writing and confirm it does not conflict with your organization's published privacy commitments. For the developer API, negotiate rate limiting and access controls to prevent unauthorized bulk extraction of call data. Request audit rights to verify that PII redaction is functioning correctly and that deleted recordings are actually purged from all systems including backups and integrated platforms.
IOC Manifest
IOC Manifest
93 INDICATORS
Indicators of compromise across 3 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
TRACK
*www.calltrackingmetrics.com/wp-includes/js/jquery/jquery-migrate.js*
Tracking script
TRACK
*www.calltrackingmetrics.com/wp-content/themes/ctm-*/js/scrollmagic/ScrollMagic.js*
Tracking script
TRACK
*www.calltrackingmetrics.com/wp-content/themes/ctm-*/js/scripts.js*
Tracking script
TRACK
*www.calltrackingmetrics.com/wp-content/themes/ctm-*/js/fancybox/jquery.fancybox.js*
Tracking script
TRACK
*www.calltrackingmetrics.com/wp-includes/js/jquery/jquery.js*
Tracking script
TRACK
*www.calltrackingmetrics.com/wp-content/themes/ctm-*/js/scrollmagic/plugins/animation.gsap.js*
Tracking script
TRACK
*www.calltrackingmetrics.com/wp-content/themes/ctm-*/js/aos.js*
Tracking script
TRACK
*www.calltrackingmetrics.com/wp-content/themes/ctm-*/js/slick/slick.js*
Tracking script
TRACK
*www.calltrackingmetrics.com/wp-content/themes/ctm-*/bootstrap/js/bootstrap.js*
Tracking script
TRACK
*www.calltrackingmetrics.com/wp-content/plugins/attachment-download-on-gravity-form-submission/frontend/js/wot-public-scripts.js*
Tracking script
TRACK
*www.calltrackingmetrics.com/wp-includes/js/wp-emoji-release.js*
Tracking script
TRACK
www.calltrackingmetrics.com/wp-includes/js/jquery/jquery.min.js
Auto-extracted from scan
TRACK
www.calltrackingmetrics.com/wp-includes/js/jquery/jquery-migrate.min.js
Auto-extracted from scan
TRACK
www.calltrackingmetrics.com/wp-content/themes/ctm-2025/js/aos.js
Auto-extracted from scan
TRACK
www.calltrackingmetrics.com/wp-content/themes/ctm-2025/bootstrap/js/bootstrap.min.js
Auto-extracted from scan
TRACK
www.calltrackingmetrics.com/wp-content/themes/ctm-2025/js/fancybox/jquery.fancybox.min.js
Auto-extracted from scan
TRACK
www.calltrackingmetrics.com/wp-content/themes/ctm-2025/js/slick/slick.min.js
Auto-extracted from scan
TRACK
www.calltrackingmetrics.com/wp-content/themes/ctm-2025/js/scrollmagic/ScrollMagic.min.js
Auto-extracted from scan
TRACK
www.calltrackingmetrics.com/wp-content/themes/ctm-2025/js/scrollmagic/plugins/animation.gsap.min.js
Auto-extracted from scan
TRACK
www.calltrackingmetrics.com/wp-content/themes/ctm-2025/js/scripts.js
Auto-extracted from scan
TRACK
www.calltrackingmetrics.com/wp-content/plugins/attachment-download-on-gravity-form-submission/frontend/js/wot-public-scripts.js
Auto-extracted from scan
TRACK
www.calltrackingmetrics.com/wp-includes/js/wp-emoji-release.min.js
Auto-extracted from scan
Ecosystem
Ecosystem & Supply Chain
CallTrackingMetrics maintains a broad integration ecosystem with over 40 direct integrations. The Google Ads integration is notably deep—CTM was a Google partner in developing bidirectional API connectivity, supporting click-to-call tracking, offline conversion import, and Enhanced Conversions for leads. Additional advertising integrations include Google Analytics, Microsoft Advertising, and Facebook. CRM integrations include Salesforce and HubSpot with direct connectors. The platform supports Google Tag Manager deployment for the tracking JavaScript, Zapier for connecting to hundreds of additional applications, and a full developer API for custom integrations. CTM also integrates with contact center tools for call routing, IVR, and workforce management. The Enhanced Conversions integration is particularly notable—it sends additional first-party customer data (beyond just conversion events) to Google Ads to improve match rates, meaning more customer information flows into Google's advertising infrastructure than with standard conversion tracking.
Evidence
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
HAR Capture
Complete network capture with all requests and responses
IOC Manifest
93 detection signatures across scripts, domains, cookies, and network endpoints