How This Briefing Works
This report opens with key findings, then maps the gaps between what ChiliPiper discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Pre-Consent Activity
ChiliPiper was observed loading and executing before user consent was obtained on 33% of sites where it was detected.
Claims vs. Observed Behavior
| Area | Vendor claim | Observed behavior |
| --- | --- | --- |
| Consent | “Pending claims extraction via CDT” | Cross-domain sync, tag manager, behavioral tracking, and consent bypass detected |
| Disclosure | “Pending privacy policy review” | Cross-domain tracking during scheduling observed without disclosure verification |
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use ChiliPiper
- Implement consent-gating before ChiliPiper tracking activates on scheduling forms
- Configure cross-domain synchronization to require explicit opt-in before linking marketing and CRM data
- Deploy tag manager allowlisting to prevent unauthorized script injection via ChiliPiper
- Enable data minimization controls to limit scheduling data retention to completed meeting cycles only
- Conduct quarterly audits of cross-domain tracking and tag manager behavior
- Disable behavioral biometrics features in ChiliPiper settings if available
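The first and third actions above (consent-gating and script allowlisting) can be combined in one small loader. The following is an added example, not code from ChiliPiper or from the BLACKOUT report: it holds a third-party scheduling script back until the CMP reports the required consent categories, queues widget calls made in the meantime, and refuses any script host outside an allowlist. The CMP callback shape, the consent category names, and the vendor hostname are assumptions.

```javascript
// Constructed allowlist of script hosts the page is willing to inject.
// In production this mirrors the script-src entries of your CSP.
const ALLOWED_SCRIPT_HOSTS = new Set(['js.example-scheduler.invalid']);

// Returns true only for https URLs whose host is on the allowlist.
function hostAllowed(src, allowlist = ALLOWED_SCRIPT_HOSTS) {
  try {
    const url = new URL(src);
    return url.protocol === 'https:' && allowlist.has(url.host);
  } catch {
    return false; // relative or unparsable URLs are rejected outright
  }
}

// Builds a gate around one vendor script. `inject` is the function that
// actually adds the <script> tag (kept injectable so the gate is testable).
function createConsentGate({ src, required = ['functional', 'marketing'], inject }) {
  const state = { loaded: false, queue: [], rejected: null };

  // Assumed CMP shape: an object mapping category name -> boolean.
  function consentSatisfied(consent) {
    return Boolean(consent) && required.every((c) => consent[c] === true);
  }

  // Wire this to the CMP's consent-changed event. Loads at most once and
  // only when every required category is granted. Returns true on load.
  function onConsentChanged(consent) {
    if (state.loaded || !consentSatisfied(consent)) return false;
    if (!hostAllowed(src)) {
      state.rejected = src; // allowlist failure: never inject, record for audit
      return false;
    }
    inject(src); // real page: document.head.appendChild(<script async src=src>)
    state.loaded = true;
    state.queue.splice(0).forEach((fn) => fn()); // flush deferred widget calls
    return true;
  }

  // Defers a call (e.g. opening the booking widget) until the script may run.
  function whenAllowed(fn) {
    if (state.loaded) fn();
    else state.queue.push(fn);
  }

  return {
    onConsentChanged,
    whenAllowed,
    isLoaded: () => state.loaded,
    pending: () => state.queue.length,
    rejectedSrc: () => state.rejected,
  };
}
```

Until `onConsentChanged` fires with the required categories granted, nothing from the vendor reaches the page, which is the condition the 33% pre-consent figure above measures.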
If You're Evaluating ChiliPiper
- Request a DPA with explicit limitations on cross-domain tracking and CRM data synchronization
- Verify ChiliPiper honors consent signals before initiating cross-domain user matching
- Demand contractual prohibition on using customer scheduling patterns for ChiliPiper's own benchmarking products
- Assess alternative scheduling platforms with privacy-preserving architecture
- Require technical documentation on tag manager script injection and cross-domain sync methodology
- Negotiate liability protection for GDPR fines arising from unconsented cross-domain tracking
Negotiation Leverage
- ChiliPiper cross-domain sync (BTI-C08) enables tracking from marketing through booking: require explicit opt-in before cross-platform linking
- Tag manager (BTI-C15) enables undisclosed script injection: require contractual restrictions on dynamic tag loading
- Consent bypass (BTI-C09) during scheduling creates regulatory exposure: demand technical implementation of consent verification before tracking
- Behavioral biometrics (BTI-C06) profiles scheduling urgency: negotiate contractual prohibition on using customer booking patterns for cross-customer insights
- Request documentation on data retention periods and third-party data sharing via tag manager integrations
- Negotiate maximum 90-day retention for scheduling behavioral data with automated deletion for incomplete booking cycles
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
Keystroke/mouse tracking
Impact: Captures form interaction patterns, time-to-booking metrics, and scheduling preferences to profile buyer urgency and deal priority.
Identity stitching
Impact: Synchronizes scheduling data across marketing sites, landing pages, and CRM systems, enabling cross-platform tracking of buyer journey from awareness to meeting booking.
Ignoring CMP signals
Impact: Initializes tracking infrastructure before consent collection during scheduling workflows, creating automatic legal violations.
Container/loader (neutral)
Impact: Deploys tag management infrastructure that can dynamically inject analytics and conversion tracking beyond declared scheduling functionality.
IOC Manifest
Indicators of compromise across 5 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
Complete network capture with all requests and responses
43 detection signatures across scripts, domains, cookies, and network endpoints