Clay

Clay aggregates 150+ data sources as a self-admitted $3.1B data broker, while running 44+ third-party vendors on its own site — 15+ of which are advertising and tracking tools absent from its subprocessor disclosure at trust.clay.com.

24 IOCs · 40 detections · 30% pre-consent · 35 sites

Vendor Risk Score: 80

How This Briefing Works

This report opens with key findings, then maps the gaps between what Clay discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

40 detections across 35 sites · 30% pre-consent activity · 1 critical disclosure gap

CRITICAL

Undisclosed Data Recipients

44+ third-party vendors detected on clay.com, including 15+ advertising/tracking vendors completely absent from disclosures

GDPR Article 28 · CCPA 1798.140

HIGH

Pre-Consent Activity

Clay was observed loading and executing before user consent was obtained on 30% of sites where it was detected.

GDPR · ePrivacy

HIGH

Pre-Consent Tracking

28.2% of detected vendor loads occur before consent, including 13 vendors loading pre-consent

GDPR Article 6 · ePrivacy Directive

HIGH

Data Broker Disclosure

Data broker status combined with 150+ enrichment providers creates significant secondary use risk for individuals whose data flows through Clay

California SB362 Data Broker Registry · Vermont Data Broker Act

HIGH

Undisclosed Party

Not in privacy policy

Disclosure Gaps

Claims vs. Observed Behavior

4 gaps · 1 CRIT · 2 HIGH · 1 MED

Classified: BTI-X01 · BTI-X02 · BTI-X05 · BTI-X08 · BTI-X12

Undisclosed Data Recipients

GDPR Article 28 · CCPA 1798.140 · CRITICAL

They Claim

Subprocessor list at trust.clay.com discloses 34 vendors

Observed Behavior

44+ third-party vendors detected on clay.com, including 15+ advertising/tracking vendors completely absent from disclosures

Runtime scan detected Meta Pixel, DoubleClick, Google Ads, LinkedIn, RB2B, Amazon Advertising, Adform, Jivox, Sojern, Peer39, HockeyStack, TrenDemon, Dreamdata, Factors.ai - none appear in subprocessor list

Data Broker Disclosure

California SB362 Data Broker Registry · Vermont Data Broker Act · HIGH

They Claim

Clay is transparent about being a data broker (Section 13 of privacy policy)

Observed Behavior

Data broker status combined with 150+ enrichment providers creates significant secondary use risk for individuals whose data flows through Clay

Privacy policy Section 13: Yes. Clay is a data broker and complies with the state law obligations that apply to data brokers

DNT/GPC Non-Compliance

CCPA GPC requirements · Colorado Privacy Act · MEDIUM

They Claim

Privacy policy Section 10 states no DNT/GPC support

Observed Behavior

Clay explicitly does not honor Do-Not-Track or Global Privacy Control signals

Section 10: we do not currently respond to DNT browser signals or any other mechanism that automatically communicates your choice not to be tracked online

Customer Impact

What This Means For You

YOUR enrichment queries through Clay expose YOUR prospect lists to a platform aggregating data from 150+ sources — every query teaches Clay more about YOUR target accounts and ideal customer profile. YOUR compliance posture is directly affected: as a self-admitted data broker, Clay triggers additional regulatory obligations under CCPA that flow through to YOUR data processing agreements. If YOUR sales team uses Clay for contact enrichment, YOUR organization may be processing personal data without adequate legal basis, since Clay's subprocessor list at trust.clay.com undercounts actual vendors by 10+. YOUR competitive intelligence is at risk — enrichment queries reveal YOUR ICP to a platform serving YOUR competitors.

Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use Clay

  • Audit what data you send to Clay and ensure you have proper consent basis for each enrichment type
  • Review Clay's data broker registration status in all jurisdictions where you operate
  • Negotiate data usage restrictions to prevent your enrichment queries from informing competitor targeting
  • Request Clay's complete subprocessor list and compare against the 34 disclosed at trust.clay.com

If You're Evaluating Clay

  • Understand that Clay is a self-admitted data broker — assess whether your compliance framework accommodates data broker relationships
  • Compare Clay's subprocessor disclosure against runtime vendor detection before signing
  • Request contractual guarantees on query confidentiality and data usage restrictions
  • Evaluate whether server-side enrichment alternatives reduce your regulatory exposure compared to Clay's approach

Negotiation Leverage

  • Data broker disclosure: Clay self-identifies as a data broker — use this to require CCPA data broker registration verification and negotiate enhanced data deletion rights
  • Subprocessor undercount: 44+ vendors detected vs. 34 disclosed at trust.clay.com — leverage this gap to negotiate contractual indemnification for regulatory exposure
  • Competitive intelligence risk: Every enrichment query reveals your ICP to Clay's platform serving competitors — negotiate data usage restrictions and query confidentiality guarantees
  • Advertising vendor exposure: 15+ undisclosed advertising/tracking vendors on clay.com — use this to negotiate restrictions on how your enrichment data feeds advertising systems

Runtime Detections

6 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

  • BTI-C01 Defeat Device: Evasion infrastructure, auditor bypass
  • BTI-C06 Behavioral Biometrics: Keystroke/mouse tracking
  • BTI-C07 Session Recording: Full session replay
  • BTI-C08 Cross-Domain Sync: Identity stitching
  • BTI-C09 Consent Bypass: Ignoring CMP signals
  • BTI-C10 Fingerprinting: Device identification

IOC Manifest

14 INDICATORS

Indicators of compromise across 5 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

TRACK · *rewards.clay.com/rw.js* · Tracking script
TRACK · cdn.claydar.com · Tracking script
TRACK · rewards.clay.com/rw.js · Auto-extracted from scan

Ecosystem

Ecosystem & Supply Chain

Clay operates as a data aggregation layer connecting 150+ data providers to GTM teams. They integrate with CRM systems (Salesforce, HubSpot), enrichment providers (Clearbit, ZoomInfo, Apollo), intent data providers, and AI platforms (OpenAI, Anthropic, Mistral). Clay is loaded indirectly on target sites, typically through GTM or as part of enrichment workflows. On their own site, they deploy Segment for data orchestration, which fans out to advertising platforms. The presence of RB2B suggests Clay uses identity resolution to identify their own visitors, creating a recursive surveillance loop where a data broker surveils potential customers to sell them surveillance tools.

Loads (1)

Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

24 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details