
Clearbit

Claims GDPR and CCPA compliance while explicitly selling personal information and firing 11 third-party trackers before consent is obtained. Privacy policy states they do not honor GPC or Do Not Track signals.

143 IOCs · 69 detections · 65% pre-consent · 40 sites
Vendor Risk Score: 90

How This Briefing Works

This report opens with key findings, then maps the gaps between what Clearbit discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings


69 detections across 40 sites · 65% pre-consent activity · 2 critical disclosure gaps
CRITICAL

Data Sale

Explicitly sells personal information per privacy policy

CCPA · CPRA
CRITICAL

Consent

64.7% pre-consent tracking rate, 11 vendors fire before consent on own site

GDPR Art 6 · GDPR Art 7 · ePrivacy Directive
CRITICAL

Pre-Consent Activity

Clearbit was observed loading and executing before user consent was obtained on 65% of sites where it was detected.

GDPR · ePrivacy
HIGH

Subprocessor Disclosure

16+ additional vendors detected on clearbit.com

GDPR Art 28
HIGH

Signal Honoring

GPC/DNT explicitly not honored

CCPA · Colorado Privacy Act
Disclosure Gaps

Claims vs. Observed Behavior

5 gaps
2 CRIT · 2 HIGH · 1 MED
Classified: BTI-X01 · BTI-X02 · BTI-X05 · BTI-X07 · BTI-X08 · BTI-X09

Data Sale

CCPA · CPRA
CRITICAL
They Claim

CCPA compliant

Observed Behavior

Explicitly sells personal information per privacy policy

Privacy policy states: Clearbit may sell your personal information

Subprocessor Disclosure

GDPR Art 28
HIGH
They Claim

11 subprocessors listed

Observed Behavior

16+ additional vendors detected on clearbit.com

Subprocessor page lists AWS, GCP, Zendesk etc. but not Meta, Google Ads, LinkedIn, RB2B

Signal Honoring

CCPA · Colorado Privacy Act
HIGH
They Claim

CCPA opt-out available

Observed Behavior

GPC/DNT explicitly not honored

Privacy policy: We do not currently recognize or respond to browser-initiated Do Not Track signals

Identity Resolution

GDPR Art 5
MEDIUM
They Claim

De-identify information collected

Observed Behavior

Core product is identity resolution (Reveal) that re-identifies anonymous visitors

Product page describes revealing anonymous website traffic as companies

Customer Impact

What This Means For You

If Clearbit is deployed on your site, you are exposed to GDPR Art 6 violations (64.7% pre-consent tracking), GDPR Art 28 violations (16+ undisclosed subprocessors), and CCPA §1798.100 violations (data sale without opt-out). Under these regulations, you as the site operator bear liability for third-party data processing on your property. Clearbit's SOC2 Type II certification applies to their internal infrastructure and does not transfer compliance coverage to your deployment of their client-side JavaScript. GDPR fines for pre-consent tracking start at 4% of global revenue.
Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use Clearbit

  • Audit your consent implementation — their 64.7% pre-consent rate suggests consent may fire after tracking begins
  • Update your privacy policy to disclose Clearbit as a data processor AND their undisclosed subprocessors
  • Document lawful basis for identity resolution (legitimate interest alone likely insufficient under GDPR)
  • Implement server-side enrichment only to avoid client-side data leakage to ad networks
  • Request their full subprocessor list including ad tech vendors visible in runtime

If You're Evaluating Clearbit

  • Request proof that SOC2/GDPR compliance covers their advertising pixel usage
  • Ask how GPC non-compliance aligns with their CCPA certification
  • Clarify data flows between Clearbit and HubSpot (shared infrastructure = shared risk)
  • Evaluate alternatives that do not explicitly sell personal information
  • Consider server-side only integration to minimize third-party script exposure

Negotiation Leverage

  • Liability indemnification: Vendor assumes full liability for the 64.7% pre-consent tracking rate observed across deployments, including GDPR fines (4% global revenue) and class action settlements
  • Subprocessor disclosure requirement: Vendor must provide complete list of ALL third-party data recipients within 10 days. Current gap of 16+ undisclosed vendors (Meta, Google Ads, LinkedIn, RB2B, etc.) must be documented and approved
  • Pre-consent SLA: Vendor guarantees 0% pre-consent activity with liquidated damages of $25,000 per violation detected by independent audit. Current 64.7% rate is material breach
  • Right to independent verification: Customer may engage third-party auditor to verify consent compliance and subprocessor disclosure on live deployment without prior notice
  • Data sale opt-out: Given privacy policy explicitly states Clearbit may sell your personal information, require amendment prohibiting sale of data originating from customer deployment, or provide CCPA-compliant opt-out mechanism that honors GPC signals
Runtime Detections


10 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C01 Defeat Device

Evasion infrastructure, auditor bypass

BTI-C02 Credential Interception

Form data interception

BTI-C06 Behavioral Biometrics

Keystroke/mouse tracking

BTI-C07 Session Recording

Full session replay

BTI-C08 Cross-Domain Sync

Identity stitching

BTI-C09 Consent Bypass

Ignoring CMP signals

BTI-C10 Fingerprinting

Device identification

BTI-C13 Persistence Mechanisms

Long-lived identifiers

BTI-C14 Identity Resolution

PII deanonymization

BTI-C15 Tag Manager

Container/loader (neutral)

IOC Manifest


132 INDICATORS

Indicators of compromise across 6 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

Ecosystem

Ecosystem & Supply Chain

Clearbit occupies a central position in the B2B data ecosystem as both a data provider and data aggregator. As a HubSpot subsidiary, they feed enrichment data into one of the largest CRM/marketing platforms. Their supply chain includes: UPSTREAM - data vendors, data co-ops, web scraping infrastructure; DOWNSTREAM - HubSpot CRM users, Salesforce integrations, Segment CDP customers. When detected on a site, Clearbit is typically loaded via: (1) direct script tag, (2) Segment CDP, (3) HubSpot tracking code. Their presence indicates the site is using visitor identification/enrichment. On their own site, Clearbit loads Segment, HubSpot, and notably RB2B - suggesting they use competitor/complementary identity resolution tools.
Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

143 detection signatures across scripts, domains, cookies, and network endpoints

HAR Forensics


Email Hash Exfiltration (4)
Destination · Algorithm
Vendor Details