How This Briefing Works
This dossier opens with key findings, then maps the gap between what Clearbit discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection evidence underneath. BLACKOUT observes runtime browser behavior and cites the regulations that address each pattern — legal determinations are your counsel's call.
At a Glance
across 48 sites
vendor fires before consent
2 CRIT · 2 HIGH
Briefing
Clearbit (now HubSpot-owned) is a B2B data enrichment and identity resolution provider detected on 39 sites with a 64.7% pre-consent tracking rate. Despite claiming SOC2, GDPR, and CCPA compliance, their own website loads 11 third-party vendors before consent including advertising pixels (Meta, Google, LinkedIn) and identity resolution tools (RB2B, Mutiny). Their privacy policy explicitly states they sell personal information and do not honor GPC/DNT signals, creating material contradictions with compliance certifications. The gap between disclosed subprocessors and observed vendors represents significant undisclosed data sharing.
What This Means For You
If Clearbit is deployed on your site, you are exposed to GDPR Art 6 violations (64.7% pre-consent tracking), GDPR Art 28 violations (16+ undisclosed subprocessors), and CCPA §1798.100 violations (data sale without opt-out). Under these regulations, you as the site operator bear liability for third-party data processing on your property. Clearbit's SOC2 Type II certification applies to their internal infrastructure and does not transfer compliance coverage to your deployment of their client-side JavaScript. GDPR fines for pre-consent tracking start at 4% of global revenue.
Risk Channel Breakdown
Clearbit corrupts measurement by enabling cross-site identity resolution. Their Reveal product deanonymizes website visitors, meaning site owners lose control over who knows their traffic patterns. When Clearbit enriches a lead, that same data may be sold to competitors through their data broker relationships, poisoning the accuracy of first-party attribution.
As an explicit data seller, Clearbit represents direct demand signal leakage. When a company uses Clearbit enrichment, their prospect list composition becomes visible to Clearbit and potentially their customers. The 16+ undisclosed advertising vendors on clearbit.com (Meta, Google, LinkedIn, Twitter pixels) mean visitor intent signals are shared with ad networks.
Clearbit creates attack surface through extensive third-party JavaScript loading. With 11 vendors firing pre-consent and identity resolution capabilities, any compromise of Clearbit or their vendors exposes client visitor data. The presence of RB2B (another identity vendor) on Clearbit own site suggests layered deanonymization creating amplified exposure.
Six BTI-X codes triggered (X01, X02, X05, X07, X08, X09) represent material consent and compliance liability. The explicit statement that GPC is not honored contradicts CCPA compliance claims. SOC2/GDPR certifications are undermined by 64.7% pre-consent tracking. Companies using Clearbit inherit this compliance gap through their subprocessor relationship.
Threat Indicators
Runtime-observed (BTI-C)
Evasion infrastructure, auditor bypass
Form data interception
Keystroke/mouse tracking
Full session replay
Identity stitching
Ignoring CMP signals
Device identification
Long-lived identifiers
PII deanonymization
Container/loader (neutral)
Claims-vs-Reality (BTI-X)
Not in privacy policy
Hidden data recipients
False certification claims
Tracking continues after opt-out
Collection exceeds disclosed scope
Security claims vs evidence
Per-code narrative explanations of what each detected behavior means for your organization
Per-code evidence with full attribution chain, severity rankings, and consequence narratives See pricing →
Claims vs. Reality
BLACKOUT analyzed Clearbit's public claims against observed runtime behavior and identified 5 contradictions.
"CCPA compliant"
Explicitly sells personal information per privacy policy
4 more gaps — with regulatory citations and evidence pointers — available with subscription.
Full claim-vs-reality gap analysis with claim text, observed behavior, severity, regulatory citations (GDPR, CCPA, ePrivacy), and evidence pointers per gap See pricing →
What To Do
5 for current users · 5 for evaluators
contractual leverage points
Role-specific actions (security / legal / marketing / procurement), full negotiation brief with contractual language, and BTI-code-specific consequences See pricing →
Supply Chain & Pairings
Claims 11, observed 12
googletagmanager, googleanalytics4, linkedinads…
Full supply-chain mapping (loads / loaded-by lists with vendor identities) and the undisclosed-subprocessor list with observation evidence See pricing →
