How This Briefing Works
This dossier opens with key findings, then maps the gap between what ClickCease discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection evidence underneath. BLACKOUT observes runtime browser behavior and cites the regulations that address each pattern — legal determinations are your counsel's call.
At a Glance
across 20 sites
vendor fires before consent
2 CRIT · 2 HIGH
Briefing
ClickCease, a CHEQ subsidiary acquired in 2020, markets itself as a click fraud protection solution for Google, Microsoft, and Meta Ads. Despite displaying SOC2, GDPR, and CCPA compliance badges on parent company CHEQ's trust center, runtime analysis reveals a 45.8% pre-consent tracking rate on their own website. The vendor deploys 50+ third-party trackers including identity resolution vendors (ZoomInfo, RB2B, HockeyStack) while disclosing only 3 infrastructure subprocessors (AWS, Azure, Zendesk). This represents a 94% subprocessor disclosure gap and demonstrates the vendor does not practice the privacy standards they claim to enforce for customers.
What This Means For You
YOUR click fraud protection data processed through ClickCease flows through a vendor ecosystem where 94% of vendors are undisclosed. YOUR ad campaign data — which clicks are fraudulent, which are legitimate, what patterns emerge — passes through a platform running ZoomInfo, RB2B, and HockeyStack on its own site. As a CHEQ subsidiary, YOUR data processing relationship extends to CHEQ's broader ecosystem — YOUR subprocessor documentation must account for this corporate structure. YOUR compliance auditors citing 3 subprocessors are dramatically underinformed about actual data flows.
Risk Channel Breakdown
ClickCease corrupts measurement by deploying 50+ tracking vendors on their own site while selling fraud detection to customers. The pre-consent tracking rate of 45.8% means nearly half of their visitor data is collected without proper consent, creating unreliable baselines for any marketing analytics.
ZoomInfo, RB2B, and HockeyStack detected on clickcease.com are B2B intelligence vendors that identify companies and individuals visiting the site. This data flows to competitors intelligence pools, meaning anyone evaluating ClickCease may be exposed to their competitors through these undisclosed data brokers.
The extensive third-party JavaScript (50+ vendors) creates massive attack surface. Each vendor is a potential supply chain vulnerability. Ironically, ClickCease sells protection against invalid traffic while deploying tracking that could be exploited for the same click fraud they claim to prevent.
Six BTI-X violations detected: undisclosed vendors (X01), data to undisclosed parties (X02), privacy marketing mismatch (X04), compliance claim contradiction (X05), undisclosed jurisdictions (X06), and scope exceeding disclosure (X08). GDPR Article 13/14 violations for undisclosed data recipients. CCPA notice requirements not met for identity resolution vendors.
Threat Indicators
Runtime-observed (BTI-C)
Evasion infrastructure, auditor bypass
Keystroke/mouse tracking
Identity stitching
Ignoring CMP signals
Device identification
Long-lived identifiers
Claims-vs-Reality (BTI-X)
Not in privacy policy
Hidden data recipients
Behavior contradicts marketing
False certification claims
Data to undisclosed regions
Collection exceeds disclosed scope
Per-code narrative explanations of what each detected behavior means for your organization
Per-code evidence with full attribution chain, severity rankings, and consequence narratives See pricing →
Claims vs. Reality
BLACKOUT analyzed ClickCease's public claims against observed runtime behavior and identified 4 contradictions.
"3 subprocessors disclosed (AWS, Azure, Zendesk)"
50+ third-party vendors detected including ad networks, analytics, and B2B intelligence
3 more gaps — with regulatory citations and evidence pointers — available with subscription.
Full claim-vs-reality gap analysis with claim text, observed behavior, severity, regulatory citations (GDPR, CCPA, ePrivacy), and evidence pointers per gap See pricing →
What To Do
4 for current users · 4 for evaluators
contractual leverage points
Role-specific actions (security / legal / marketing / procurement), full negotiation brief with contractual language, and BTI-code-specific consequences See pricing →
Supply Chain & Pairings
Claims 3, observed 3
hubspot, googletagmanager, linkedinads…
Full supply-chain mapping (loads / loaded-by lists with vendor identities) and the undisclosed-subprocessor list with observation evidence See pricing →