Clipcentric | Vendor Intelligence

How This Briefing Works

This report opens with key findings, then maps the gaps between what Clipcentric discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

31 detections across 30 sites29% pre-consent activity

HIGH

Pre-Consent Activity

Clipcentric was observed loading and executing before user consent was obtained on 29% of sites where it was detected.

GDPRePrivacy

Disclosure Gaps

Claims vs. Observed Behavior

2 gaps

disclosure

MEDIUM

They Claim

“Pending privacy policy review”

Observed Behavior

Video tracking with persistent identifiers observed without disclosure verification

Customer Impact

What This Means For You

Customers face GDPR violations from pre-consent video tracking with persistent identifiers. Behavioral profiling of video engagement creates detailed interest profiles without consent. Tag manager functionality creates undisclosed third-party data sharing liability. Persistent identifiers enable long-term tracking beyond cookie deletion.

Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use Clipcentric

→Implement consent-gating before Clipcentric video tracking activates
→Disable persistent identifier features in Clipcentric settings—use session-based tracking only if required
→Configure tag manager allowlisting to prevent unauthorized script injection
→Enable data minimization controls to limit video engagement data retention to active campaign periods (30 days)
→Conduct quarterly audits of tag manager and persistence mechanism behavior
→Review privacy policy to ensure video tracking and persistent identifiers are disclosed

If You're Evaluating Clipcentric

→Request DPA with explicit limitations on persistent identifier usage and cross-customer video engagement benchmarking
→Verify Clipcentric honors consent signals and respects identifier deletion requests
→Demand contractual prohibition on using customer video engagement patterns for Clipcentric's own analytics products
→Assess alternative video advertising platforms with privacy-preserving measurement
→Require technical documentation on persistent identifier lifecycle and deletion procedures
→Negotiate liability protection for GDPR fines arising from unconsented persistent tracking

Negotiation Leverage

→Clipcentric persistent identifiers (BTI-C13) enable long-term tracking—require technical controls to respect user deletion requests and consent withdrawal
→Tag manager (BTI-C15) enables undisclosed script injection—require contractual restrictions on dynamic tag loading
→Consent bypass (BTI-C09) with video tracking creates regulatory exposure—require technical implementation of consent verification before tracking
→Behavioral video engagement profiling (BTI-C06) creates detailed interest profiles—negotiate contractual prohibition on using customer video data for cross-customer insights
→Request documentation on persistent identifier retention periods and cross-video-player tracking capabilities
→Negotiate maximum 30-day retention for video engagement data with automated deletion for incomplete viewing sessions

Runtime Detections

4 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C06Behavioral Biometrics

Keystroke/mouse tracking

Impact: Captures video engagement patterns including play/pause behavior, completion rates, rewind interactions, and timing to build unique viewer profiles for ad targeting.

BTI-C09Consent Bypass

Ignoring CMP signals

Impact: Initializes video tracking infrastructure before consent collection, creating automatic legal violations for video advertising.

BTI-C13Persistence Mechanisms

Long-lived identifiers

Impact: Maintains long-lived identifiers across video viewing sessions to enable continuous tracking and profile enrichment over time.

BTI-C15Tag Manager

Container/loader (neutral)

Impact: Deploys tag management infrastructure that can dynamically inject video analytics and conversion tracking beyond declared functionality.

IOC Manifest

80 INDICATORS

Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

TRACK

*aka.clipcentric.com/lib/jquery/jquery-3.5.1.js*

Tracking script

TRACK

*aka.clipcentric.com/js/base.js*

Tracking script

TRACK

*aka.clipcentric.com/user-11/galleryPreviewMessaging.js*

Tracking script

TRACK

*aka.clipcentric.com/js/formatGallery_v2.js*

Tracking script

TRACK

*aka.clipcentric.com/lib/kendo-*/js/kendo.cc.s8.js*

Tracking script

TRACK

*aka.clipcentric.com//js/cookiePolicy.js*

Tracking script

TRACK

aka.clipcentric.com/lib/jquery/jquery-3.5.1.min.js

Auto-extracted from scan

TRACK

aka.clipcentric.com/js/base.min.js

Auto-extracted from scan

TRACK

aka.clipcentric.com/lib/kendo-20190514/js/kendo.cc.s8.min.js

Auto-extracted from scan

TRACK

aka.clipcentric.com/user-11/galleryPreviewMessaging.min.js

Auto-extracted from scan

TRACK

aka.clipcentric.com/js/formatGallery_v2.min.js

Auto-extracted from scan

TRACK

aka.clipcentric.com//js/cookiePolicy.min.js

Auto-extracted from scan

Ecosystem

Ecosystem & Supply Chain

Clipcentric integrates with video ad servers, demand-side platforms (DSPs), and video content management systems. The platform may share video engagement data with advertising partners for audience targeting and frequency capping. Tag manager functionality enables integration with analytics platforms and conversion pixels.

Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

82 detection signatures across scripts, domains, cookies, and network endpoints