Executive Summary
Common Room is a Seattle-based B2B customer intelligence platform offering Person360 identity resolution, web visitor identification, and waterfall enrichment. Despite claiming SOC2 Type II, GDPR, and CCPA compliance, runtime analysis reveals a 91.7% pre-consent tracking rate across detections. Their own website loads 30 third-party vendors including identity resolution providers (Albacross, Demandbase, IDVisitors, Vector), with 19 firing pre-consent. The 2021 privacy policy claims "Common Room does not sell personal information" while simultaneously deploying surveillance vendors designed to identify anonymous visitors. This represents a fundamental contradiction between compliance marketing and operational reality.
Revenue Threat Profile
4 COLLAPSE VECTORS
How this vendor creates financial exposure. Each score (0-100) reflects observed runtime behavior and documented business practices.
CAC Subsidization
Common Room corrupts measurement by aggregating signals from multiple identity resolution vendors (Albacross, Demandbase, Vector, IDVisitors) without disclosure. Its Person360 waterfall enrichment distorts attribution as it triangulates identity across sources, making it impossible to determine the true source of a conversion.
Signal Corruption
Common Room's product is explicitly designed to capture buying signals and demand intelligence. Web visitor identification exposes which companies are researching which products. This data flows to competitors via shared identity resolution vendors. Installing Common Room on your site means your demand signals are visible to Common Room's other 1000+ customers.
Legal Tail Risk
Loading 30 third-party vendors creates a massive attack surface. LiveIntent (4 variants), Demandbase, and Albacross each introduce their own supply chains. Pre-consent tracking at 91.7% means visitors are identified before any security review. Person360 waterfall enrichment cascades data through multiple third parties.
GTM Attack Surface
Common Room claims GDPR/CCPA compliance and SOC2 Type II while its pre-consent tracking rate is 91.7%. The privacy policy, dated 2021, does not reflect current Person360 identity resolution capabilities. It states that no data is sold while the site loads identity resolution vendors. This creates significant regulatory exposure for customers who believe the compliance claims.