CommonRoom

Common Room fires 91.7% of its vendors pre-consent while operating a Person360 identity resolution product — and names zero of its 30 detected third-party vendors in its privacy policy.

57 IOCs · 12 detections · 92% pre-consent · 10 sites

Vendor Risk Score: 80

How This Briefing Works

This report opens with key findings, then maps the gaps between what CommonRoom discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

12 detections across 10 sites · 92% pre-consent activity · 2 critical disclosure gaps

Compliance Claim vs Behavior (CRITICAL)

91.7% pre-consent tracking rate. 19 vendors fire before consent on own website

GDPR Art 7 · CCPA 1798.100 · ePrivacy Directive

Data Sale Disclosure (CRITICAL)

Loads identity resolution vendors whose business is selling identified visitor data

CCPA 1798.140(t) · CCPA 1798.115

Pre-Consent Activity (CRITICAL)

CommonRoom was observed loading and executing before user consent was obtained on 92% of sites where it was detected.

GDPR · ePrivacy

Subprocessor Disclosure (HIGH)

30 specific vendors detected, none named

GDPR Art 28 · CCPA 1798.110

Privacy Policy Currency (HIGH)

Policy predates Person360, web visitor identification, waterfall enrichment products

GDPR Art 13 · CCPA 1798.100
Disclosure Gaps: Claims vs. Observed Behavior

5 gaps: 2 Critical · 2 High · 1 Medium

Classified: BTI-X01, BTI-X02, BTI-X04, BTI-X05, BTI-X08, BTI-X09

Compliance Claim vs Behavior

GDPR Art 7 · CCPA 1798.100 · ePrivacy Directive (CRITICAL)
They Claim

SOC2 Type II, GDPR compliant, CCPA compliant

Observed Behavior

91.7% pre-consent tracking rate. 19 vendors fire before consent on own website

Runtime scan of commonroom.io shows Albacross, Demandbase, DoubleClick, G2, GoogleAnalytics4, HubSpot, IDVisitors, LinkedIn, LiveIntent (4x), Vector all firing pre-consent

Data Sale Disclosure

CCPA 1798.140(t) · CCPA 1798.115 (CRITICAL)
They Claim

Common Room does not sell personal information

Observed Behavior

Loads identity resolution vendors whose business is selling identified visitor data

Albacross, IDVisitors, Vector detected on site - all commercial identity resolution services

Subprocessor Disclosure

GDPR Art 28 · CCPA 1798.110 (HIGH)
They Claim

Generic service providers and business partners

Observed Behavior

30 specific vendors detected, none named

Privacy policy names zero specific vendors. All 30 observed vendors effectively undisclosed

Privacy Policy Currency

GDPR Art 13 · CCPA 1798.100 (HIGH)
They Claim

Effective Date: March 30, 2021

Observed Behavior

Policy predates Person360, web visitor identification, waterfall enrichment products

Major product launches in 2022-2024 not reflected in 2021 policy

DNT Signal Handling

CCPA 1798.185 (MEDIUM)
They Claim

We do not respond to or honor DNT signals

Observed Behavior

Honest disclosure but contradicts GDPR/CCPA compliance posture

Privacy policy explicitly states DNT not honored

Customer Impact: What This Means For You

YOUR website visitor data processed through Common Room's Person360 is identified and enriched by a platform that fires 91.7% of its own vendors pre-consent. YOUR buying signals — which pages prospects visit, how long they research, what they download — flow through a visitor identification system built by a company that discloses zero vendor names in its own privacy policy. If YOUR competitors also use Common Room, YOUR prospect research activity may surface in their dashboards through shared identity resolution infrastructure. YOUR SOC2 compliance documentation citing Common Room's certifications overlooks that 19 of 30 vendors fire before consent on their own site.

Recommended Actions: What To Do About It

Role-specific actions based on observed behavior

If You Use CommonRoom

  • Audit your consent implementation immediately — Common Room fires pre-consent by default and you are likely non-compliant
  • Review subprocessor agreements — 30 vendors detected on their site likely flow into their product infrastructure
  • Update privacy policy to disclose Common Room and all downstream vendors their product introduces
  • Implement server-side consent gating — do not trust client-side consent with a 91.7% pre-consent rate vendor

If You're Evaluating CommonRoom

  • Request complete named subprocessor list — zero vendor names in privacy policy is a disqualifying red flag
  • Compare with Clearbit Reveal and 6sense on pre-consent behavior and vendor disclosure transparency
  • Require consent architecture documentation and independent audit before any deployment
  • Negotiate contractual guarantees that your visitor data will not enrich competitors using the same platform

Negotiation Leverage

  • 91.7% pre-consent rate: Nearly all vendors fire before consent on commonroom.com — use this to negotiate consent architecture guarantees and contractual termination rights if pre-consent behavior is detected on your properties
  • Zero vendor disclosure: 30 vendors detected, zero named in privacy policy — require complete named vendor disclosure as a non-negotiable contract condition
  • Identity resolution risk: Person360 and web visitor identification built by a company with 91.7% pre-consent rate — negotiate data usage restrictions preventing your visitor data from enriching competitors
  • SOC2 certification scope: Claims SOC2 Type II yet 19 vendors fire pre-consent — request the SOC2 report and verify vendor management is within the certification scope

Runtime Detections

6 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C01 Defeat Device: Evasion infrastructure, auditor bypass

BTI-C06 Behavioral Biometrics: Keystroke/mouse tracking

BTI-C07 Session Recording: Full session replay

BTI-C09 Consent Bypass: Ignoring CMP signals

BTI-C10 Fingerprinting: Device identification

BTI-C15 Tag Manager: Container/loader (neutral)

IOC Manifest

54 INDICATORS

Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

Ecosystem & Supply Chain

Common Room operates as a customer intelligence aggregator in the B2B GTM ecosystem. It is loaded by enterprise customers (Notion, Figma, MongoDB, Atlassian, per their customer page) to identify anonymous website visitors and capture buying signals. CommonRoom in turn loads 30+ third-party vendors, including identity resolution providers (Albacross, Demandbase, IDVisitors, Vector), ad networks (DoubleClick, Google Ads, LinkedIn Ads, LiveIntent), and analytics (GA4, Dreamdata, G2). This creates a bidirectional data flow: customers' visitor data feeds CommonRoom's enrichment engine, which then flows on to its identity resolution partners. Person360 waterfall enrichment explicitly cascades through multiple data providers to maximize match rates, meaning customer data touches numerous undisclosed third parties.
Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

57 detection signatures across scripts, domains, cookies, and network endpoints
