QA mode · Tier:PUBLIC(override via ?tier=paid | premium)
← All Vendors
deanon
CommonRoom

CommonRoom

Common Room fires 91.7% of its vendors pre-consent while operating a Person360 identity resolution product — and names zero of its 30 detected third-party vendors in its privacy policy.

54 IOCs observed12 detections92% pre-consent10 sites
80
Vendor Risk Score
Tier: HOSTILE
Observation Coverage

BLACKOUT observes runtime behavior in the browser. This dossier reflects browser-side execution, which is one of five vendor data-egress classes. Server-to-server transfers, backend integrations, and offline data flows are outside this observation boundary.

BLACKOUT observes runtime behavior and cites the regulations that address that behavior pattern. Legal determinations are the customer's counsel's call.

How This Briefing Works

This dossier opens with key findings, then maps the gap between what CommonRoom discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection evidence underneath. BLACKOUT observes runtime browser behavior and cites the regulations that address each pattern — legal determinations are your counsel's call.

Key Findings

At a Glance

Detections
12

across 10 sites

Pre-Consent Rate
92%

vendor fires before consent

Disclosure Gaps
5

2 CRIT · 2 HIGH

Claims-vs-Reality Classified
BTI-X01BTI-X02BTI-X04BTI-X05BTI-X08BTI-X09
Summary

Briefing

Common Room is a Seattle-based B2B customer intelligence platform offering Person360 identity resolution, web visitor identification, and waterfall enrichment. Despite claiming SOC2 Type II, GDPR, and CCPA compliance, runtime analysis reveals a 91.7% pre-consent tracking rate across detections. Their own website loads 30 third-party vendors including identity resolution providers (Albacross, Demandbase, IDVisitors, Vector), with 19 firing pre-consent. The 2021 privacy policy claims "Common Room does not sell personal information" while simultaneously deploying surveillance vendors designed to identify anonymous visitors. This represents a fundamental contradiction between compliance marketing and operational reality.

Customer Impact

What This Means For You

YOUR website visitor data processed through Common Room's Person360 is identified and enriched by a platform that fires 91.7% of its own vendors pre-consent. YOUR buying signals — which pages prospects visit, how long they research, what they download — flow through a visitor identification system built by a company that discloses zero vendor names in its own privacy policy. If YOUR competitors also use Common Room, YOUR prospect research activity may surface in their dashboards through shared identity resolution infrastructure. YOUR SOC2 compliance documentation citing Common Room's certifications overlooks that 19 of 30 vendors fire before consent on their own site.

Collapse Engine

Risk Channel Breakdown

Oracle
Truth Collapse
25

Common Room corrupts measurement by aggregating signals from multiple identity resolution vendors (Albacross, Demandbase, Vector, IDVisitors) without disclosure. Their Person360 waterfall enrichment creates attribution distortion as it triangulates identity across sources, making it impossible to determine true source of conversion.

Broker
Control Collapse
100

Common Room product explicitly designed to capture buying signals and demand intelligence. Web visitor identification exposes which companies are researching what products. This data flows to competitors via shared identity resolution vendors. Installing CommonRoom on your site means your demand signals are visible to CommonRooms other 1000+ customers.

Reaper
Safety Collapse
0

Loading 30 third-party vendors creates massive attack surface. LiveIntent (4 variants), Demandbase, and Albacross each introduce their own supply chains. Pre-consent tracking at 91.7% means visitors are identified before any security review. Person360 waterfall enrichment cascades data through multiple third parties.

Counselor
Legitimacy Collapse
100

Claims GDPR/CCPA compliance and SOC2 Type II while firing 91.7% pre-consent. Privacy policy dated 2021 does not reflect current Person360 identity resolution capabilities. States no data sale while loading identity resolution vendors. Creates significant regulatory exposure for customers who believe compliance claims.

BTI Codes

Threat Indicators

Runtime-observed (BTI-C)

BTI-C01
Defeat Device

Evasion infrastructure, auditor bypass

BTI-C06
Behavioral Biometrics

Keystroke/mouse tracking

BTI-C07
Session Recording

Full session replay

BTI-C09
Consent Bypass

Ignoring CMP signals

BTI-C10
Fingerprinting

Device identification

BTI-C14
Identity Resolution

PII deanonymization

BTI-C15
Tag Manager

Container/loader (neutral)

Claims-vs-Reality (BTI-X)

BTI-X01
Undisclosed Party

Not in privacy policy

BTI-X02
Undisclosed Sharing

Hidden data recipients

BTI-X04
Marketing Mismatch

Behavior contradicts marketing

BTI-X05
Compliance Claim Mismatch

False certification claims

BTI-X08
Scope Creep

Collection exceeds disclosed scope

BTI-X09
Data Security Discrepancy

Security claims vs evidence

6
BTI Consequences Identified

Per-code narrative explanations of what each detected behavior means for your organization

Available in VIDB Subscription

Per-code evidence with full attribution chain, severity rankings, and consequence narratives See pricing →

Disclosure Gaps

Claims vs. Reality

5
Gaps Observed
2 CRITICAL2 HIGH1 MEDIUM

BLACKOUT analyzed CommonRoom's public claims against observed runtime behavior and identified 5 contradictions.

BTI-X01BTI-X02BTI-X04BTI-X05BTI-X08BTI-X09
Featured Gap
Compliance Claim vs Behavior
CRITICAL
They Claim

"SOC2 Type II, GDPR compliant, CCPA compliant"

BLACKOUT Observed

91.7% pre-consent tracking rate. 19 vendors fire before consent on own website

4 more gaps — with regulatory citations and evidence pointers — available with subscription.

Available in VIDB Subscription

Full claim-vs-reality gap analysis with claim text, observed behavior, severity, regulatory citations (GDPR, CCPA, ePrivacy), and evidence pointers per gap See pricing →

Recommended Actions

What To Do

Recommended Actions
8

4 for current users · 4 for evaluators

Negotiation Leverage
4

contractual leverage points

Available in VIDB Subscription

Role-specific actions (security / legal / marketing / procurement), full negotiation brief with contractual language, and BTI-code-specific consequences See pricing →

Ecosystem

Supply Chain & Pairings

Available in VIDB Subscription

Full supply-chain mapping (loads / loaded-by lists with vendor identities) and the undisclosed-subprocessor list with observation evidence See pricing →

Profile: commonroomFirst Seen: 2026-01-05Last Updated: 2026-01-22