How This Briefing Works
This dossier opens with key findings, then maps the gap between what CommonRoom discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection evidence underneath. BLACKOUT observes runtime browser behavior and cites the regulations that address each pattern — legal determinations are your counsel's call.
At a Glance
across 10 sites
vendor fires before consent
2 CRIT · 2 HIGH
Briefing
Common Room is a Seattle-based B2B customer intelligence platform offering Person360 identity resolution, web visitor identification, and waterfall enrichment. Despite claiming SOC2 Type II, GDPR, and CCPA compliance, runtime analysis reveals a 91.7% pre-consent tracking rate across detections. Their own website loads 30 third-party vendors including identity resolution providers (Albacross, Demandbase, IDVisitors, Vector), with 19 firing pre-consent. The 2021 privacy policy claims "Common Room does not sell personal information" while simultaneously deploying surveillance vendors designed to identify anonymous visitors. This represents a fundamental contradiction between compliance marketing and operational reality.
What This Means For You
YOUR website visitor data processed through Common Room's Person360 is identified and enriched by a platform that fires 91.7% of its own vendors pre-consent. YOUR buying signals — which pages prospects visit, how long they research, what they download — flow through a visitor identification system built by a company that discloses zero vendor names in its own privacy policy. If YOUR competitors also use Common Room, YOUR prospect research activity may surface in their dashboards through shared identity resolution infrastructure. YOUR SOC2 compliance documentation citing Common Room's certifications overlooks that 19 of 30 vendors fire before consent on their own site.
Risk Channel Breakdown
Common Room corrupts measurement by aggregating signals from multiple identity resolution vendors (Albacross, Demandbase, Vector, IDVisitors) without disclosure. Their Person360 waterfall enrichment creates attribution distortion as it triangulates identity across sources, making it impossible to determine true source of conversion.
Common Room product explicitly designed to capture buying signals and demand intelligence. Web visitor identification exposes which companies are researching what products. This data flows to competitors via shared identity resolution vendors. Installing CommonRoom on your site means your demand signals are visible to CommonRooms other 1000+ customers.
Loading 30 third-party vendors creates massive attack surface. LiveIntent (4 variants), Demandbase, and Albacross each introduce their own supply chains. Pre-consent tracking at 91.7% means visitors are identified before any security review. Person360 waterfall enrichment cascades data through multiple third parties.
Claims GDPR/CCPA compliance and SOC2 Type II while firing 91.7% pre-consent. Privacy policy dated 2021 does not reflect current Person360 identity resolution capabilities. States no data sale while loading identity resolution vendors. Creates significant regulatory exposure for customers who believe compliance claims.
Threat Indicators
Runtime-observed (BTI-C)
Evasion infrastructure, auditor bypass
Keystroke/mouse tracking
Full session replay
Ignoring CMP signals
Device identification
PII deanonymization
Container/loader (neutral)
Claims-vs-Reality (BTI-X)
Not in privacy policy
Hidden data recipients
Behavior contradicts marketing
False certification claims
Collection exceeds disclosed scope
Security claims vs evidence
Per-code narrative explanations of what each detected behavior means for your organization
Per-code evidence with full attribution chain, severity rankings, and consequence narratives See pricing →
Claims vs. Reality
BLACKOUT analyzed CommonRoom's public claims against observed runtime behavior and identified 5 contradictions.
"SOC2 Type II, GDPR compliant, CCPA compliant"
91.7% pre-consent tracking rate. 19 vendors fire before consent on own website
4 more gaps — with regulatory citations and evidence pointers — available with subscription.
Full claim-vs-reality gap analysis with claim text, observed behavior, severity, regulatory citations (GDPR, CCPA, ePrivacy), and evidence pointers per gap See pricing →
What To Do
4 for current users · 4 for evaluators
contractual leverage points
Role-specific actions (security / legal / marketing / procurement), full negotiation brief with contractual language, and BTI-code-specific consequences See pricing →
Supply Chain & Pairings
Full supply-chain mapping (loads / loaded-by lists with vendor identities) and the undisclosed-subprocessor list with observation evidence See pricing →