CompanyTarget | Vendor Intelligence

How This Briefing Works

This report opens with key findings, then maps the gaps between what CompanyTarget discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

5 detections across 3 sites20% pre-consent activity

HIGH

Pre-Consent Activity

CompanyTarget was observed loading and executing before user consent was obtained on 20% of sites where it was detected.

GDPRePrivacy

Disclosure Gaps

Claims vs. Observed Behavior

1 gaps

Customer Impact

What This Means For You

Customers face GDPR violations from unconsented visitor deanonymization. Risk is elevated if CompanyTarget deployments are used for sales targeting without explicit visitor consent for identification.

Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use CompanyTarget

→Configure CompanyTarget to activate only after consent for visitor identification collected
→Verify identification occurs server-side (not client-side tracking)
→Limit CompanyTarget use to internal reporting (not visitor-facing personalization without consent)

If You're Evaluating CompanyTarget

→Request DPA confirming visitor IP data is not retained beyond identification process
→Verify CompanyTarget honors consent signals before initiating deanonymization
→Assess whether CompanyTarget deployment is necessary vs. aggregated analytics alternatives

Negotiation Leverage

→CompanyTarget consent bypass (BTI-C09) during identification creates pre-consent deanonymization—require technical controls to delay identification until after consent for visitor tracking
→Clarify IP retention period and whether visitor data is used for CompanyTarget's own analytics products
→Negotiate maximum 24-hour IP data retention with automated deletion

Runtime Detections

2 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C09Consent Bypass

Ignoring CMP signals

Impact: Initiates visitor-to-company identification before consent collection, creating automatic legal violations for deanonymization workflows.

BTI-C14Identity Resolution

PII deanonymization

IOC Manifest

9 INDICATORS

Indicators of compromise across 2 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

No indicators in this category

Ecosystem

Ecosystem & Supply Chain

CompanyTarget integrates with CRM platforms and marketing automation to identify company accounts from anonymous website visitors. Data flows include IP-to-company matching and firmographic enrichment.

Commonly Deployed With

Googletagmanager Googleanalytics4 Demandbase Doubleclick Liveramp Rubicon Linkedinads G2 Oktopost Qualified

Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

9 detection signatures across scripts, domains, cookies, and network endpoints