Complianz

Complianz presents as a privacy compliance tool for WordPress but operates its own data pipeline: it transmits cookie scan results from 350,000+ websites to cookiedatabase.org, sets its own consent-tracking cookies, and integrates deeply with Google Consent Mode to facilitate consent-to-ad-tech signal routing. The consent guardian has its own surveillance footprint.

139 IOCs
Vendor Risk Score: 90

How This Briefing Works

This report opens with key findings, then maps the gaps between what Complianz discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

Analysis pending. Findings will appear here once intelligence collection is complete.

Disclosure Gaps

Claims vs. Observed Behavior

3 gaps

pending / UNKNOWN
They Claim: Awaiting scanner verification
Observed Behavior: No scanner data available for Complianz runtime behavior

disclosure / MEDIUM
They Claim: Self-hosted with no third-party dependencies
Observed Behavior: Cookie scan data transmitted to cookiedatabase.org external service

Customer Impact

What This Means For You

Organizations deploying Complianz face a consent integrity paradox: the tool designed to manage privacy compliance operates its own data pipeline. Cookie scan telemetry transmitted to cookiedatabase.org means your site's technology stack is inventoried externally, revealing which analytics, marketing, and tracking tools you deploy. Because Google Consent Mode defaults to Advanced Mode, visitors' data flows to Google before consent is resolved, creating potential regulatory exposure under GDPR's prior consent requirement. For enterprises using WordPress at scale, the 1M+ installation footprint makes Complianz a high-value target for supply chain attacks. The gap between "self-hosted privacy" marketing and actual external data transmission creates procurement risk if privacy teams rely on Complianz's self-description without runtime verification.

Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

Recommended Actions for Complianz

  1. Verify Complianz runtime behavior: inspect network requests to cookiedatabase.org during cookie scans and quantify what data leaves your infrastructure.
  2. Switch Google Consent Mode from Advanced to Basic Mode to ensure tags do not fire before consent resolution — accept the analytics data loss as the cost of actual compliance.
  3. Audit consent record storage: confirm consent logs are stored locally as claimed and not transmitted to external services.
  4. Review cookiedatabase.org data retention: validate the claimed one-hour retention window and confirm no persistent profiling of your site's technology stack.
  5. Evaluate alternative consent solutions that do not operate external data aggregation services or default to pre-consent tag firing.

Negotiation Leverage

  • Complianz's primary vulnerability in procurement negotiations is the gap between its "self-hosted, no third-party" positioning and the cookiedatabase.org data pipeline. Request written confirmation of exactly what data leaves your server during cookie scans, retention periods, and whether aggregated scan data is used commercially. Demand contractual commitment to Basic Mode as the default Consent Mode configuration, with Advanced Mode requiring explicit opt-in documentation. The plugin's free tier creates vendor lock-in through feature gating (consent statistics, A/B testing, premium integrations are paid) — negotiate for full feature access or evaluate whether the free tier's limitations create compliance gaps. Leverage the 1M+ installation footprint as a security concern: demand SLA commitments for vulnerability disclosure and patching timelines given WordPress plugin supply chain risks.
Runtime Detections


7 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C01 Defeat Device

Evasion infrastructure, auditor bypass

BTI-C06 Behavioral Biometrics

Keystroke/mouse tracking

Impact: Consent signals are routed to Google Ads, Google Analytics, and Tag Manager, translating privacy preferences into optimization signals for the advertising ecosystem rather than enforcing data minimization boundaries.

BTI-C07 Session Recording

Full session replay

BTI-C09 Consent Bypass

Ignoring CMP signals

Impact: Cookie scan telemetry from 350,000+ installations flows to cookiedatabase.org, creating a centralized technology deployment database. Site owners may not fully understand that their cookie scan data is being aggregated externally despite claims of self-hosted operation.

BTI-C10 Fingerprinting

Device identification

BTI-C14 Identity Resolution

PII deanonymization

BTI-C15 Tag Manager

Container/loader (neutral)

IOC Manifest


139 INDICATORS

Indicators of compromise across 3 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

Ecosystem

Ecosystem & Supply Chain

Complianz operates at the intersection of WordPress infrastructure and the Google advertising ecosystem. Key integration points: Google Tag Manager (consent events as custom triggers), Google Analytics 4 (consent-gated measurement), Google Ads (conversion modeling via Consent Mode), Google Site Kit (WordPress analytics bridge), and cookiedatabase.org (centralized cookie intelligence aggregation). The plugin supports server-side GTM configurations, enabling consent signal routing that bypasses client-side blocking. Compatible with WooCommerce, MonsterInsights, GTM4WP, and other WordPress analytics plugins. As one of 18 Google CMP Partners, Complianz has a privileged integration pathway that positions it as a consent-to-ad-tech translation layer within the WordPress ecosystem, serving 1M+ sites.
Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

139 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details