How This Briefing Works
This report opens with key findings, then maps the gaps between what ConstantContact discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Pre-Consent Activity
ConstantContact was observed loading and executing before user consent was obtained on 83% of sites where it was detected.
Claims vs. Observed Behavior
Status: pending. Disclosed claims: "Unknown" (requires claims extraction via CDT).
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use ConstantContact
- Implement strict landing page tracking isolation to prevent Constant Contact pixels from firing beyond email-specific pages
- Disable cross-domain sync between email engagement IDs and website visitor IDs
- Audit Constant Contact pixel deployment to verify no site-wide tracking after email click-through
- Review DPA for behavioral data sharing restrictions and enforce email campaign data isolation
- Establish session recording controls to prevent landing page capture without explicit consent
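One way to enforce the first and last points above on the site owner's side is to gate the vendor tag behind both a path allowlist and a consent signal, so the pixel can neither fire site-wide nor load before consent (the pre-consent execution noted in the key findings). This is an added example, not code from Constant Contact or BLACKOUT; the path prefix, the `loader` callback and the status strings are assumptions.

```javascript
// Added example: consent-gated, path-scoped loader for a third-party tag.
// The loader callback, allowed prefixes and status strings are assumptions.
"use strict";

function createTagGate({ allowedPathPrefixes, loader }) {
  let consented = false;
  let pending = null;          // allowed path seen before consent, if any
  const loaded = new Set();    // paths on which the tag was already inserted

  // A path is allowed only if it equals a prefix or sits under it.
  function isAllowed(path) {
    return allowedPathPrefixes.some(
      (p) => path === p || path.startsWith(p.replace(/\/?$/, "/"))
    );
  }

  function load(path) {
    if (loaded.has(path)) return false;
    loaded.add(path);
    loader(path);              // in a browser: append the vendor <script>
    return true;
  }

  return {
    // Call on every page view. Outside allowed paths the tag never loads;
    // on allowed paths it waits until consent has been granted.
    request(path) {
      if (!isAllowed(path)) return "blocked";
      if (!consented) { pending = path; return "deferred"; }
      return load(path) ? "loaded" : "already-loaded";
    },
    grantConsent() {
      consented = true;
      if (pending !== null) { const p = pending; pending = null; load(p); }
    },
    revokeConsent() { consented = false; pending = null; },
    hasConsent() { return consented; },
  };
}

// Constructed usage: record loader calls instead of inserting a script.
const loaderCalls = [];
const gate = createTagGate({
  allowedPathPrefixes: ["/email-landing"],
  loader: (path) => loaderCalls.push(path),
});
```

Wire `grantConsent()` to the consent banner's accept handler and `request(location.pathname)` to page load; any vendor tag inserted outside this gate is a deployment audit finding.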
If You're Evaluating ConstantContact
- Request Constant Contact deployment without website tracking pixels, restricting surveillance to email engagement only
- Require contractual prohibition on cross-channel data sharing with demand generation networks
- Verify Constant Contact pixels do not persist website visitor IDs or enable cross-visit tracking
- Assess alternative email platforms (Mailchimp with restricted tracking, self-hosted Listmonk) for comparison
- Demand pricing concessions reflecting email-only deployment without website surveillance integration
Negotiation Leverage
- VRS 80 classification with 100% CAC subsidization justifies a 30% discount if website tracking pixels are permanently disabled
- 75% legal tail risk demands indemnification for cross-channel tracking consent failures and biometric data processing violations
- Require a contractual guarantee that email engagement data remains isolated from website behavior tracking
- Request quarterly attestation that subscriber data does not feed external demand networks or cross-channel targeting
- Negotiate email-only deployment without landing page tracking or cross-domain identity synchronization
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
Evasion infrastructure, auditor bypass
Impact: Constant Contact tracking pixels fire on all pages after email click-through, capturing site-wide behavior beyond landing page interaction.
Keystroke/mouse tracking
Impact: Mouse movements and scroll depth captured during form fills to build engagement scoring and lead quality models.
Full session replay
Impact: DOM capture of email-driven landing page sessions, recording form interactions and content engagement for campaign optimization.
Identity stitching
Impact: Email engagement IDs synchronized with website visitor IDs via pixel drops, enabling cross-channel behavior correlation.
Device identification
Impact: Browser fingerprinting used to reconnect email subscribers with anonymous website visits, creating cross-channel identity resolution.
IOC Manifest
Indicators of compromise across 5 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
Complete network capture with all requests and responses
33 detection signatures across scripts, domains, cookies, and network endpoints