How This Briefing Works
This report opens with key findings, then maps the gaps between what ConstantContact discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Claims vs. Observed Behavior
pending
“Unknown”
Requires claims extraction via CDT
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use ConstantContact
- →Implement strict landing page tracking isolation to prevent Constant Contact pixels from firing beyond email-specific pages
- →Disable cross-domain sync between email engagement IDs and website visitor IDs
- →Audit Constant Contact pixel deployment to verify no site-wide tracking after email click-through
- →Review DPA for behavioral data sharing restrictions and enforce email campaign data isolation
- →Establish session recording controls to prevent landing page capture without explicit consent
If You're Evaluating ConstantContact
- →Request Constant Contact deployment without website tracking pixels, restricting surveillance to email engagement only
- →Require contractual prohibition on cross-channel data sharing with demand generation networks
- →Verify Constant Contact pixels do not persist website visitor IDs or enable cross-visit tracking
- →Assess alternative email platforms (Mailchimp with restricted tracking, self-hosted Listmonk) for comparison
- →Demand pricing concessions reflecting email-only deployment without website surveillance integration
Negotiation Leverage
- →VRS 80 classification with 100% CAC subsidization justifies 30% discount if website tracking pixels are permanently disabled
- →75% legal tail risk demands indemnification for cross-channel tracking consent failures and biometric data processing violations
- →Require contractual guarantee that email engagement data remains isolated from website behavior tracking
- →Request quarterly attestation that subscriber data does not feed external demand networks or cross-channel targeting
- →Negotiate email-only deployment without landing page tracking or cross-domain identity synchronization
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
Evasion infrastructure, auditor bypass
Impact: Constant Contact tracking pixels fire on all pages after email click-through, capturing site-wide behavior beyond landing page interaction.
Keystroke/mouse tracking
Impact: Mouse movements and scroll depth captured during form fills to build engagement scoring and lead quality models.
Full session replay
Impact: DOM capture of email-driven landing page sessions, recording form interactions and content engagement for campaign optimization.
Identity stitching
Impact: Email engagement IDs synchronized with website visitor IDs via pixel drops, enabling cross-channel behavior correlation.
Device identification
Impact: Browser fingerprinting used to reconnect email subscribers with anonymous website visits, creating cross-channel identity resolution.
IOC Manifest
Indicators of compromise across 5 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
Complete network capture with all requests and responses
95 detection signatures across scripts, domains, cookies, and network endpoints