How This Briefing Works
This report opens with key findings, then maps the gaps between what Contactout discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Pre-Consent Activity
Contactout was observed loading and executing before user consent was obtained on 54% of sites where it was detected.
Pending Analysis
6 BTI behavioral codes detected across 50 observations on 47 sites. Full claims extraction required for gap analysis.
Claims vs. Observed Behavior
Pending Analysis
“Claims analysis pending”
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use Contactout
- Verify your privacy policy explicitly discloses visitor deanonymization and the commercial availability of resolved contact data
- Implement pre-load consent gating — ContactOut must not fire until visitors affirmatively consent to identification
- Review your ContactOut agreement for data ownership clauses — confirm whether resolved identities from your visitors can be resold
- Conduct a DPIA (Data Protection Impact Assessment) specifically covering ContactOut's deanonymization processing on your property
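Pre-load consent gating as recommended above, as an added example that is not ContactOut's or BLACKOUT's code: the vendor script is injected only once the CMP reports every purpose the vendor needs, vendor calls made earlier are held back (and discarded if consent is refused), and calls after consent is withdrawn are dropped. The purpose names, the `onConsentChange` hook and the `inject` callback are assumptions.

```javascript
// Added example (not vendor or BLACKOUT code). Keeps a third-party identification
// script out of the page until the CMP reports affirmative consent for every
// required purpose. Purpose names and the `inject` callback are assumptions; a real
// CMP integration would call onConsentChange() from its consent-change hook.
function createConsentGate({ requiredPurposes, inject }) {
  let granted = new Set();
  let loaded = false;       // the vendor script is injected at most once
  const pendingCalls = [];  // vendor calls attempted before consent wait here

  const allGranted = () => requiredPurposes.every((p) => granted.has(p));

  return {
    // Receives the visitor's complete current set of consented purposes.
    onConsentChange(purposes) {
      granted = new Set(purposes);
      if (!allGranted()) {
        pendingCalls.length = 0;            // refusal or withdrawal: discard queue
      } else if (!loaded) {
        loaded = true;
        inject();                           // first and only load, post-consent
        pendingCalls.splice(0).forEach((fn) => fn());
      }
      return loaded;
    },
    // Vendor calls (e.g. identify) run only while consent is in force.
    call(fn) {
      if (loaded && allGranted()) { fn(); return true; }
      if (!loaded) pendingCalls.push(fn);   // queued, never executed pre-consent
      return false;                         // not loaded yet, or consent withdrawn
    },
    isLoaded: () => loaded,
    pendingCount: () => pendingCalls.length,
  };
}

// Browser-side injector for a placeholder script URL; only runs once consent is granted.
function scriptInjector(src) {
  return () => {
    const s = document.createElement('script');
    s.src = src;
    s.async = true;
    document.head.appendChild(s);
  };
}
```

Because a script that has already executed cannot be unloaded, withdrawal after load can only stop further vendor calls; that is why the gate must sit in front of the initial load rather than after it.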
If You're Evaluating Contactout
- Assess whether the sales intelligence value of ContactOut justifies the regulatory exposure of pre-consent deanonymization
- Request ContactOut's Article 30 records and verify their claimed lawful basis for processing visitor data from your site
- Evaluate whether first-party lead capture (forms, gated content) could replace ContactOut without the compliance burden
- Consider the reputational risk if visitors discover they are being deanonymized without consent on your site
Negotiation Leverage
- 54% pre-consent firing rate for a deanonymization tool — this is the highest-risk combination possible: identifying people without asking
- Identity resolution (C14) is the product, not a side effect — your vendor contract must explicitly address who owns resolved visitor data and restrict resale
- 6 BTI-C codes including defeat device (C01) and consent bypass (C09) — ContactOut actively circumvents the consent controls your legal team relies on
- Maximum legal tail risk (100) — GDPR per-violation fines apply to each visitor deanonymized without consent, creating uncapped liability
- Demand a consent-first deployment mode where ContactOut only resolves visitors who have explicitly opted in to identification
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
Evasion infrastructure, auditor bypass
Impact: ContactOut deploys evasion infrastructure that can alter its behavior when auditing tools or consent checks are detected, making it difficult to verify whether deanonymization occurs during compliance reviews.
Keystroke/mouse tracking
Impact: Behavioral tracking augments ContactOut's identity resolution by associating interaction patterns with resolved identities, creating enriched contact profiles that include behavioral signatures beyond basic contact information.
Identity stitching
Ignoring CMP signals
Impact: 54% pre-consent firing rate — the highest in this group — means ContactOut begins identifying visitors before consent mechanisms engage. Deanonymization without consent is a direct violation of GDPR Article 6 and ePrivacy requirements.
Device identification
Impact: Device fingerprinting supports persistent identification across sessions, enabling ContactOut to maintain identity resolution even when users clear cookies or use privacy tools — directly undermining user attempts to remain anonymous.
PII deanonymization
Impact: This is ContactOut's core product: converting anonymous visitors into named individuals with contact details. Every resolved identity becomes a commercial asset in ContactOut's database, available for purchase by any subscriber regardless of the visitor's relationship to the original site.
Container/loader (neutral)
Impact: Container/loader behavior detected — ContactOut uses tag management infrastructure to orchestrate its script deployment, potentially loading additional tracking capabilities dynamically.
IOC Manifest
Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
Complete network capture with all requests and responses
126 detection signatures across scripts, domains, cookies, and network endpoints