How This Briefing Works
This report opens with key findings, then maps the gaps between what ContentSquare discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Key Findings
12 detections across 10 sites67% pre-consent activity2 critical disclosure gaps
CRITICAL
Subprocessor Disclosure
52 vendors detected, only 16 infrastructure/support processors disclosed. Marketing and analytics vendors completely absent.
GDPR Art 28CCPA 1798.140
CRITICAL
Compliance Certification
66.7% pre-consent tracking rate on own website. 21 vendors load before consent.
GDPR Art 6ePrivacy Directive Art 5(3)
CRITICAL
Pre-Consent Activity
ContentSquare was observed loading and executing before user consent was obtained on 67% of sites where it was detected.
GDPRePrivacy
HIGH
Identity Resolution
Identity resolution vendors (Apollo.io, Clearbit, Demandbase, RB2B) actively de-anonymizing visitors
GDPR Art 13GDPR Art 14
HIGH
DNT/GPC Handling
Explicitly states: we currently do not respond to such Do Not Track signals
CCPA 1798.135Colorado Privacy Act
Disclosure Gaps
Claims vs. Observed Behavior
5 gaps
2 CRIT2 HIGH1 MED
Classified:BTI-X01BTI-X02BTI-X04BTI-X05BTI-X06BTI-X08BTI-X10
Subprocessor Disclosure
GDPR Art 28 · CCPA 1798.140CRITICAL
They Claim
“Subprocessor list identifies data processors”
Observed Behavior
52 vendors detected, only 16 infrastructure/support processors disclosed. Marketing and analytics vendors completely absent.
Runtime scan vs https://contentsquare.com/privacy-center/subprocessors/
Compliance Certification
GDPR Art 6 · ePrivacy Directive Art 5(3)CRITICAL
They Claim
“SOC2 Type II, ISO 27001 certified”
Observed Behavior
66.7% pre-consent tracking rate on own website. 21 vendors load before consent.
Trust Center certifications vs runtime detection data
Identity Resolution
GDPR Art 13 · GDPR Art 14HIGH
They Claim
“Experience intelligence platform (analytics)”
Observed Behavior
Identity resolution vendors (Apollo.io, Clearbit, Demandbase, RB2B) actively de-anonymizing visitors
Vendor detection on contentsquare.com
DNT/GPC Handling
CCPA 1798.135 · Colorado Privacy ActHIGH
They Claim
“Cookie policy provides opt-out mechanisms”
Observed Behavior
Explicitly states: we currently do not respond to such Do Not Track signals
https://contentsquare.com/privacy-center/cookie-policy/
Pre-Consent Tracking
ePrivacy Directive Art 5(3) · CNIL GuidelinesMEDIUM
They Claim
“CNIL Exemption Mode available”
Observed Behavior
21 third-party vendors loading before consent including identity resolution
Runtime scan pre_consent=true detections
Customer Impact
What This Means For You
YOUR experience analytics data processed through Contentsquare flows through a platform with 52 undisclosed vendor dependencies. YOUR user session replays, heatmaps, and behavioral analytics — the most granular user data you collect — pass through a vendor ecosystem that includes demand-side platforms and identity resolution services. Through acquisitions of Hotjar, Heap, Clicktale, and Loris.ai, Contentsquare has consolidated behavioral analytics across 1.3+ million websites — YOUR user behavior data contributes to this aggregated intelligence. YOUR compliance documentation citing Contentsquare's SOC2 and ISO certifications may provide false assurance given the gap between certified controls and actual vendor practices.
Recommended Actions
What To Do About It
Role-specific actions based on observed behavior
If You Use ContentSquare
- →Audit your Contentsquare implementation for pre-consent loading behavior — verify your CMP gates all Contentsquare scripts
- →Review what third-party scripts Contentsquare deploys on your properties beyond their core analytics
- →Verify your CMP configuration accounts for all Contentsquare-introduced vendors, not just Contentsquare itself
- →Request clarity on data flows between Contentsquare, Hotjar, Heap, and other acquired platforms
If You're Evaluating ContentSquare
- →Request the SOC2 Type II report and verify the scope covers third-party vendor management controls
- →Compare Contentsquare's actual vendor footprint against certifications before making compliance assumptions
- →Test implementation in staging and audit all network requests beyond Contentsquare's core domain
- →Negotiate data isolation guarantees preventing your session data from contributing to cross-customer analytics
Negotiation Leverage
- →Certification gap: SOC2 Type II and ISO 27001 certifications coexist with 52 undisclosed vendors — use this to question the scope of certifications and negotiate audit rights
- →Acquisition consolidation: Hotjar, Heap, Clicktale, and Loris.ai data consolidated under one entity serving 1.3M+ sites — negotiate data isolation guarantees preventing cross-customer analytics
- →Subprocessor disclosure gap: Only infrastructure providers disclosed while 52 vendors detected including marketing and adtech — require named vendor disclosure as a contract condition
- →Session replay sensitivity: Contentsquare captures granular user behavior data — leverage this data sensitivity to negotiate enhanced data protection and retention limits
Runtime Detections
Runtime Detections
8 BTI-C CODES
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
BTI-C01Defeat Device
Evasion infrastructure, auditor bypass
BTI-C06Behavioral Biometrics
Keystroke/mouse tracking
BTI-C07Session Recording
Full session replay
BTI-C08Cross-Domain Sync
Identity stitching
BTI-C09Consent Bypass
Ignoring CMP signals
BTI-C10Fingerprinting
Device identification
BTI-C13Persistence Mechanisms
Long-lived identifiers
BTI-C15Tag Manager
Container/loader (neutral)
IOC Manifest
IOC Manifest
143 INDICATORS
Indicators of compromise across 5 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
TRACK
*contentsquare.com/_next/static/chunks/701.*.js*
Tracking script
TRACK
*contentsquare.com/_next/static/3JnvIfkH3ebe3xwL1xMHK/_ssgManifest.js*
Tracking script
TRACK
*contentsquare.com/_next/static/chunks/975-*.js*
Tracking script
TRACK
*contentsquare.com/_next/static/3JnvIfkH3ebe3xwL1xMHK/_buildManifest.js*
Tracking script
TRACK
*contentsquare.com/_next/static/chunks/pages/%5B%5B...slug%5D%5D-*.js*
Tracking script
TRACK
*contentsquare.com/_next/static/chunks/webpack-*.js*
Tracking script
TRACK
*contentsquare.com/_next/static/chunks/pages/_app-*.js*
Tracking script
TRACK
*contentsquare.com/_next/static/chunks/main-*.js*
Tracking script
TRACK
*contentsquare.com/_next/static/chunks/368.*.js*
Tracking script
TRACK
*contentsquare.com/_next/static/chunks/513.*.js*
Tracking script
TRACK
*contentsquare.com/_next/static/chunks/255.*.js*
Tracking script
TRACK
*contentsquare.com/_next/static/chunks/965.*.js*
Tracking script
TRACK
*contentsquare.com/_next/static/chunks/635.*.js*
Tracking script
TRACK
*contentsquare.com/_next/static/chunks/framework.*.js*
Tracking script
TRACK
*contentsquare.com/_next/static/chunks/725.*.js*
Tracking script
TRACK
*contentsquare.com/_next/static/chunks/953.*.js*
Tracking script
TRACK
*contentsquare.com/_next/static/chunks/715.*.js*
Tracking script
TRACK
*contentsquare.com/_next/static/chunks/165.*.js*
Tracking script
TRACK
*invite.contentsquare.com/pr/js*
Tracking script
EXFIL
*contentsquare.com/_next/data/3JnvIfkH3ebe3xwL1xMHK/en/request-a-demo.json*
Data collection endpoint
EXFIL
*contentsquare.com/_next/data/3JnvIfkH3ebe3xwL1xMHK/en/blog/contentsquare-completes-acquisition-of-loris-ai.json*
Data collection endpoint
EXFIL
*contentsquare.com/_next/data/3JnvIfkH3ebe3xwL1xMHK/en/pricing.json*
Data collection endpoint
EXFIL
*contentsquare.com/_next/data/3JnvIfkH3ebe3xwL1xMHK/en.json*
Data collection endpoint
EXFIL
*contentsquare.com/_next/data/3JnvIfkH3ebe3xwL1xMHK/en/customers.json*
Data collection endpoint
EXFIL
*contentsquare.com/_next/data/3JnvIfkH3ebe3xwL1xMHK/en/product-tour.json*
Data collection endpoint
TRACK
*contentsquare.com/_next/static/chunks/pages/pricing-*.js*
Tracking script
TRACK
*www.hj.contentsquare.com/_next/static/chunks/remoteEntry.js*
Tracking script
TRACK
*www.hj.contentsquare.com/_next/static/chunks/*-*.js*
Tracking script
TRACK
*www.hj.contentsquare.com/_next/static/chunks/__federation_expose_page.*.js*
Tracking script
TRACK
*www.hj.contentsquare.com/_next/static/chunks/framework.*.js*
Tracking script
TRACK
*www.hj.contentsquare.com/_next/static/chunks/*.*.js*
Tracking script
EXFIL
*contentsquare.com/_next/data/3JnvIfkH3ebe3xwL1xMHK/en/platform/experience-analytics.json*
Data collection endpoint
EXFIL
*contentsquare.com/_next/data/3JnvIfkH3ebe3xwL1xMHK/en/press/contentsquare-completes-acquisition-of-loris-ai.json*
Data collection endpoint
EXFIL
*contentsquare.com/_next/data/3JnvIfkH3ebe3xwL1xMHK/en/platform.json*
Data collection endpoint
EXFIL
*contentsquare.com/_next/data/3JnvIfkH3ebe3xwL1xMHK/en/platform/capabilities/ai.json*
Data collection endpoint
EXFIL
*contentsquare.com/_next/data/3JnvIfkH3ebe3xwL1xMHK/en/solutions/teams/digital-marketing.json*
Data collection endpoint
EXFIL
*contentsquare.com/_next/data/3JnvIfkH3ebe3xwL1xMHK/en/customers/easyjet.json*
Data collection endpoint
EXFIL
*contentsquare.com/_next/data/3JnvIfkH3ebe3xwL1xMHK/en/customers/specsavers.json*
Data collection endpoint
EXFIL
*contentsquare.com/_next/data/3JnvIfkH3ebe3xwL1xMHK/en/customers/audi.json*
Data collection endpoint
EXFIL
*contentsquare.com/_next/data/3JnvIfkH3ebe3xwL1xMHK/en/customers/pirelli.json*
Data collection endpoint
EXFIL
*contentsquare.com/_next/data/3JnvIfkH3ebe3xwL1xMHK/en/integrations-partners.json*
Data collection endpoint
TRACK
t.contentsquare.net
Tracking script
TRACK
contentsquare.com/_next/static/chunks/701.159a73bd1ecc65f0.js
Auto-extracted from scan
TRACK
contentsquare.com/_next/static/chunks/webpack-fdfb015eefc50227.js
Auto-extracted from scan
TRACK
contentsquare.com/_next/static/chunks/main-b94e36cbe5926882.js
Auto-extracted from scan
TRACK
contentsquare.com/_next/static/chunks/pages/_app-bc2a79b0f767bade.js
Auto-extracted from scan
TRACK
contentsquare.com/_next/static/chunks/975-e4f7b183a51270d8.js
Auto-extracted from scan
TRACK
contentsquare.com/_next/static/chunks/pages/%5B%5B...slug%5D%5D-1301f9bb34c4192a.js
Auto-extracted from scan
TRACK
contentsquare.com/_next/static/3JnvIfkH3ebe3xwL1xMHK/_buildManifest.js
Auto-extracted from scan
TRACK
contentsquare.com/_next/static/3JnvIfkH3ebe3xwL1xMHK/_ssgManifest.js
Auto-extracted from scan
TRACK
invite.contentsquare.com/pr/js
Auto-extracted from scan
TRACK
contentsquare.com/_next/static/chunks/framework.d7bdff03d017b348.js
Auto-extracted from scan
TRACK
contentsquare.com/_next/static/chunks/513.a47e6288dba838da.js
Auto-extracted from scan
TRACK
contentsquare.com/_next/static/chunks/368.459f9286300cbe76.js
Auto-extracted from scan
TRACK
contentsquare.com/_next/static/chunks/255.3eba703e7abd5861.js
Auto-extracted from scan
TRACK
contentsquare.com/_next/static/chunks/635.b6aceb551a4dfd8f.js
Auto-extracted from scan
TRACK
contentsquare.com/_next/static/chunks/715.0861cba0301af072.js
Auto-extracted from scan
TRACK
contentsquare.com/_next/static/chunks/725.881f60db7a8cb303.js
Auto-extracted from scan
TRACK
contentsquare.com/_next/static/chunks/965.8c6a60284405d4a3.js
Auto-extracted from scan
TRACK
contentsquare.com/_next/static/chunks/953.3a65e5a9ae1eb771.js
Auto-extracted from scan
TRACK
contentsquare.com/_next/static/chunks/165.f3a240280a6ab2d1.js
Auto-extracted from scan
TRACK
contentsquare.com/_next/static/chunks/pages/pricing-7b6af1201654a775.js
Auto-extracted from scan
TRACK
www.hj.contentsquare.com/_next/static/chunks/remoteEntry.js
Auto-extracted from scan
TRACK
www.hj.contentsquare.com/_next/static/chunks/c78d26b1-f23f81ca8a2508b9.js
Auto-extracted from scan
TRACK
www.hj.contentsquare.com/_next/static/chunks/8847-6a9d34edb742e6b5.js
Auto-extracted from scan
TRACK
www.hj.contentsquare.com/_next/static/chunks/2665-d206e42ae94c9ee0.js
Auto-extracted from scan
TRACK
www.hj.contentsquare.com/_next/static/chunks/1278-7684c647ed111794.js
Auto-extracted from scan
TRACK
www.hj.contentsquare.com/_next/static/chunks/4248-d1a490e36324bbff.js
Auto-extracted from scan
TRACK
www.hj.contentsquare.com/_next/static/chunks/2779.53478be2293efd41.js
Auto-extracted from scan
TRACK
www.hj.contentsquare.com/_next/static/chunks/3613-4d29e21719e3359a.js
Auto-extracted from scan
TRACK
www.hj.contentsquare.com/_next/static/chunks/4813-11774f7c76799b23.js
Auto-extracted from scan
TRACK
www.hj.contentsquare.com/_next/static/chunks/1996-e1a4cf5f2bbbdad6.js
Auto-extracted from scan
TRACK
www.hj.contentsquare.com/_next/static/chunks/__federation_expose_page.19cc8862bed3a54d.js
Auto-extracted from scan
TRACK
www.hj.contentsquare.com/_next/static/chunks/framework.5566999d9841ed98.js
Auto-extracted from scan
Ecosystem
Ecosystem & Supply Chain
Contentsquare occupies a central position in the experience analytics ecosystem. Through acquisitions of Hotjar (heatmaps/session replay), Heap (product analytics), Clicktale (session replay pioneer), and Loris.ai (conversation intelligence), they control multiple touchpoints in the customer journey capture stack. They integrate with 100+ platforms and are detected on 10 sites in our scan corpus. Their subprocessor chain includes AI/LLM providers (OpenAI, Azure OpenAI) indicating machine learning processing of captured behavioral data. The presence of identity resolution vendors on their own site suggests potential for similar deployments on customer properties, though this requires verification of their product capabilities.
Loads (1)
Evidence
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
HAR Capture
Complete network capture with all requests and responses
IOC Manifest
145 detection signatures across scripts, domains, cookies, and network endpoints