How This Briefing Works
This dossier opens with key findings, then maps the gap between what ContentSquare discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection evidence underneath. BLACKOUT observes runtime browser behavior and cites the regulations that address each pattern — legal determinations are your counsel's call.
At a Glance
across 12 sites
vendor fires before consent
2 CRIT · 2 HIGH
Briefing
Contentsquare is a Paris-based experience intelligence platform (founded 2012) that has grown through acquisitions of Hotjar, Heap, Clicktale, and Loris.ai to serve 1.3+ million websites. Despite maintaining extensive compliance documentation (SOC2 Type II, ISO 27001/27017/27018/27701, GDPR DPA), Contentsquare's own website exhibits significant privacy gaps: 66.7% of detected tracking occurs before consent, with 52 third-party vendors detected but only infrastructure providers disclosed in their subprocessor list. Identity resolution vendors (Apollo.io, Clearbit, Demandbase, RB2B) actively de-anonymize visitors on contentsquare.com while remaining undisclosed. This creates a credibility gap for a vendor whose core product captures user behavior data.
What This Means For You
YOUR experience analytics data processed through Contentsquare flows through a platform with 52 undisclosed vendor dependencies. YOUR user session replays, heatmaps, and behavioral analytics — the most granular user data you collect — pass through a vendor ecosystem that includes demand-side platforms and identity resolution services. Through acquisitions of Hotjar, Heap, Clicktale, and Loris.ai, Contentsquare has consolidated behavioral analytics across 1.3+ million websites — YOUR user behavior data contributes to this aggregated intelligence. YOUR compliance documentation citing Contentsquare's SOC2 and ISO certifications may provide false assurance given the gap between certified controls and actual vendor practices.
Risk Channel Breakdown
Contentsquare's analytics platform captures granular user behavior (session replay, heatmaps, click tracking). When combined with the identity resolution vendors running on their own site (Apollo.io, Clearbit, Demandbase), measurement data becomes attributable to individuals. Customers using Contentsquare may unknowingly enable cross-site visitor identification through the vendor ecosystem.
With 52 third-party vendors on contentsquare.com including demand-side platforms and identity resolution services, visitor intent signals (pricing page visits, demo requests, feature exploration) leak to the broader adtech ecosystem. Competitors researching Contentsquare are identified and targetable.
Session replay and behavior capture create significant attack surface. The presence of 21 vendors loading before consent, combined with identity resolution, means visitor sessions are captured and attributed before any privacy choice is made. OpenAI and Azure OpenAI as subprocessors indicate AI processing of captured behavioral data.
The gap between Contentsquare's compliance posture (SOC2, ISO certifications, GDPR claims, comprehensive Trust Center) and runtime behavior (66.7% pre-consent tracking, undisclosed marketing vendors) creates material misrepresentation risk. Their cookie policy explicitly states they do not honor DNT signals while claiming GDPR compliance.
Threat Indicators
Runtime-observed (BTI-C)
Evasion infrastructure, auditor bypass
Keystroke/mouse tracking
Full session replay
Identity stitching
Ignoring CMP signals
Device identification
Long-lived identifiers
Container/loader (neutral)
Claims-vs-Reality (BTI-X)
Not in privacy policy
Hidden data recipients
Behavior contradicts marketing
False certification claims
Data to undisclosed regions
Collection exceeds disclosed scope
CMP vendor list vs runtime
Per-code narrative explanations of what each detected behavior means for your organization
Per-code evidence with full attribution chain, severity rankings, and consequence narratives See pricing →
Claims vs. Reality
BLACKOUT analyzed ContentSquare's public claims against observed runtime behavior and identified 5 contradictions.
"Subprocessor list identifies data processors"
52 vendors detected, only 16 infrastructure/support processors disclosed. Marketing and analytics vendors completely absent.
4 more gaps — with regulatory citations and evidence pointers — available with subscription.
Full claim-vs-reality gap analysis with claim text, observed behavior, severity, regulatory citations (GDPR, CCPA, ePrivacy), and evidence pointers per gap See pricing →
What To Do
4 for current users · 4 for evaluators
contractual leverage points
Role-specific actions (security / legal / marketing / procurement), full negotiation brief with contractual language, and BTI-code-specific consequences See pricing →
Supply Chain & Pairings
Claims 16, observed 18
googletagmanager, clarity, linkedinads…
Full supply-chain mapping (loads / loaded-by lists with vendor identities) and the undisclosed-subprocessor list with observation evidence See pricing →