
CrazyEgg

Crazy Egg fires 58.8% of its tracking pre-consent while running intent data brokers Intentdata, Semcasting, and Rockerbox on its own website — undisclosed vendors that turn a heatmap tool into a demand signal pipeline.

10 IOCs · 17 detections · 59% pre-consent · 13 sites

Vendor Risk Score: 80

How This Briefing Works

This report opens with key findings, then maps the gaps between what CrazyEgg discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

17 detections across 13 sites · 59% pre-consent activity

CRITICAL · Pre-Consent Activity

CrazyEgg was observed loading and executing before user consent was obtained on 59% of sites where it was detected.

GDPR · ePrivacy

HIGH · Vendor Disclosure

20+ vendors detected including Airtable, HubSpot, Intentdata, Semcasting, Rockerbox, Dreamdata, Peer39

GDPR Art 13 · CCPA 1798.100

HIGH · Pre-Consent Loading

58.8% of CrazyEgg detections are pre-consent on client sites

GDPR Art 6 · ePrivacy Directive Art 5(3)

HIGH · Undisclosed Party

Not in privacy policy

HIGH · Undisclosed Sharing

Hidden data recipients

Disclosure Gaps

Claims vs. Observed Behavior

3 gaps · 2 HIGH · 1 MED

Classified: BTI-X01, BTI-X02, BTI-X05, BTI-X10

Vendor Disclosure

GDPR Art 13 · CCPA 1798.100 · HIGH
They Claim

Cookie policy lists Google Analytics, Facebook, DoubleClick, Drip, CloudFlare

Observed Behavior

20+ vendors detected including Airtable, HubSpot, Intentdata, Semcasting, Rockerbox, Dreamdata, Peer39

Runtime scan vs cookie policy comparison

Missing Subprocessor List

GDPR Art 28 · MEDIUM
They Claim

Privacy policy mentions third-party data processors

Observed Behavior

No public subprocessor list available despite identity resolution vendors observed

404 on /subprocessors, /dpa endpoints

Customer Impact

What This Means For You

YOUR heatmap and session recording data collected through Crazy Egg may flow to intent data brokers detected on their own site. YOUR visitor behavior — click patterns, scroll depth, form interactions — constitutes demand signal intelligence that Intentdata, Semcasting, and Rockerbox could monetize. YOUR privacy policy likely lists Crazy Egg as an analytics tool while 12+ undisclosed vendors operate in their ecosystem. With a 58.8% pre-consent rate, YOUR consent mechanism may not protect YOUR visitors from tracking before they make a choice.

Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use CrazyEgg

  • Audit consent timing — verify Crazy Egg loads AFTER consent granted given their 58.8% pre-consent rate
  • Review your privacy policy — ensure Crazy Egg and its 20+ observed third parties are disclosed
  • Request subprocessor list and compare against intent data vendors detected on their site
  • Implement server-side consent gating to prevent Crazy Egg from loading before consent

If You're Evaluating CrazyEgg

  • Test Crazy Egg implementation in staging and audit all network requests
  • Compare with Hotjar and FullStory on pre-consent behavior and vendor disclosure transparency
  • Require contractual guarantees that session recording data will not flow to intent data brokers
  • Verify Crazy Egg GDPR compliance claims against 58.8% pre-consent rate evidence

Negotiation Leverage

  • Intent data broker presence: Intentdata, Semcasting, and Rockerbox on crazyegg.com — use this to negotiate restrictions on behavioral data sharing with intent data vendors
  • 58.8% pre-consent rate: More than half of tracking fires before consent — leverage for consent architecture guarantees and contractual termination rights
  • 12+ undisclosed vendors: Cookie policy lists 5 vendors while 20+ detected — require complete vendor disclosure as a contract condition
  • Session recording sensitivity: Heatmap and session data captures granular user behavior — negotiate enhanced data protection, retention limits, and restrictions on data enrichment
Runtime Detections

7 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

  • BTI-C01 Defeat Device: Evasion infrastructure, auditor bypass
  • BTI-C06 Behavioral Biometrics: Keystroke/mouse tracking
  • BTI-C07 Session Recording: Full session replay
  • BTI-C08 Cross-Domain Sync: Identity stitching
  • BTI-C09 Consent Bypass: Ignoring CMP signals
  • BTI-C10 Fingerprinting: Device identification
  • BTI-C15 Tag Manager: Container/loader (neutral)

IOC Manifest

8 INDICATORS

Indicators of compromise across 5 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

  • TRACK: script.crazyegg.com (Tracking script)

Ecosystem & Supply Chain

Crazy Egg operates as a session analytics vendor that embeds via JavaScript tag on client sites. Commonly loaded via GTM or direct script inclusion. The vendor's own site demonstrates extensive martech stack (20+ vendors) including HubSpot for marketing automation, Segment for CDP functionality, and intent data providers (Intentdata, Semcasting) suggesting behavioral enrichment. Downstream: recordings and heatmaps flow to CrazyEgg servers. Upstream: clients embed CrazyEgg which captures visitor sessions, potentially before consent. Cross-vendor: observed alongside other analytics vendors (GA4, Hotjar) and advertising platforms.

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

10 detection signatures across scripts, domains, cookies, and network endpoints
