Executive Summary
Crazy Egg is a heatmap and session recording vendor founded in 2006, detected on 13 sites with a 58.8% pre-consent loading rate. While claiming GDPR compliance and anonymous data collection, the vendor's own website deploys 20+ third-party vendors while only disclosing 5 in their cookie policy. Key finding: significant vendor disclosure gap and reliance on undisclosed identity resolution partners (Intentdata, Semcasting, Rockerbox). Organizations using Crazy Egg should audit consent timing and verify third-party data flows match their privacy disclosures.
Revenue Threat Profile
4 COLLAPSE VECTORSHow this vendor creates financial exposure. Each score (0-100) reflects observed runtime behavior and documented business practices.
CAC Subsidization
Session recordings and heatmaps capture granular user behavior, but the pre-consent loading pattern means behavioral data is collected before users can object. This corrupts consent-based analytics segmentation and inflates engagement metrics with non-consented sessions.
Signal Corruption
Integration with Intentdata, Semcasting, and Rockerbox suggests behavioral data may be enriched with intent signals or fed into advertising ecosystems. Competitor intelligence derived from your visitor behavior could flow through these undisclosed pipes.
Legal Tail Risk
Session recordings capture keystrokes, form inputs, and navigation patterns. At 58.8% pre-consent, this creates PII exposure before consent gatekeeping. The 20+ third-party vendor load expands attack surface significantly.
GTM Attack Surface
GDPR claim conflicts with 58.8% pre-consent deployment pattern. Cookie policy discloses 5 vendors but 20+ are observed. No subprocessor list published. This creates material misrepresentation risk for clients relying on CrazyEgg's compliance claims.