How This Briefing Works
This report opens with key findings, then maps the gaps between what CustomerIO discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Pre-Consent Activity
CustomerIO was observed loading and executing before user consent was obtained on 60% of sites where it was detected.
Pending Analysis
8 BTI behavioral codes were detected, including the full identity stitching stack (C08+C13+C14). Full claims extraction is required before a gap analysis can be completed.
Claims vs. Observed Behavior
Pending Analysis: claims analysis pending.
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use CustomerIO
- Audit whether Customer.io's persistence mechanisms (C13) survive consent withdrawal on your site — this is a critical right-to-erasure compliance issue
- Verify your CMP gates Customer.io before all tracking — the 60% pre-consent rate indicates your consent implementation has gaps
- Request Customer.io's complete data architecture documentation, including all 3 tracking domains and cross-domain sync behavior
- Review whether your DPA covers identity resolution, cross-domain sync, and persistent identification — these likely exceed standard marketing automation terms
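The first two actions above, the consent gate and the persistence audit, as an added JavaScript example; it is not BLACKOUT's or Customer.io's code. It assumes vendor identifiers can be recognised by a name prefix (`_cio` is an assumption for illustration; use the cookie and storage names from the IOC manifest) and that your CMP exposes a consent-change callback. Storage is passed in as plain snapshots so the audit runs in Node as well as in a page.

```javascript
// Added example, not code from the report or the vendor. Models two checks:
// (1) a consent gate that refuses to load a vendor script until the CMP
//     reports consent and records any attempt made before that;
// (2) an audit that compares storage snapshots taken before and after
//     consent withdrawal and lists identifiers that survived it.

// Assumed name prefixes for vendor identifiers; replace with the manifest's.
const VENDOR_ID_PREFIXES = ['_cio'];

// Parse a document.cookie-style string into {name: value}.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = part.slice(idx + 1).trim();
  }
  return out;
}

// Browser helper: snapshot document.cookie plus Web Storage into plain data
// ({ cookies, localStorage, sessionStorage }) so the audit below is DOM-free.
function takeSnapshot(doc, local, session) {
  const dump = (store) => {
    const out = {};
    for (let i = 0; i < store.length; i++) out[store.key(i)] = store.getItem(store.key(i));
    return out;
  };
  return { cookies: doc.cookie, localStorage: dump(local), sessionStorage: dump(session) };
}

// Names in a snapshot that match a vendor prefix, tagged with their store.
function findVendorIdentifiers(snapshot, prefixes = VENDOR_ID_PREFIXES) {
  const names = [
    ...Object.keys(parseCookies(snapshot.cookies || '')).map((n) => `cookie:${n}`),
    ...Object.keys(snapshot.localStorage || {}).map((n) => `localStorage:${n}`),
    ...Object.keys(snapshot.sessionStorage || {}).map((n) => `sessionStorage:${n}`),
  ];
  return names.filter((tagged) => {
    const bare = tagged.slice(tagged.indexOf(':') + 1);
    return prefixes.some((p) => bare.startsWith(p));
  });
}

// Identifiers present while consent was granted that are still present after
// withdrawal. A non-empty result is the Art. 7(3) / Art. 17 gap the report flags.
function auditConsentWithdrawal(beforeWithdrawal, afterWithdrawal, prefixes = VENDOR_ID_PREFIXES) {
  const before = new Set(findVendorIdentifiers(beforeWithdrawal, prefixes));
  return findVendorIdentifiers(afterWithdrawal, prefixes).filter((n) => before.has(n));
}

// Consent gate. `injectScript(src)` is supplied by the caller (in a page it
// appends a <script> tag), so the gate itself is testable without a DOM.
function createConsentGate(injectScript) {
  let consented = false;
  let loaded = false;
  const blockedAttempts = [];
  return {
    onConsentChange(granted) { consented = granted === true; },
    loadVendorScript(src) {
      if (!consented) {
        blockedAttempts.push(src); // pre-consent attempt: record it, do not load
        return false;
      }
      if (!loaded) { injectScript(src); loaded = true; }
      return true;
    },
    blockedAttempts: () => blockedAttempts.slice(),
  };
}

// Constructed sample: identifiers set under consent are still there after the
// CMP reported withdrawal, so both are returned by the audit.
const SAMPLE_BEFORE = {
  cookies: '_cio_visitor=abc123; session=xyz',
  localStorage: { _cio_anon: 'anon-1', theme: 'dark' },
  sessionStorage: {},
};
const SAMPLE_AFTER_WITHDRAWAL = {
  cookies: '_cio_visitor=abc123; session=xyz',
  localStorage: { _cio_anon: 'anon-1', theme: 'dark' },
  sessionStorage: {},
};

function runSampleAudit() {
  return auditConsentWithdrawal(SAMPLE_BEFORE, SAMPLE_AFTER_WITHDRAWAL);
}
// runSampleAudit() -> ['cookie:_cio_visitor', 'localStorage:_cio_anon']
```

In a page, build the snapshots with `takeSnapshot(document, localStorage, sessionStorage)` once after consent is granted and the vendor script has run, and again after the CMP reports withdrawal; any name the audit returns is an identifier that outlived the withdrawal. The gate's `blockedAttempts()` list is the evidence for the pre-consent finding on your own site.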
If You're Evaluating CustomerIO
- Require Customer.io to demonstrate that consent withdrawal effectively stops all tracking, including persistence mechanisms, before deployment
- Demand a contractual guarantee that customer identities resolved on your site are not synced to or accessible from other Customer.io client deployments
- Evaluate server-side Customer.io integration to eliminate client-side identity stitching and behavioral collection
- Assess whether Customer.io's full capability set is necessary or if a simpler marketing automation tool without identity stitching would suffice
Negotiation Leverage
- Full identity stitching stack (C08+C13+C14) is the most comprehensive in this analysis group — use it to justify a requirement for complete data architecture disclosure
- Persistence mechanisms (C13) that survive consent withdrawal create direct GDPR Art. 7(3) and Art. 17 liability — demand technical proof that consent withdrawal terminates all persistent identifiers
- 60% pre-consent rate across the majority of deployments indicates systemic consent implementation failure — require Customer.io to provide consent-gate verification tooling
- 3-domain tracking infrastructure with cross-domain sync means your customer data traverses multiple endpoints — demand complete sub-processor and data flow documentation
- 8 behavioral threat codes on a marketing automation platform exceeds reasonable scope — leverage data minimization requirements under GDPR Art. 5(1)(c) to negotiate a reduced collection footprint
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
Evasion infrastructure, auditor bypass
Impact: Evasion infrastructure on a CDP with 8 behavioral codes means Customer.io may present reduced functionality during compliance assessments, concealing the full scope of their identity stitching and persistence capabilities.
Keystroke/mouse tracking
Impact: Keystroke and mouse tracking through a marketing automation platform captures micro-behavioral patterns that feed into Customer.io's identity resolution — creating behavioral fingerprints linked to resolved customer identities.
Full session replay
Impact: Full session replay within a CDP means complete customer journeys are captured with identity context. Session recordings linked to known customer identities create comprehensive behavioral dossiers that exceed marketing automation scope.
Identity stitching
Impact: Identity stitching across domains means customer identities resolved on your site are correlated with their activity elsewhere. For a CDP, this means your first-party customer data effectively becomes shared data across Customer.io's infrastructure.
Ignoring CMP signals
Impact: 60% pre-consent rate means the majority of Customer.io deployments fire their full identity stitching stack before consent. Marketing automation that begins tracking before consent creates per-session regulatory violations at scale.
Device identification
Impact: Device fingerprinting enables Customer.io to maintain identity resolution across browsers and devices, creating unified customer profiles that persist beyond individual session or cookie-based identification.
Long-lived identifiers
Impact: Long-lived identifiers mean Customer.io maintains identification across sessions even after cookie deletion or consent withdrawal. This creates a fundamental conflict with GDPR Art. 17 right to erasure and Art. 7(3) right to withdraw consent — the persistence mechanism survives the user's privacy choices.
PII deanonymization
Impact: PII deanonymization within a CDP means Customer.io resolves anonymous visitors to known identities and maintains that resolution through persistence mechanisms (C13). Once identified, your visitors cannot effectively become anonymous again within Customer.io's system.
IOC Manifest
Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
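One way to turn the manifest into the three uses named above (a detection rule, a CSP, and a Pi-hole blocklist), as an added JavaScript example that is not BLACKOUT's tooling. The manifest contents are constructed placeholders; the actual domains, script URLs and cookie names are in the evidence-tier manifest, not on this page. The `firstPartyOrigins` list and the `/csp-report` endpoint are assumptions.

```javascript
// Added example, not the report's tooling. Consumes a manifest in the four
// categories the report names (domains, scripts, cookies, endpoints).

// Constructed placeholder manifest; real values come from the evidence tier.
const SAMPLE_MANIFEST = {
  domains: ['tracker.vendor-placeholder.example', 'cdn.vendor-placeholder.example'],
  scripts: ['https://cdn.vendor-placeholder.example/track.js'],
  cookies: ['_vendor_id'],
  endpoints: ['https://tracker.vendor-placeholder.example/v1/events'],
};

// Normalise a hostname: lowercase, strip a trailing dot and any port.
function normaliseHost(host) {
  return host.toLowerCase().replace(/\.$/, '').split(':')[0];
}

// Detection rule: true when the hostname is an IOC domain or a subdomain of one.
function matchesIocDomain(hostname, iocDomains) {
  const h = normaliseHost(hostname);
  return iocDomains.map(normaliseHost).some((d) => h === d || h.endsWith('.' + d));
}

// Apply the rule to observed request hostnames (e.g. pulled from a HAR file).
function flagRequests(hostnames, manifest) {
  return hostnames.filter((h) => matchesIocDomain(h, manifest.domains));
}

// Pi-hole / hosts-file style blocklist: every host seen in any category, once.
function toBlocklist(manifest) {
  const hosts = new Set(manifest.domains.map(normaliseHost));
  for (const url of [...manifest.scripts, ...manifest.endpoints]) {
    hosts.add(normaliseHost(new URL(url).hostname));
  }
  return [...hosts].sort().map((h) => `0.0.0.0 ${h}`).join('\n');
}

// Report-only CSP that allow-lists only your own origins for scripts and
// connections. A load from any IOC domain then produces a violation report
// instead of being silently allowed, which is how pre-consent loads surface.
function toReportOnlyCsp(firstPartyOrigins, reportEndpoint) {
  const origins = firstPartyOrigins.join(' ');
  return [
    "default-src 'self'",
    `script-src 'self' ${origins}`,
    `connect-src 'self' ${origins}`,
    `report-uri ${reportEndpoint}`,
  ].join('; ');
}

// Constructed sample of hostnames seen in a capture; two hit the manifest.
function runSampleDetection() {
  const seen = [
    'www.mysite.example',
    'tracker.vendor-placeholder.example',
    'eu.cdn.vendor-placeholder.example',
    'vendor-placeholder.example.com',
  ];
  return flagRequests(seen, SAMPLE_MANIFEST);
}
// runSampleDetection() -> ['tracker.vendor-placeholder.example', 'eu.cdn.vendor-placeholder.example']
```

Send `toReportOnlyCsp(...)` as the value of a `Content-Security-Policy-Report-Only` header first; once the reports show only the vendor's hosts being refused, the same value can be promoted to an enforcing `Content-Security-Policy`. `report-uri` is the older directive but is still honoured by current browsers; `report-to` needs an additional `Reporting-Endpoints` header.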
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
Complete network capture with all requests and responses
135 detection signatures across scripts, domains, cookies, and network endpoints