How This Briefing Works
This report opens with key findings, then maps the gaps between what FingerprintJS discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Subprocessor Disclosure: 59 vendors detected on fingerprint.com, including identity resolution platforms
Pre-Consent Tracking: 100% pre-consent tracking rate in BLACKOUT detection data
Pre-Consent Activity: FingerprintJS was observed loading and executing before user consent was obtained on 100% of sites where it was detected.
Do Not Track: honest disclosure, but problematic for compliance
Product Purpose: the product enables persistent cross-site identity resolution
Claims vs. Observed Behavior
Subprocessor Disclosure
  Claim: “DPA lists 4 subprocessors (AWS, Rollbar, Postmark, WorkOS)”
  Observed: 59 vendors detected on fingerprint.com, including identity resolution platforms
  Evidence: Runtime scan detected Apollo.io, Clearbit, HubSpot, MetaPixel, LinkedIn, LiveIntent, G2, PostHog, Vector, Verisoul, and 49 others

Pre-Consent Tracking
  Claim: “GDPR and CCPA compliant”
  Observed: 100% pre-consent tracking rate in BLACKOUT detection data
  Evidence: All 3 FingerprintJS detections occurred before consent. 29 vendors on their site load pre-consent.

Do Not Track
  Claim: “None - explicitly states they do not honor GPC/DNT”
  Observed: Honest disclosure, but problematic for compliance
  Evidence: Privacy policy states: “we are unable to respond to Do Not Track signals set by your browser at this time”

Product Purpose
  Claim: “Fraud detection and prevention”
  Observed: Product enables persistent cross-site identity resolution
  Evidence: Device fingerprinting creates identifiers that persist across consent boundaries, sessions, and browser resets
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use FingerprintJS
- Audit your consent flow — FingerprintJS cannot operate compliantly if loaded pre-consent under the ePrivacy Directive and GDPR Art. 7
- Review your privacy policy subprocessor list — FingerprintJS creates downstream disclosure obligations for all 59 detected vendors
- Assess fingerprinting necessity — most fraud detection can be achieved without persistent device identification that survives browser clearing
- Request their SOC2 report and verify that its scope covers client-side fingerprinting operations, not just server infrastructure
- Consider the regulatory risk of deploying technology that users cannot opt out of through standard browser privacy controls
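One way to carry out the consent-flow audit in the first item above, as an added example (not BLACKOUT's or FingerprintJS's code): export a HAR from the browser's network panel, note the time the banner was accepted, and list every third-party host whose first request preceded that moment. The first-party host `shop.example` and the request records are constructed.

```javascript
// Pre-consent audit over a HAR capture. Added example, not BLACKOUT's tooling.
// Assumptions: `har` follows the DevTools HAR export format (log.entries[].startedDateTime,
// log.entries[].request.url) and `consentAt` is the ISO timestamp recorded when the
// consent banner was accepted. Any third-party host first seen before that moment
// is flagged as pre-consent.

function hostOf(url) {
  try { return new URL(url).hostname; } catch (e) { return null; }
}

function isFirstParty(host, firstPartyHost) {
  return host === firstPartyHost || host.endsWith("." + firstPartyHost);
}

// Returns { preConsent: [{ host, msBeforeConsent }], postConsent: [host] }.
function auditPreConsent(har, consentAt, firstPartyHost) {
  const consentMs = Date.parse(consentAt);
  const firstSeen = new Map(); // host -> earliest request timestamp (ms)
  for (const entry of har.log.entries) {
    const host = hostOf(entry.request.url);
    if (!host || isFirstParty(host, firstPartyHost)) continue;
    const t = Date.parse(entry.startedDateTime);
    if (!firstSeen.has(host) || t < firstSeen.get(host)) firstSeen.set(host, t);
  }
  const preConsent = [], postConsent = [];
  for (const [host, t] of firstSeen) {
    if (t < consentMs) preConsent.push({ host, msBeforeConsent: consentMs - t });
    else postConsent.push(host);
  }
  preConsent.sort((a, b) => b.msBeforeConsent - a.msBeforeConsent); // earliest firing first
  postConsent.sort();
  return { preConsent, postConsent };
}

// Constructed sample capture, not real traffic.
const SAMPLE_HAR = { log: { entries: [
  { startedDateTime: "2024-01-01T10:00:00.100Z", request: { url: "https://shop.example/" } },
  { startedDateTime: "2024-01-01T10:00:00.400Z", request: { url: "https://fp.vendor.example/agent.js" } },
  { startedDateTime: "2024-01-01T10:00:00.900Z", request: { url: "https://analytics.example/collect?id=1" } },
  { startedDateTime: "2024-01-01T10:00:01.200Z", request: { url: "https://cdn.shop.example/app.js" } },
  { startedDateTime: "2024-01-01T10:00:05.000Z", request: { url: "https://chat.example/widget.js" } },
] } };
const SAMPLE_CONSENT_AT = "2024-01-01T10:00:03.000Z"; // constructed banner-accept time

// Usage: node audit.js  (prints the hosts that fired before the consent click)
console.log(JSON.stringify(auditPreConsent(SAMPLE_HAR, SAMPLE_CONSENT_AT, "shop.example"), null, 2));
```

Replace the sample with your own HAR and consent timestamp; a non-empty preConsent list is the finding the report describes.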
If You're Evaluating FingerprintJS
- Understand that 'cookieless' fingerprinting is MORE invasive than cookies — users cannot clear, detect, or opt out of fingerprints through browser settings
- Request the complete subprocessor list — 4 disclosed versus 59 detected is the largest disclosure gap in our network
- Verify fraud detection scope — ensure the SDK is not being used for identity resolution or advertising beyond your intended use case
- Assess alternatives for fraud detection that do not require persistent device identification (reCAPTCHA, Arkose Labs)
- Require a contractual limitation that fingerprint data is used exclusively for fraud prevention with no secondary use
Negotiation Leverage
- Subprocessor disclosure: 4 disclosed versus 59 detected — a 14.75x gap, the largest vendor disclosure ratio in our detection network. Require complete enumeration of all data recipients as a contract precondition.
- Consent architecture: a 100% pre-consent rate means fingerprinting begins immediately on page load. Require a contractual guarantee of consent-gated initialization with documented SDK configuration.
- Fingerprint data scope: Require contractual specification of what device attributes are collected, how fingerprints are stored, and who receives fingerprint data — with the right to audit.
- Fraud-only use restriction: If deployed for fraud detection, require a contractual limitation that fingerprint data cannot be used for identity resolution, advertising, or visitor identification purposes.
- SOC2 scope verification: Request the SOC2 report and verify that its scope covers client-side fingerprinting operations and the 59 third-party data flows, not just server infrastructure.
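What the consent-gated initialization in the "Consent architecture" item looks like on the integrator's side, as an added example rather than FingerprintJS's own loader: the SDK tag is injected only after the CMP reports an affirmative decision, and GPC/DNT are honoured before the CMP is even consulted, since the vendor's policy says it will not act on those signals itself. The consent-record shape, the event name and `SDK_URL` are assumptions.

```javascript
// Consent-gated SDK initialization, added here as an example; not FingerprintJS's own
// loader or API. Assumptions: the CMP delivers a consent record shaped like
// { status: "decided", purposes: { fraudPrevention: true } }, and the SDK is fetched by
// injecting a <script> tag. SDK_URL is a placeholder, not the vendor's real endpoint.

const SDK_URL = "https://sdk-host.example/fingerprint-agent.js"; // placeholder

// Pure decision function so the gate can be unit-tested outside a browser.
// `nav` is the browser's navigator (or a stub). Returns { allow, reason }.
function fingerprintLoadDecision(consent, nav) {
  // Honour Global Privacy Control and Do Not Track before consulting the CMP at all;
  // the vendor states it does not respond to these signals, so the integrator must.
  if (nav && nav.globalPrivacyControl === true) return { allow: false, reason: "gpc" };
  if (nav && (nav.doNotTrack === "1" || nav.doNotTrack === "yes")) return { allow: false, reason: "dnt" };
  // No consent record yet (banner still open): deny. This is exactly the pre-consent
  // window in which the scan observed the SDK executing.
  if (!consent || consent.status !== "decided") return { allow: false, reason: "no-consent-record" };
  if (consent.purposes && consent.purposes.fraudPrevention === true) return { allow: true, reason: "consent" };
  return { allow: false, reason: "declined" };
}

// Injects the SDK tag only on an allow decision. `doc` is the Document (or a stub).
function loadFingerprintSdkIfAllowed(consent, nav, doc) {
  const decision = fingerprintLoadDecision(consent, nav);
  if (decision.allow) {
    const script = doc.createElement("script");
    script.src = SDK_URL;
    script.async = true;
    doc.head.appendChild(script);
  }
  return decision; // keep the reason for the audit trail
}

// Browser wiring (not executed here): subscribe to the CMP's consent event instead of
// loading at parse time, and re-evaluate if the user later withdraws consent.
// window.addEventListener("cmp:consent-updated", (ev) =>
//   loadFingerprintSdkIfAllowed(ev.detail, navigator, document));
```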
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
Evasion infrastructure, auditor bypass
Keystroke/mouse tracking
Identity stitching
Ignoring CMP signals
Device identification
PII deanonymization
Container/loader (neutral)
IOC Manifest
Indicators of compromise across 6 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
Complete network capture with all requests and responses
92 detection signatures across scripts, domains, cookies, and network endpoints