FullStory

55.6% pre-consent session recording rate despite SOC2, ISO 27001/27701, and GDPR/CCPA certifications. Discloses 6 subprocessors while 22+ vendors operate pre-consent on fullstory.com — including identity resolution tools (6sense, Demandbase, Qualified) and advertising pixels not in their subprocessor documentation.

115 IOCs · 10 detections · 60% pre-consent · 8 sites
Vendor Risk Score: 90

How This Briefing Works

This report opens with key findings, then maps the gaps between what FullStory discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

10 detections across 8 sites · 60% pre-consent activity · 1 critical disclosure gap
CRITICAL

Subprocessor Disclosure

22+ third-party vendors detected on fullstory.com operating pre-consent including 6sense, Demandbase, Criteo, Qualified, Contactout, G2, LinkedIn, Google Ads

GDPR Article 28 · CCPA 1798.140
CRITICAL

Pre-Consent Activity

FullStory was observed loading and executing before user consent was obtained on 60% of sites where it was detected.

GDPR · ePrivacy
HIGH

Pre-Consent Tracking

55.6% pre-consent tracking rate across sites using FullStory. Identity resolution and advertising vendors load before consent on their own website.

GDPR Article 6 · ePrivacy Directive · CCPA
HIGH

Undisclosed Sharing

Hidden data recipients

HIGH

Compliance Claim Mismatch

False certification claims

Disclosure Gaps

Claims vs. Observed Behavior

3 gaps: 1 CRIT · 1 HIGH · 1 MED
Classified: BTI-X02 · BTI-X05 · BTI-X08

Subprocessor Disclosure

GDPR Article 28 · CCPA 1798.140 · CRITICAL
They Claim

Subprocessor list discloses 6 vendors (Google, Fastly, Salesforce, Zendesk, Marketo, OpenAI)

Observed Behavior

22+ third-party vendors detected on fullstory.com operating pre-consent including 6sense, Demandbase, Criteo, Qualified, Contactout, G2, LinkedIn, Google Ads

BLACKOUT runtime scan 2026-01-23

Data Sale Disclosure

CCPA 1798.115 · CPRA · MEDIUM
They Claim

We do not sell the data of our Customers or their Users collected through the Services

Observed Behavior

Privacy policy CCPA section states: Certain information of Visitors may be sold or shared, including to advertising and marketing partners

Privacy policy CCPA disclosure section

Customer Impact

What This Means For You

If FullStory captures session replays on your site, 55.6% of observed implementations record sessions before users consent. Under GDPR Art 7 and ePrivacy Art 5(3), recording detailed user interactions — clicks, scrolls, form inputs, and page content — without prior consent creates direct regulatory liability. FullStory discloses 6 subprocessors while 22+ vendors operate pre-consent on their own site, including 6sense, Demandbase, and Qualified for identity resolution. These undisclosed vendors can identify your prospects visiting FullStory for competitive evaluation, and similar data flows may exist through their deployed JavaScript. FullStory integrates with Salesforce and Marketo, meaning session replay data connects to your CRM and marketing automation.
Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use FullStory

  • Audit your consent flow to ensure FullStory script loads only after consent — 55.6% pre-consent rate indicates most deployments are non-compliant
  • Review the subprocessor disclosure gap — 14+ undisclosed vendors may require updates to your GDPR Art 30 records and privacy policy
  • Verify your privacy policy accurately reflects FullStory's session recording scope including form inputs, clicks, and page content
  • Implement data masking and exclusion rules given the sensitivity of session replay data capturing user interactions
  • Monitor for identity resolution vendors loading alongside FullStory on your property
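
One way to run the consent-flow audit from the list above against a HAR capture of your own site, as an added example (not BLACKOUT's or FullStory's code): it flags requests that match FullStory indicators listed in this report and that start before the consent timestamp. The HAR contents, the `shop.example` and `cdn.example` hosts, the timestamps and the function names are constructed for illustration, and the consent time is assumed to come from your CMP's own log.

```javascript
// Added example. Indicators are taken from this report; '*' is a wildcard.
const FULLSTORY_INDICATORS = [
  'fullstory.com/s/fs.js',
  'edge.fullstory.com',
  '*edge.staging.fullstory.com/datalayer/v4/latest.js*',
  '*rs.staging.fullstory.com/rec/integrations*',
];

// Escape regex metacharacters, then turn each '*' into '.*' (unanchored match).
function indicatorToRegExp(indicator) {
  const escaped = indicator.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
  return new RegExp(escaped.replace(/\*/g, '.*'), 'i');
}

// Return matching requests that started before consent was recorded.
// consentIso === null means the visitor never consented: every match is a hit.
function preConsentHits(har, consentIso, indicators = FULLSTORY_INDICATORS) {
  const consentMs = consentIso === null ? Infinity : Date.parse(consentIso);
  if (Number.isNaN(consentMs)) throw new Error('unparseable consent timestamp');
  const patterns = indicators.map(indicatorToRegExp);
  const hits = [];
  for (const entry of har.log.entries) {
    let target;
    try {
      // Match host + path only, so an indicator inside a query string
      // (for example a referrer parameter) is not a false positive.
      const u = new URL(entry.request.url);
      target = u.host + u.pathname;
    } catch {
      continue; // skip malformed URLs
    }
    const startedMs = Date.parse(entry.startedDateTime);
    if (startedMs < consentMs && patterns.some((re) => re.test(target))) {
      hits.push({ url: entry.request.url, msBeforeConsent: consentMs - startedMs });
    }
  }
  return hits;
}

// Constructed sample capture (not real scan data); consent recorded at 10:00:03.
const SAMPLE_CONSENT = '2026-02-01T10:00:03.000Z';
const SAMPLE_HAR = { log: { entries: [
  { startedDateTime: '2026-02-01T10:00:00.200Z', request: { url: 'https://shop.example/' } },
  { startedDateTime: '2026-02-01T10:00:00.900Z', request: { url: 'https://edge.fullstory.com/s/fs.js' } },
  { startedDateTime: '2026-02-01T10:00:01.100Z', request: { url: 'https://cdn.example/a.js?ref=edge.fullstory.com' } },
  { startedDateTime: '2026-02-01T10:00:05.000Z', request: { url: 'https://edge.fullstory.com/s/fs.js' } },
] } };

console.log(preConsentHits(SAMPLE_HAR, SAMPLE_CONSENT));
```

Capture the HAR in a fresh browser profile so no stored consent cookie hides the pre-consent window, and pass `null` as the consent time to audit a session in which the banner was never accepted.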

If You're Evaluating FullStory

  • Request updated subprocessor list and compare against the 22+ vendors detected at runtime on fullstory.com
  • Verify consent-mode integration documentation and test in your environment before deployment
  • Assess the risk of identity resolution vendors (6sense, Demandbase, Qualified) on their corporate site extending to customer deployments
  • Request SOC2 and ISO 27701 reports and verify scope covers client-side session recording behavior
  • Compare FullStory's compliance posture against alternatives like PostHog (self-hosted) for session replay with full data control

Negotiation Leverage

  • Subprocessor transparency: 6 disclosed versus 22+ detected including identity resolution (6sense, Demandbase, Qualified) and advertising (Criteo, LinkedIn, Google Ads). Require complete enumeration of all third-party vendors, with 30-day advance notice before additions.
  • Pre-consent SLA: 55.6% pre-consent rate. Require contractual guarantee that FullStory script loads only after consent on your property with documented consent-mode integration.
  • Session data scope: Session replays capture detailed user interactions. Require contractual specification of exactly what data is recorded with mandatory PII masking verification before deployment.
  • Identity resolution isolation: 6sense, Demandbase, and Qualified on fullstory.com perform visitor deanonymization. Require contractual guarantee that no identity resolution capabilities are embedded in FullStory's JavaScript deployed on your property.
  • ISO 27701 scope verification: Request ISO 27701 privacy certification and verify scope covers session recording and client-side data collection, not just server infrastructure.
Runtime Detections

6 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C01 Defeat Device

Evasion infrastructure, auditor bypass

BTI-C06 Behavioral Biometrics

Keystroke/mouse tracking

BTI-C07 Session Recording

Full session replay

BTI-C09 Consent Bypass

Ignoring CMP signals

BTI-C10 Fingerprinting

Device identification

BTI-C14 Identity Resolution

PII deanonymization

IOC Manifest

111 INDICATORS

Indicators of compromise across 6 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

Ecosystem

Ecosystem & Supply Chain

FullStory operates as a tier-1 session replay and behavioral analytics vendor. They are commonly loaded via Google Tag Manager or direct script injection. On customer sites, FullStory captures detailed user interactions. On their own site, they deploy a complex MarTech stack including: Identity Resolution (6sense, Demandbase, Qualified, Contactout, G2), Advertising (Criteo, Google Ads, LinkedIn, DoubleVerify), Bot Detection (Cheq), Analytics (GA4, Cloudflare Insights), CMP (Osano), Chat (Qualified). This positions FullStory within the broader B2B intelligence ecosystem rather than as a standalone analytics tool.
Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

115 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details