How This Briefing Works
This dossier opens with key findings, then maps the gap between what FullStory discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection evidence underneath. BLACKOUT observes runtime browser behavior and cites the regulations that address each pattern — legal determinations are your counsel's call.
At a Glance
across 10 sites
vendor fires before consent
1 CRIT · 1 HIGH
Briefing
FullStory is a behavioral data analytics platform offering session replay, product analytics, and AI-powered insights. While presenting itself as privacy-conscious with extensive compliance certifications (SOC2, ISO 27001/27701, GDPR, CCPA), runtime analysis reveals significant disclosure gaps. FullStory's own website deploys 22+ undisclosed third-party vendors pre-consent, including identity resolution tools (6sense, Demandbase, Qualified) not listed in their subprocessor documentation. This creates a credibility gap between their trust center messaging and actual runtime behavior.
What This Means For You
If FullStory captures session replays on your site, 55.6% of observed implementations record sessions before users consent. Under GDPR Art 7 and ePrivacy Art 5(3), recording detailed user interactions — clicks, scrolls, form inputs, and page content — without prior consent creates direct regulatory liability. FullStory discloses 6 subprocessors while 22+ vendors operate pre-consent on their own site, including 6sense, Demandbase, and Qualified for identity resolution. These undisclosed vendors can identify your prospects visiting FullStory for competitive evaluation, and similar data flows may exist through their deployed JavaScript. FullStory integrates with Salesforce and Marketo, meaning session replay data connects to your CRM and marketing automation.
Risk Channel Breakdown
FullStory captures detailed behavioral data including mouse movements, clicks, page visits, and text entered. While positioned for UX optimization, this granular data combined with identity resolution vendors on their site suggests potential cross-site behavioral profiling that could corrupt independent measurement.
FullStory integrates with CRM platforms (Salesforce) and marketing tools (Marketo). Identity resolution vendors (6sense, Demandbase, Qualified) detected on their site enable B2B deanonymization, potentially leaking visitor intent signals and demand data to competitors through shared vendor networks.
Session replay technology records user interactions at high fidelity, creating significant attack surface if compromised. FullStory's script runs on customer sites with privileged access to DOM content. The presence of multiple undisclosed third-party scripts increases supply chain risk.
Despite extensive compliance certifications, 55.6% pre-consent tracking rate and undisclosed third-party vendors create consent divergence liability. Privacy policy acknowledges visitor data may be sold/shared while customer data is protected differently, creating consent complexity that could trigger regulatory scrutiny.
Threat Indicators
Runtime-observed (BTI-C)
Evasion infrastructure, auditor bypass
Keystroke/mouse tracking
Full session replay
Ignoring CMP signals
Device identification
PII deanonymization
Claims-vs-Reality (BTI-X)
Hidden data recipients
False certification claims
Collection exceeds disclosed scope
Per-code narrative explanations of what each detected behavior means for your organization
Per-code evidence with full attribution chain, severity rankings, and consequence narratives See pricing →
Claims vs. Reality
BLACKOUT analyzed FullStory's public claims against observed runtime behavior and identified 3 contradictions.
"Subprocessor list discloses 6 vendors (Google, Fastly, Salesforce, Zendesk, Marketo, OpenAI)"
22+ third-party vendors detected on fullstory.com operating pre-consent including 6sense, Demandbase, Criteo, Qualified, Contactout, G2, LinkedIn, Google Ads
2 more gaps — with regulatory citations and evidence pointers — available with subscription.
Full claim-vs-reality gap analysis with claim text, observed behavior, severity, regulatory citations (GDPR, CCPA, ePrivacy), and evidence pointers per gap See pricing →
What To Do
5 for current users · 5 for evaluators
contractual leverage points
Role-specific actions (security / legal / marketing / procurement), full negotiation brief with contractual language, and BTI-code-specific consequences See pricing →
Supply Chain & Pairings
Claims 6, observed 8
googletagmanager, googleanalytics4
Full supply-chain mapping (loads / loaded-by lists with vendor identities) and the undisclosed-subprocessor list with observation evidence See pricing →