How This Briefing Works
This report opens with key findings, then maps the gaps between what G2 discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Pre-Consent Activity
G2 was observed loading and executing before user consent was obtained on 54% of sites where it was detected.
Claims vs. Observed Behavior
consent
“Unknown - requires claims extraction via CDT”
Deploys identity resolution + pre-consent tracking on review platform
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use G2
- →Disable G2 Buyer Intent tracking in admin panel immediately
- →Request deletion of all historical visitor identification data
- →Audit current G2 pixel deployment: remove from website if present
If You're Evaluating G2
- →Require G2 to demonstrate consent-first architecture before contract renewal
- →Demand contractual liability shift: vendor assumes 100% penalty risk for identity resolution violations
- →Evaluate alternatives: anonymous review tracking (no identity resolution) or review platforms without surveillance (TrustRadius privacy mode)
Negotiation Leverage
- →G2 combines consent bypass with identity resolution, creating compounded GDPR Article 6 + Article 7 liability
- →Vendor must eliminate pre-consent tracking AND obtain explicit consent for identity resolution, or assume full regulatory penalty exposure
- →Review platforms should not require visitor surveillance - users expect product research privacy, not sales intelligence capture
- →Current architecture processes personal data (names, companies) without consent, transparent disclosure, or documented legitimate interest
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
Identity stitching
Ignoring CMP signals
Impact: Identity resolution tracking loads before consent opportunity, creating per-visitor GDPR Article 7 violation. Combined with personal data processing (names, companies, emails), elevates to Article 6 unlawful processing liability.
PII deanonymization
Impact: Cross-site tracking and device fingerprinting resolve anonymous visitors to named individuals/companies. Creates personal data processing without consent, transparent disclosure, or legitimate interest assessment required by GDPR Article 6.
IOC Manifest
Indicators of compromise across 5 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
Complete network capture with all requests and responses
16 detection signatures across scripts, domains, cookies, and network endpoints