
Guideline

Guideline is a personalization platform with a VRS of 80, combining high Oracle (40), maximum Broker (100), and moderate Counselor (60) threats. The platform employs defeat devices, behavioral biometrics, cross-domain sync, consent bypass, fingerprinting, and tag manager infrastructure to deliver dynamic website personalization.

7 IOCs, 27 detections, 7% pre-consent, 25 sites

Vendor Risk Score: 80

How This Briefing Works

This report opens with key findings, then maps the gaps between what Guideline discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

27 detections across 25 sites; 7% pre-consent activity

Pre-Consent Activity (severity: MEDIUM)

Guideline was observed loading and executing before user consent was obtained on 7% of sites where it was detected.

Regulations: GDPR, ePrivacy
Disclosure Gaps: Claims vs. Observed Behavior

1 gap (status: pending, UNKNOWN)

They claim: Unknown

Observed behavior: Requires claims extraction via CDT

What This Means For You

Marketing teams using Guideline for personalization face three critical risks: (1) ROI corruption, as selection bias in visitor segmentation creates false lift attribution; (2) behavioral intelligence leakage, as engagement patterns feed platform algorithms shared across customers; (3) regulatory exposure, as behavioral biometrics, cross-domain tracking, and consent bypass create compounding GDPR violations. The platform's tag manager architecture also creates client-side execution risk for malicious script injection.

What To Do About It

Role-specific actions based on observed behavior

If You Use Guideline

  • Demand A/B testing methodology with proper randomization to eliminate selection bias in lift measurement
  • Require contractual prohibition on behavioral data sharing across customers for algorithm training
  • Implement consent-first deployment where behavioral tracking only activates after explicit opt-in
  • Configure tag manager with strict CSP policies to limit third-party script execution risk

If You're Evaluating Guideline

  • Request third-party audit of consent bypass mechanisms and cross-domain tracking practices
  • Evaluate server-side personalization alternatives to eliminate client-side behavioral capture
  • Consider whether personalization lift (after correcting for selection bias) justifies regulatory exposure
  • Assess tag manager security posture with application security team before renewal

Negotiation Leverage

  • Guideline VRS 80 = Broker (100) + Counselor (60) threat. Behavioral data sharing = competitive intelligence leakage. Demand exclusive data processing.
  • Cross-domain sync (BTI-C08) enables visitor tracking across properties. Require technical documentation on cookie syncing domains and data flows.
  • Consent bypass (BTI-C09) to maintain personalization state violates GDPR. Request technical remediation separating essential functionality from tracking.
  • Behavioral biometrics (BTI-C06) for segmentation = special category data risk. Demand legal basis documentation and minimize data collection.
  • Tag manager (BTI-C15) creates third-party script execution risk. Require CSP compatibility and security audit of all loaded scripts.
  • Ask: What behavioral data is shared across customers? How are visitor profiles secured? What is the data breach notification history? Expect vague answers.

Runtime Detections

6 BTI-C codes

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C01: Defeat Device (evasion infrastructure, auditor bypass)

Impact: Tag behavior varies based on privacy tool detection, presenting minimal tracking to auditors while conducting comprehensive profiling on standard browsers.

BTI-C06: Behavioral Biometrics (keystroke/mouse tracking)

Impact: Mouse tracking and scroll pattern analysis feed visitor segmentation models, creating persistent behavioral profiles that survive cookie deletion.

BTI-C08: Cross-Domain Sync (identity stitching)

Impact: Cookie syncing across multiple properties enables visitor tracking across unrelated websites, violating user privacy expectations and ePrivacy Directive requirements.

BTI-C09: Consent Bypass (ignoring CMP signals)

Impact: Behavioral tracking continues after consent rejection to maintain personalization state, creating GDPR violation liability.

BTI-C10: Fingerprinting (device identification)

Impact: Browser and device fingerprinting enables persistent visitor identification for personalization even after cookie deletion, defeating user privacy controls.

BTI-C15: Tag Manager (container/loader, neutral)

Impact: Client-side tag management creates a third-party script execution environment with elevated DOM access, enabling comprehensive page interaction capture.

IOC Manifest

4 indicators

Indicators of compromise across 3 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.


Ecosystem & Supply Chain

Guideline operates within the personalization ecosystem alongside Optimizely, Dynamic Yield, and Monetate. The platform likely shares behavioral engagement patterns across customers to improve segmentation models, meaning visitor interactions on your site inform personalization strategies deployed by competitors. Integration with analytics platforms and CDPs creates bidirectional data flow where visitor profiles are enriched with external data sources.

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

7 detection signatures across scripts, domains, cookies, and network endpoints
