How This Briefing Works
This dossier opens with key findings, then maps the gap between what Heap discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection evidence underneath. BLACKOUT observes runtime browser behavior and cites the regulations that address each pattern — legal determinations are your counsel's call.
At a Glance
across 12 sites
vendor fires before consent
2 CRIT · 3 HIGH
Briefing
Heap is a product analytics platform (now part of Contentsquare) that automatically captures all user interactions without manual event configuration. Detected on 13 sites in BLACKOUT's network with a 62.5% pre-consent deployment rate. Auto-capture architecture records behavioral biometrics, session replays, and form interactions. Primary risk: comprehensive behavioral surveillance deployed before consent creates regulatory exposure for site operators.
What This Means For You
If Heap is deployed on your site, you inherit liability for auto-capture data collection that initializes before consent on 62.5% of observed deployments. Under GDPR Article 5(3) and the ePrivacy Directive, you as the site operator bear responsibility for pre-consent cookie deployment and behavioral tracking on your property. Heap's ISO 27701 and ISO 27001 certifications cover their internal information management — they do not transfer compliance coverage to the client-side JavaScript executing on your domain. Session recording capabilities may capture sensitive personal data (form inputs, search queries, page content) creating GDPR Article 9 special category exposure. The auto-capture architecture collects all interaction data by default, making GDPR Article 5(1)(c) data minimization compliance your responsibility to configure and verify.
Risk Channel Breakdown
Heap's auto-capture records everything — including internal competitor research, pricing page visits, and feature exploration patterns. This raw behavioral data feeds product decisions without distinguishing signal from noise, creating measurement distortion where volume masquerades as insight. Session recording conflates user struggle with user interest.
As part of the Contentsquare group, Heap's behavioral data exists within a larger analytics ecosystem. Scanner detected Heap's own site sharing data with 6sense, Clearbit, Apollo, and LinkedIn — all of which syndicate visitor intelligence. Customers deploying Heap inherit this data-sharing architecture pattern on their own properties.
Auto-capture architecture with form interception creates an expansive attack surface. Scanner detected obfuscation patterns (eval, function_constructor) and session recording capabilities that capture DOM state including potentially sensitive content. Client-side JavaScript with this scope represents a significant supply chain risk if compromised.
Three-layer consent violation observed: (1) 62.5% pre-consent deployment rate across detection network, (2) behavioral biometrics capture through automatic event tracking constitutes GDPR special category data, (3) session recording captures form inputs and page content without granular consent. ISO 27701 certification covers Heap's internal operations but does not transfer to client-side deployments on customer sites.
Threat Indicators
Runtime-observed (BTI-C)
Keystroke/mouse tracking
Full session replay
Ignoring CMP signals
Long-lived identifiers
Claims-vs-Reality (BTI-X)
Not in privacy policy
Hidden data recipients
False certification claims
Collection exceeds disclosed scope
Gated or missing due diligence docs
Per-code narrative explanations of what each detected behavior means for your organization
Per-code evidence with full attribution chain, severity rankings, and consequence narratives See pricing →
Claims vs. Reality
BLACKOUT analyzed Heap's public claims against observed runtime behavior and identified 6 contradictions.
"ISO 27701 privacy information management certified. Claims GDPR compliance with full European Privacy Policy section and Data Privacy Framework participation."
Scanner detected 18 pre-consent cookies (44% of total) on heap.io. Session recording and behavioral biometrics capture active before consent. 62.5% pre-consent deployment rate across detection network.
5 more gaps — with regulatory citations and evidence pointers — available with subscription.
Full claim-vs-reality gap analysis with claim text, observed behavior, severity, regulatory citations (GDPR, CCPA, ePrivacy), and evidence pointers per gap See pricing →
What To Do
5 for current users · 5 for evaluators
contractual leverage points
Role-specific actions (security / legal / marketing / procurement), full negotiation brief with contractual language, and BTI-code-specific consequences See pricing →
Supply Chain & Pairings
googletagmanager, googleanalytics4, linkedinads…
Full supply-chain mapping (loads / loaded-by lists with vendor identities) and the undisclosed-subprocessor list with observation evidence See pricing →
