How This Briefing Works
This report opens with key findings, then maps the gaps between what HockeyStack discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Privacy Marketing Mismatch
Uses FingerprintJS for device fingerprinting, which is more persistent and invasive than cookies, cannot be cleared by users, and fires pre-consent
Pre-Consent Activity
HockeyStack was observed loading and executing before user consent was obtained on 2% of sites where it was detected.
Subprocessor Disclosure Gap
41 vendors detected at runtime on hockeystack.com, including 20+ not in any disclosure list
Pre-Consent Tracking
12 vendors fire pre-consent, including fingerprinting and identity resolution services
Undisclosed Party
Not in privacy policy
Claims vs. Observed Behavior
Privacy Marketing Mismatch
Claim: “Cookieless tracking technology is privacy-friendly”
Observed: Uses FingerprintJS for device fingerprinting, which is more persistent and invasive than cookies, cannot be cleared by users, and fires pre-consent
Evidence: Trust Portal lists Fingerprint.js as a subprocessor; runtime scans show FingerprintJS firing pre-consent on hockeystack.com

Subprocessor Disclosure Gap
Claim: “Trust Portal lists 11 subprocessors as comprehensive data processor list”
Observed: 41 vendors detected at runtime on hockeystack.com, including 20+ not in any disclosure list
Evidence: BLACKOUT runtime scan detected Leadfeeder, RB2B, Cheq, Contentsquare, Adform, VWO and others not listed in the Trust Portal or Privacy Policy

Pre-Consent Tracking
Claim: “GDPR and ISO 27001 compliant with continuous monitoring”
Observed: 12 vendors fire pre-consent, including fingerprinting and identity resolution services
Evidence: Runtime scans show a 2% pre-consent rate across HockeyStack deployments; their own website shows FingerprintJS, Leadfeeder and Meta Pixel firing pre-consent

Dual Disclosure Lists
Claim: “Privacy Policy and Trust Portal provide vendor transparency”
Observed: Privacy Policy lists different vendors than the Trust Portal subprocessor list, creating confusion about which parties actually process data
Evidence: Privacy Policy mentions Google Analytics, Facebook Pixel, Hotjar; Trust Portal lists PostHog, Datadog, Sentry; minimal overlap between the two
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use HockeyStack
- Audit your consent implementation — verify no HockeyStack scripts fire pre-consent, given 12 pre-consent vendors on their own site
- Review your privacy policy to disclose device fingerprinting via FingerprintJS — 'cookieless' does not mean 'no tracking', and users cannot clear fingerprints
- Request a full subprocessor list including all vendors loaded by the HockeyStack snippet — 41 detected versus ~20 disclosed on their site
- Assess AI data flows — OpenAI and Google Gemini subprocessors may affect your data residency requirements and AI training opt-out preferences
- Update data processor agreements to explicitly cover the identity resolution and fingerprinting capabilities of their Atlas platform
If You're Evaluating HockeyStack
- Clarify 'cookieless' versus fingerprinting — FingerprintJS is more invasive than cookies and requires the same consent under the ePrivacy Directive
- Request a comprehensive subprocessor list beyond their Trust Portal — their Privacy Policy vendor list differs significantly
- Confirm pre-consent behavior can be configured to zero tracking before consent on your property
- Evaluate the identity resolution scope of their Atlas data foundation — it performs cross-source deanonymization despite privacy-friendly marketing
- Consider the regulatory risk of ISO 27001 and GDPR compliance claims paired with observed pre-consent fingerprinting behavior
Negotiation Leverage
- Fingerprinting disclosure: HockeyStack uses FingerprintJS, which is more persistent and invasive than cookies. Require contractual disclosure of all fingerprinting techniques used by their platform, with explicit consent requirement documentation for your legal team.
- Subprocessor transparency: 41+ vendors detected on hockeystack.com versus ~20 disclosed. Require a complete subprocessor list covering all third-party code loaded by their tracking snippet on your property, with 30-day advance notice before additions.
- Cookieless claim verification: Require written technical documentation of what 'cookieless' means in practice — specifically that it involves device fingerprinting, not absence of tracking.
- Pre-consent SLA: 12 vendors fire pre-consent on their own site, including identity resolution services. Require a contractual guarantee that their snippet loads zero third-party vendors before consent on your property.
- AI data flow restrictions: HockeyStack uses OpenAI and Google Gemini as subprocessors. Require a contractual commitment that your analytics data is not used for AI model training, and specify data residency requirements for AI processing.
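One way to run the consent audit and the subprocessor comparison the actions above call for, on the kind of network capture listed under Evidence Artifacts. The script below is an added example and is not BLACKOUT's tooling or anything from HockeyStack. It assumes a HAR-format capture of one page load, a consent timestamp taken from your CMP's log, and a disclosure list you transcribe yourself from the vendor's Trust Portal and privacy policy; the capture, the timestamp, every hostname and the disclosed list in the block are constructed placeholders, not observed values.

```python
import json
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample in HAR shape (not a real BLACKOUT capture). Only the fields the
# audit reads are present; hostnames are placeholders under the reserved .example TLD.
SAMPLE_HAR = json.loads("""
{"log": {"entries": [
  {"startedDateTime": "2024-01-01T12:00:00.000Z", "request": {"url": "https://www.site.example/"}},
  {"startedDateTime": "2024-01-01T12:00:00.400Z", "request": {"url": "https://fp.fingerprint-vendor.example/v3/agent.js"}},
  {"startedDateTime": "2024-01-01T12:00:00.600Z", "request": {"url": "https://cdn.analytics-vendor.example/snippet.js"}},
  {"startedDateTime": "2024-01-01T12:00:03.000Z", "request": {"url": "https://pixel.adtech-vendor.example/collect?id=1"}},
  {"startedDateTime": "2024-01-01T12:00:03.200Z", "request": {"url": "https://static.site.example/app.js"}}
]}}
""")

# Constructed: the moment your CMP recorded the visitor's consent decision.
CONSENT_AT = "2024-01-01T12:00:02.000Z"

# Constructed: domains covered by the vendor's disclosure lists (assumed input you
# would transcribe from the Trust Portal and privacy policy before running the audit).
DISCLOSED = {"cdn.analytics-vendor.example"}

# Constructed: your own registrable domains; anything else counts as third party.
FIRST_PARTY = {"site.example"}


def _ts(value):
    """Parse a HAR startedDateTime (ISO 8601 with a 'Z' suffix) into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _host(url):
    return (urlsplit(url).hostname or "").lower()


def _matches(host, domains):
    """True if host equals, or is a subdomain of, any domain in the set."""
    return any(host == d or host.endswith("." + d) for d in domains)


def first_request_by_host(har, first_party=FIRST_PARTY):
    """Map each third-party host in the capture to the time of its earliest request."""
    earliest = {}
    for entry in har["log"]["entries"]:
        host = _host(entry["request"]["url"])
        if not host or _matches(host, first_party):
            continue
        when = _ts(entry["startedDateTime"])
        if host not in earliest or when < earliest[host]:
            earliest[host] = when
    return earliest


def pre_consent_hosts(har, consent_at, first_party=FIRST_PARTY):
    """Third-party hosts that received at least one request before consent was recorded."""
    cutoff = _ts(consent_at)
    return sorted(h for h, t in first_request_by_host(har, first_party).items() if t < cutoff)


def undisclosed_hosts(har, disclosed, first_party=FIRST_PARTY):
    """Third-party hosts that no entry in the vendor's disclosure list accounts for."""
    return sorted(h for h in first_request_by_host(har, first_party) if not _matches(h, disclosed))


def audit(har, consent_at, disclosed, first_party=FIRST_PARTY):
    """Both findings in one structure, ready to attach to a DPA review or vendor questionnaire."""
    return {
        "pre_consent": pre_consent_hosts(har, consent_at, first_party),
        "undisclosed": undisclosed_hosts(har, disclosed, first_party),
    }


if __name__ == "__main__":
    result = audit(SAMPLE_HAR, CONSENT_AT, DISCLOSED)
    print("Third-party hosts contacted before consent:")
    for h in result["pre_consent"]:
        print("  ", h)
    print("Third-party hosts absent from the disclosure list:")
    for h in result["undisclosed"]:
        print("  ", h)
```

Point the script at a HAR exported from your own property (browser devtools or a headless run of the page with the vendor snippet installed) rather than the constructed sample, and keep the consent timestamp from the same session as the capture; a host that appears in `pre_consent` on a page where consent was withheld is the contractual violation the pre-consent SLA above is meant to catch, and a host in `undisclosed` is a vendor to raise in the subprocessor-list request.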
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
- Evasion infrastructure, auditor bypass
- Keystroke/mouse tracking
- Full session replay
- Identity stitching
- Ignoring CMP signals
- Device identification
- PII deanonymization
- Container/loader (neutral)
IOC Manifest
Indicators of compromise across 5 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
- Complete network capture with all requests and responses
- 27 detection signatures across scripts, domains, cookies, and network endpoints