How This Briefing Works
This dossier opens with key findings, then maps the gap between what Hunter discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection evidence underneath. BLACKOUT observes runtime browser behavior and cites the regulations that address each pattern — legal determinations are your counsel's call.
At a Glance
across 1 sites
vendor fires before consent
Briefing
Email finding/verification platform that deploys aggressive website surveillance to identify visitors and track behavior across domains. Combines session recording, behavioral fingerprinting, cross-site identity syncing, and tag manager deployment - all before consent. VRS 90 = extreme threat. Primary risk: maximum surveillance architecture creates indefensible GDPR liability across six violation categories.
What This Means For You
Marketing teams gain email enrichment but inherit maximum surveillance liability: session recording + special category biometrics + cross-domain data transfers. Engineering teams lose control through tag manager deployment - vendor can modify tracking without customer awareness. Legal teams face indefensible regulatory enforcement across six GDPR provisions simultaneously.
Risk Channel Breakdown
Limited analytics distortion - Hunter tracks for identification not measurement.
VRS 90 represents extreme intelligence extraction. Session replay + behavioral biometrics + cross-domain syncing create comprehensive visitor profiles. Records competitor research, email verification patterns (reveals marketing targets), cross-site behavior syncing. Intelligence feeds sales targeting and competitive analysis.
Expands attack surface
Five-layer consent catastrophe: (1) loads before consent, (2) records sessions including sensitive inputs, (3) captures behavioral biometrics, (4) syncs identities across domains with ad/data partners, (5) deploys via tag manager for evasion. Creates compounded GDPR Article 5/6/7/9/44 violations.
Threat Indicators
Runtime-observed (BTI-C)
Keystroke/mouse tracking
Full session replay
Identity stitching
Ignoring CMP signals
Container/loader (neutral)
Per-code narrative explanations of what each detected behavior means for your organization
Per-code evidence with full attribution chain, severity rankings, and consequence narratives See pricing →
Claims vs. Reality
BLACKOUT analyzed Hunter's public claims against observed runtime behavior and identified 1 contradiction.
Full claim-vs-reality gap analysis with claim text, observed behavior, severity, regulatory citations (GDPR, CCPA, ePrivacy), and evidence pointers per gap See pricing →
What To Do
4 for current users · 3 for evaluators
contractual leverage points
Role-specific actions (security / legal / marketing / procurement), full negotiation brief with contractual language, and BTI-code-specific consequences See pricing →
Supply Chain & Pairings
Full supply-chain mapping (loads / loaded-by lists with vendor identities) and the undisclosed-subprocessor list with observation evidence See pricing →