How This Briefing Works
This dossier opens with key findings, then maps the gap between what Intentsify discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection evidence underneath. BLACKOUT observes runtime browser behavior and cites the regulations that address each pattern — legal determinations are your counsel's call.
At a Glance
across 7 sites
vendor fires before consent
1 CRIT · 3 HIGH
Briefing
Intentsify is a B2B intent data provider operating large-scale identity resolution infrastructure with 382 million contact records, 5 billion MAIDs, and 203 million IP addresses. Despite marketing as an "ethical" data platform with SOC2/GDPR/CCPA compliance claims, runtime scans reveal 80% pre-consent tracking on their own website with 6 surveillance vendors loading before consent. Their consumer privacy policy explicitly states they sell personal information, contradicting their privacy-first positioning. The platform enables person-level tracking disguised as aggregate "intent signals."
What This Means For You
If Intentsify provides your intent data, you are consuming intelligence built on an identity resolution infrastructure of 382 million contacts, 5 billion MAIDs, and 203 million IP addresses. Under GDPR Art 5(1)(a), you must ensure lawful basis for processing this data — Intentsify's 80% pre-consent rate and conflicting privacy policies make consent chain verification impossible. Their consumer privacy policy explicitly admits selling personal information while their website policy claims the opposite, creating a compliance documentation gap you inherit. Under CCPA §1798.140, intent data derived from person-level surveillance without proper consent exposes you to shared liability. The multi-tenant data model means your research signals may also strengthen competitor campaigns using the same platform.
Risk Channel Breakdown
Intentsify corrupts measurement by providing identity-resolved data that appears to be aggregate intent signals. When customers use Intentsify data, they unknowingly benefit from person-level surveillance that may have been collected without proper consent, creating attribution data built on legally questionable foundations.
As a data broker with 382M contacts and explicit admission of selling personal information, Intentsify enables demand signal leakage. Intent data collected from one customer's target accounts can inform competitor targeting. The multi-tenant data model means your research signals may strengthen competitor campaigns.
Intentsify's Identity Graph creates significant attack surface through its network of 21+ third-party vendors loading on their website, cross-device tracking via MAIDs, and IP-to-company resolution. This infrastructure represents both a privacy liability for customers and a potential breach vector for any organization in their data supply chain.
Critical consent divergence exists: Intentsify claims GDPR/CCPA compliance while operating with 80% pre-consent tracking. Their consumer policy admits selling data while their website policy claims they don't. This creates vicarious liability for customers who rely on Intentsify's compliance representations to justify their own data practices.
Threat Indicators
Runtime-observed (BTI-C)
Evasion infrastructure, auditor bypass
Keystroke/mouse tracking
Full session replay
Identity stitching
Ignoring CMP signals
Device identification
PII deanonymization
Container/loader (neutral)
Claims-vs-Reality (BTI-X)
False certification claims
Gated or missing due diligence docs
Per-code narrative explanations of what each detected behavior means for your organization
Per-code evidence with full attribution chain, severity rankings, and consequence narratives See pricing →
Claims vs. Reality
BLACKOUT analyzed Intentsify's public claims against observed runtime behavior and identified 4 contradictions.
"SOC2 Type II certified, GDPR compliant, CCPA compliant"
80% of vendors load before consent obtained on their own website. Six surveillance vendors (Clearbit, CookieYes, Demandbase, HubSpot, IDVisitors, TradeDesk) fire pre-consent.
3 more gaps — with regulatory citations and evidence pointers — available with subscription.
Full claim-vs-reality gap analysis with claim text, observed behavior, severity, regulatory citations (GDPR, CCPA, ePrivacy), and evidence pointers per gap See pricing →
What To Do
5 for current users · 5 for evaluators
contractual leverage points
Role-specific actions (security / legal / marketing / procurement), full negotiation brief with contractual language, and BTI-code-specific consequences See pricing →
Supply Chain & Pairings
Claims 6, observed 6
Full supply-chain mapping (loads / loaded-by lists with vendor identities) and the undisclosed-subprocessor list with observation evidence See pricing →