Klaviyo

Klaviyo operates marketing automation with aggressive cross-domain tracking achieving 100/100 CAC subsidization through data broker partnerships. Six BTI codes including consent bypass create maximum 100/100 legal exposure while feeding competitor intelligence systems.

66 IOCs · 5 detections · 40% pre-consent · 3 sites

Vendor Risk Score: 80

How This Briefing Works

This report opens with key findings, then maps the gaps between what Klaviyo discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

5 detections across 3 sites · 40% pre-consent activity
Severity: HIGH

Pre-Consent Activity

Klaviyo was observed loading and executing before user consent was obtained on 40% of sites where it was detected.

Regulations: GDPR, ePrivacy

Claims vs. Observed Behavior

1 gap (status: pending)

They Claim: Unknown

Observed Behavior: Requires claims extraction via CDT

What This Means For You

E-commerce teams lose customer LTV visibility as Klaviyo attributes all repeat purchases to email campaigns. Data teams discover customer segments in competitor Facebook lookalikes within 14 days. Legal inherits maximum GDPR/CCPA exposure from consent bypass and broker syndication. CFO faces measurable revenue leakage through data monetization and CAC subsidization.
What To Do About It

Role-specific actions based on observed behavior

If You Use Klaviyo

  • Audit DPA for data broker syndication authorization—Klaviyo reserves broad rights
  • Extract consent bypass evidence showing tracking before banner interaction
  • Map Klaviyo customer segments to competitor lookalike audience appearance

If You're Evaluating Klaviyo

  • Quantify attribution inflation from email campaign over-claiming
  • Calculate data monetization revenue (your customers, their profit)
  • Document GDPR Article 9 violations from special category data processing

Negotiation Leverage

  • Klaviyo DPA permits customer data syndication to analytics vendors and brokers—loss of control documented
  • 100/100 CAC subsidization represents direct competitor funding through marketing automation spend
  • Consent bypass (C09) operates tracking pre-authorization—GDPR Article 6 violations timestamped
  • Cross-domain identity stitching creates comprehensive surveillance network across all channels
  • Email tracking pixels constitute defeat devices under Apple Mail Protection policies
  • 100/100 legal exposure represents maximum regulatory risk—evidence pack includes consent violations
  • Customer segments appear in competitor campaigns within 14 days of Klaviyo deployment
Runtime Detections

6 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C01: Defeat Device

Evasion infrastructure, auditor bypass

Impact: Email tracking pixels and web beacons bypass browser privacy protections

BTI-C07: Session Recording

Full session replay

Impact: Web session capture feeds predictive analytics while creating PII exposure

BTI-C08: Cross-Domain Sync

Identity stitching

Impact: Identity stitching across email, web, SMS, and third-party domains enables comprehensive profiling

BTI-C09: Consent Bypass

Ignoring CMP signals

Impact: Tracking initiates before consent banner interaction—processing without lawful basis

BTI-C10: Fingerprinting

Device identification

Impact: Device fingerprinting persists identity across cookie deletion and privacy modes

BTI-C15: Tag Manager

Container/loader (neutral)

Impact: Dynamic tracking code deployment enables persistent measurement infrastructure

IOC Manifest

64 INDICATORS

Indicators of compromise across 5 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

TRACK
static.klaviyo.com
Tracking script
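The pre-consent finding above rests on correlating request start times in a HAR capture with the moment the consent banner was accepted, and the manifest is meant to feed detection rules and Pi-hole blocklists. The following is an added example of that correlation, not BLACKOUT's own tooling: it takes a short constructed list of HAR 1.2-style entries, matches hosts against an IOC domain list (static.klaviyo.com is from the manifest; the second host and the consent timestamp are constructed placeholders), reports every matching request that fired before consent, and renders the domains as a hosts-format blocklist.

```python
from datetime import datetime
from urllib.parse import urlparse

# One indicator is from the manifest (static.klaviyo.com); the second is a
# constructed placeholder, not a real Klaviyo host.
IOC_DOMAINS = {
    "static.klaviyo.com": "TRACK",
    "beacon.example-ioc.invalid": "TRACK",
}

# Constructed HAR 1.2-style entries (only the fields this check needs).
SAMPLE_ENTRIES = [
    {"startedDateTime": "2024-05-01T10:00:00.120Z",
     "request": {"url": "https://shop.example/"}},
    {"startedDateTime": "2024-05-01T10:00:00.840Z",
     "request": {"url": "https://static.klaviyo.com/onsite/js/klaviyo.js"}},
    {"startedDateTime": "2024-05-01T10:00:05.300Z",
     "request": {"url": "https://cmp.example/consent"}},
    {"startedDateTime": "2024-05-01T10:00:06.100Z",
     "request": {"url": "https://static.klaviyo.com/onsite/js/klaviyo.js?v=2"}},
]
# Constructed: the moment the visitor accepted the consent banner.
CONSENT_AT = "2024-05-01T10:00:05.300Z"


def _parse_ts(iso: str) -> datetime:
    """Parse a HAR startedDateTime; map the trailing 'Z' for older Pythons."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def ioc_category(url: str):
    """Return the IOC category if the URL's host is a listed domain or a
    subdomain of one, otherwise None."""
    host = (urlparse(url).hostname or "").lower()
    for domain, category in IOC_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return category
    return None


def pre_consent_requests(entries, consent_iso: str):
    """Return (url, category, seconds_before_consent) for each IOC request
    that started strictly before the consent timestamp."""
    consent = _parse_ts(consent_iso)
    hits = []
    for entry in entries:
        url = entry["request"]["url"]
        category = ioc_category(url)
        if category is None:
            continue
        started = _parse_ts(entry["startedDateTime"])
        if started < consent:
            hits.append((url, category, (consent - started).total_seconds()))
    return hits


def pre_consent_share(entries, consent_iso: str) -> float:
    """Fraction of IOC-matching requests that fired before consent
    (0.0 when nothing matched, so an empty capture is not reported as 100%)."""
    total = sum(1 for e in entries if ioc_category(e["request"]["url"]))
    if total == 0:
        return 0.0
    return len(pre_consent_requests(entries, consent_iso)) / total


def pihole_blocklist(domains=IOC_DOMAINS) -> str:
    """Render the IOC domains as hosts-file lines that Pi-hole can ingest."""
    return "\n".join(f"0.0.0.0 {d}" for d in sorted(domains)) + "\n"


if __name__ == "__main__":
    for url, cat, secs in pre_consent_requests(SAMPLE_ENTRIES, CONSENT_AT):
        print(f"[{cat}] {secs:.3f}s before consent: {url}")
    print(f"pre-consent share: {pre_consent_share(SAMPLE_ENTRIES, CONSENT_AT):.0%}")
    print(pihole_blocklist(), end="")
```

On a real capture, replace SAMPLE_ENTRIES with the `log.entries` array of the exported HAR and take the consent timestamp from the CMP's own request or the banner click recorded in the capture; the suffix match means a list entry for a bare domain also covers its subdomains, which is the usual intent for a blocklist but should be checked against the category before the rule is promoted to a CSP.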
Ecosystem & Supply Chain

Klaviyo integrates with Shopify, WooCommerce, and major e-commerce platforms, creating redundant customer data pipelines. Commonly deployed alongside Attentive and Postscript for SMS, triplicating mobile tracking infrastructure.
Loaded By (1)
Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

66 detection signatures across scripts, domains, cookies, and network endpoints
