How This Briefing Works
This report opens with key findings, then maps the gaps between what Marchex discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Pre-Consent Activity
Marchex was observed loading and executing before user consent was obtained on 100% of sites where it was detected.
Claims vs. Observed Behavior
disclosure
“Pending claims extraction”
The high Broker score (50) and Counselor score (70) indicate significant undisclosed data sharing and consent violations. Behavioral biometrics and session recording are likely not mentioned in the privacy policy.
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use Marchex
- Immediate consent gate implementation before any Marchex script loads
- BIPA compliance review for voice biometric processing
- Data Processing Agreement audit for call recording retention and third-party sharing
- Explicit opt-in for voice analysis separate from general marketing consent
If You're Evaluating Marchex
- Defer all Marchex scripts until post-consent confirmation
- Require vendor attestation on biometric data processing lawfulness
- Implement call recording disclosure on every phone interaction
- Consider privacy-respecting call tracking alternatives without session recording
Negotiation Leverage
- Marchex contract likely permits third-party data sharing for "service improvement": demand explicit prohibition
- Voice recordings may be retained indefinitely: negotiate 30-day maximum retention aligned to attribution window
- Request evidence of BIPA compliance in Illinois, GDPR Article 9 lawful basis documentation for EU visitors
- Confirm whether behavioral biometric models are trained on your call data: demand opt-out and model deletion rights
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
Keystroke/mouse tracking
Full session replay
Ignoring CMP signals
IOC Manifest
Indicators of compromise across 3 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
Complete network capture with all requests and responses
110 detection signatures across scripts, domains, cookies, and network endpoints