How This Briefing Works
This report opens with key findings, then maps the gaps between what Notion discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Pre-Consent Activity
Notion was observed loading and executing before user consent was obtained on 100% of sites where it was detected.
Claims vs. Observed Behavior
Pending Analysis
“Claims extraction pending”
CDT analysis required for Notion Terms of Service, Privacy Policy, and workspace data processing agreements
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use Notion
- →Audit Notion Terms of Service and DPA for fingerprinting data retention and cross-workspace sharing provisions
- →Review privacy policy for Notion embed tracking disclosures to end users
- →Defer Notion iframe loading until user initiates content interaction (lazy load strategy)
- →Assess GTM integration for undeclared workspace analytics tags triggered by Notion embeds
- →Consider screenshot or PDF alternatives for static Notion content to eliminate surveillance dependency
If You're Evaluating Notion
- →Alternative documentation platforms with minimal tracking footprint (GitBook, ReadMe, self-hosted wikis)
- →Notion API integration for server-side content rendering without client-side tracking iframes
- →Content export workflows that eliminate need for live Notion embeds
- →Consent-first embed loading that gates Notion iframes behind explicit user authorization
Negotiation Leverage
- →Notion Privacy Policy permits analytics on embedded content but lacks clear limits on cross-workspace fingerprint correlation
- →Behavioral biometric capture during content interaction not disclosed in embed documentation, discovered via scanner detection
- →GTM exploitation patterns suggest workspace analytics injection beyond customer control
- →Device fingerprinting exceeds functional requirements for content display, indicates user profiling infrastructure
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
Evasion infrastructure, auditor bypass
Impact: Notion embed scripts employ obfuscation to conceal tracking embedded within collaboration widget functionality.
Keystroke/mouse tracking
Impact: Captures scroll patterns, read time, and interaction signatures during embedded content consumption for user profiling.
Full session replay
Impact: Records interaction with Notion embeds and surrounding host page activity beyond functional content display requirements.
Ignoring CMP signals
Impact: Fingerprinting initiates on Notion iframe load, before content interaction or user consent signal on host page.
Device identification
Impact: Collects browser and device fingerprints tied to Notion workspace identifiers and shared content access patterns.
PII deanonymization
Impact: Links device fingerprints across Notion workspace embeds and shared pages, enabling cross-site tracking of content consumption.
Container/loader (neutral)
Impact: Exploits GTM on host page when present to deploy workspace analytics beyond declared embed functionality.
IOC Manifest
Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
Complete network capture with all requests and responses
129 detection signatures across scripts, domains, cookies, and network endpoints