All Vendors
marketing_automation

Optimove

Optimove deploys OptiTrack cookies and a Web SDK for continuous behavioral surveillance that feeds a predictive analytics engine, and was fined 1 million euros by France's CNIL after a 46.9 million user data breach exposed systematic failures in data processor obligations.

69 IOCs
48
Vendor Risk Score

How This Briefing Works

This report opens with key findings, then maps the gaps between what Optimove discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

Analysis pending. Findings will appear here once intelligence collection is complete.

Disclosure Gaps

Claims vs. Observed Behavior

4 gaps

data_collection

HIGH
They Claim

Does not collect customer-identifying demographic data

Observed Behavior

Behavioral profiling depth creates detailed individual dossiers regardless of demographic labels; CDP centralizes data from multiple sources into unified profiles

compliance

CRITICAL
They Claim

GDPR compliant with SOC 2 Type-II and ISO 27001

Observed Behavior

CNIL imposed 1M euro fine in December 2025 for GDPR processor violations including unauthorized retention, unauthorized processing, and missing Records of Processing Activities

data_breach

CRITICAL
They Claim

Protects sensitive information and manages consent

Observed Behavior

46.9 million user breach via Deezer engagement; unauthorized data copies persisted nearly a year post-notification and were sold on darknet

pending

UNKNOWN
They Claim

Awaiting scanner verification

Observed Behavior

Runtime behavior analysis pending to confirm OptiTrack cookie deployment timing, Web SDK data transmission patterns, and consent gate implementation

Customer Impact

What This Means For You

Organizations deploying Optimove are granting the platform deep behavioral visibility through OptiTrack cookies and the Web SDK, with collected data feeding predictive models that autonomously drive campaign decisions. The CNIL enforcement action against Optimove is directly relevant to any current customer: it established that Optimove violated data processor obligations including unauthorized retention, unauthorized processing scope expansion, and recordkeeping failures. The 46.9 million user breach demonstrated that these compliance failures have real-world consequences for data subjects. Any organization using Optimove as a processor should evaluate their own controller liability exposure given this enforcement precedent, particularly in EU jurisdictions where the CNIL decision creates regulatory awareness.
Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

Recommended Actions for Optimove

  • - Review your Data Processing Agreement with Optimove in light of the December 2025 CNIL enforcement action and verify that processor obligations address the specific violations found (retention, scope, recordkeeping). - Audit OptiTrack cookie deployment and Web SDK initialization to confirm consent is collected before behavioral tracking begins on your properties. - Request confirmation from Optimove on data retention periods, sub-processor list, and Records of Processing Activities status post-CNIL remediation. - Evaluate controller liability exposure: as a data controller engaging Optimove as processor, the CNIL precedent establishes that Optimove has documented processor compliance failures. - Assess whether Optimove predictive model outputs (churn scores, lifetime value predictions) constitute profiling under GDPR Article 22 and whether your privacy notice adequately discloses automated decision-making.

Negotiation Leverage

  • Optimove's negotiation position is critically weakened by the December 2025 CNIL 1 million euro fine for GDPR processor violations and the associated 46.9 million user data breach. This is the strongest leverage point available: Optimove has a documented regulatory finding of unauthorized data retention, unauthorized processing beyond contracted purposes, and failure to maintain Records of Processing Activities. In contract negotiations, demand: enhanced DPA terms that specifically address the CNIL-identified violations, contractual indemnification for controller liability arising from processor non-compliance, independent audit rights beyond standard SOC 2 certification, mandatory breach notification SLAs with defined remediation timelines (the Deezer case revealed nearly a year-long delay in unauthorized data deletion), and explicit restrictions on predictive model training using your customer behavioral data. The CNIL decision is public record and creates negotiation leverage that Optimove cannot dispute.
Runtime Detections

Runtime Detections

3 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C06Behavioral Biometrics

Keystroke/mouse tracking

BTI-C07Session Recording

Full session replay

BTI-C08Cross-Domain Sync

Identity stitching

IOC Manifest

IOC Manifest

69 INDICATORS

Indicators of compromise across 3 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

TRACK
*www.optimove.com/_next/static/chunks/*.js*
Tracking script
TRACK
*www.optimove.com/_next/static/chunks/turbopack-*.js*
Tracking script
TRACK
www.optimove.com/_next/static/chunks/a75f881c554519cc.js
Auto-extracted from scan
TRACK
www.optimove.com/_next/static/chunks/43c1b87281bfe8d7.js
Auto-extracted from scan
TRACK
www.optimove.com/_next/static/chunks/3fc234f95e101327.js
Auto-extracted from scan
TRACK
www.optimove.com/_next/static/chunks/turbopack-ff29f5968e69e7ca.js
Auto-extracted from scan
TRACK
www.optimove.com/_next/static/chunks/a050426fe083ba4a.js
Auto-extracted from scan
TRACK
www.optimove.com/_next/static/chunks/20296bfa55235273.js
Auto-extracted from scan
TRACK
www.optimove.com/_next/static/chunks/d99ed6d1b3f130fb.js
Auto-extracted from scan
TRACK
www.optimove.com/_next/static/chunks/e7ce6ee7ad6fc60c.js
Auto-extracted from scan
TRACK
www.optimove.com/_next/static/chunks/55326dec4e5f4052.js
Auto-extracted from scan
TRACK
www.optimove.com/_next/static/chunks/997fa9f9058d7516.js
Auto-extracted from scan
Ecosystem

Ecosystem & Supply Chain

Optimove operates in the CRM marketing and Customer Data Platform ecosystem alongside Braze, Salesforce Marketing Cloud, Adobe Campaign, and Bloomreach. Its CDP architecture centralizes data from ecommerce platforms, CRM systems, payment processors, and behavioral tracking sources. Key integrations include Attentive (SMS), web push platforms, and various data warehouse connectors. OptiTrack's runtime footprint includes client-side cookies, the Web SDK JavaScript, and network requests to Optimove infrastructure for every tracked event. The platform serves verticals including online gaming, retail, financial services, and online trading, each with distinct regulatory requirements. Sites deploying Optimove typically pair it with separate analytics, advertising, and payment platforms, creating multi-vendor data centralization where Optimove's CDP acts as the aggregation hub.
Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

69 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details