How This Briefing Works
This report opens with key findings, then maps the gaps between what Peopledatalabs discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Pre-Consent Activity
Peopledatalabs was observed loading and executing before user consent was obtained on 100% of sites where it was detected.
Pending Analysis
7 BTI behavioral codes detected across 1 detection on 1 site. Full claims extraction required for gap analysis.
Claims vs. Observed Behavior
Pending Analysis
“Claims analysis pending”
7 BTI behavioral codes detected across 1 detection on 1 site. Full claims extraction required for gap analysis.
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use Peopledatalabs
- →Immediately audit whether People Data Labs JavaScript is intentionally deployed or was introduced via a tag manager without review
- →Verify whether your privacy notice discloses data broker enrichment as a processing activity
- →Check your CCPA compliance: enabling People Data Labs' identity resolution may constitute a 'sale' of personal information requiring Do Not Sell mechanisms
- →Review your vendor risk assessment for People Data Labs — ensure the 2019 breach is reflected in your risk scoring
If You're Evaluating Peopledatalabs
- →Assess whether the business value of People Data Labs' enrichment justifies the regulatory exposure of running their JavaScript on-site
- →Request People Data Labs' SOC 2 report and breach remediation documentation post-2019 incident
- →Evaluate server-side enrichment alternatives that do not require deploying data broker JavaScript on your customer-facing properties
- →Consider whether your organization's brand risk tolerance includes being associated with a data broker that exposed 1.2 billion records
Negotiation Leverage
- →100% pre-consent firing rate on a data broker — every visitor is captured before consent, creating indefensible regulatory exposure
- →People Data Labs' 2019 breach exposed 1.2 billion records — demand current security audit results and breach notification procedures
- →Identity resolution (C14) is their core product: your visitors are being deanonymized and added to a commercial database sold to third parties
- →Under CCPA, enabling this data flow may classify your organization as selling personal information — verify Do Not Sell compliance
- →Demand contractual prohibition on using data collected from your properties to enrich profiles sold to your competitors
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
Evasion infrastructure, auditor bypass
Impact: People Data Labs deploys evasion infrastructure that may behave differently during compliance testing, making it difficult to verify the full scope of data collection during audits.
Keystroke/mouse tracking
Impact: A data broker collecting behavioral biometric patterns from your visitors creates enrichment data that enhances their commercial profiles — your visitors' interaction patterns become a sellable data product.
Full session replay
Impact: Session replay capability on a data enrichment platform means People Data Labs can observe exactly how your visitors interact with your site, adding behavioral context to their identity profiles.
Identity stitching
Impact: Cross-domain identity stitching is core to People Data Labs' business. Every site running their JavaScript contributes to a cross-site identity graph that powers their commercial data products.
Ignoring CMP signals
Impact: 100% pre-consent firing rate means every visitor to your site has their data captured by a data broker before any consent mechanism can intervene. This is indefensible under any privacy framework.
Device identification
Impact: Device fingerprinting by a data broker creates persistent identifiers that feed their enrichment pipeline. Your visitors are fingerprinted and added to People Data Labs' commercial database without consent.
PII deanonymization
Impact: PII deanonymization is People Data Labs' core product. Their on-site JavaScript identifies your anonymous visitors and matches them to their database of billions of personal records — this is not a side effect, it is the primary function.
IOC Manifest
Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
Complete network capture with all requests and responses
134 detection signatures across scripts, domains, cookies, and network endpoints