How This Briefing Works
This report opens with key findings, then maps the gaps between what Piwik Pro discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Pre-Consent Activity
Piwik Pro was observed loading and executing before user consent was obtained on 83% of sites where it was detected.
Claims vs. Observed Behavior
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use Piwik Pro
- Require a data processing addendum with explicit session recording and fingerprinting disclosure
- Demand consent framework validation to verify GDPR compliance claims
- Implement an analytics configuration that minimizes PII collection and retention
- Configure session replay to exclude sensitive user interactions and form data
- Establish data retention limits that align with privacy policy commitments
If You're Evaluating Piwik Pro
- Test the consent mechanism to verify tracking stops immediately upon opt-out
- Verify whether data remains exclusively first-party or flows to vendor infrastructure
- Review fingerprinting techniques and cross-session tracking mechanisms
- Assess data flows to understand what analytics data the vendor processes centrally
- Request independent GDPR compliance audit results and privacy certifications
Negotiation Leverage
- Piwik Pro markets privacy compliance but deploys consent bypass and session recording—demand independent validation of GDPR claims and explicit DPA liability protection
- Platform positioning as a privacy-respecting alternative creates heightened regulatory scrutiny—require technical proof that tracking respects opt-out immediately and completely
- Session recording captures sensitive user interactions despite the analytics focus—negotiate recording scope limits and data retention boundaries
- Analytics attribution may distort marketing effectiveness measurement—establish a baseline methodology and validate attribution logic
- Legal tail risk of 100% contradicts the privacy-focused positioning—evaluate whether claimed privacy benefits are technically substantiated or primarily marketing positioning
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
Evasion infrastructure, auditor bypass
Impact: Piwik Pro can detect privacy analysis tools and alter tracking behavior during assessments, masking production data collection scope.
Keystroke/mouse tracking
Impact: Interaction patterns, scroll behavior, and engagement signals create visitor profiles for analytics and segmentation.
Full session replay
Impact: Session replay capability captures full visitor interactions including form fills, navigation, and content consumption.
Ignoring CMP signals
Impact: Analytics tracking can initialize before consent capture or continue after opt-out, processing visitor data regardless of preferences.
Device identification
Impact: Device and browser fingerprinting creates persistent visitor identifiers that enable tracking across sessions.
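The evaluation step above ("test the consent mechanism to verify tracking stops immediately upon opt-out") and the "Ignoring CMP signals" detection both come down to one measurement: which vendor requests leave the browser while consent is still unknown, and which still leave after opt-out. The following is an added example, not BLACKOUT's or Piwik Pro's code. It hooks `fetch()` and `sendBeacon()` on a host object, stamps every call with the consent state in force at that moment, and reports vendor egress by consent state. The `host` object, the `simulatedTracker`, and the `.analytics.example` hostname pattern are all constructed for illustration; in a real assessment you would pass `window`/`navigator`, drive the consent state from your CMP's callbacks, and take the hostname patterns from the IOC manifest.

```javascript
// Added example (not BLACKOUT's or Piwik Pro's code). A small egress monitor
// that records every fetch()/sendBeacon() call together with the consent
// state in force at that moment, so a tester can see which vendor requests
// fired before consent or after opt-out. It takes an explicit `host` object
// instead of `window` so it runs under Node; in a browser you would pass the
// object that owns each API (window.fetch, navigator.sendBeacon).
function createConsentMonitor(host, vendorHostPatterns) {
  const state = { consent: 'unknown', events: [] };

  // Normalise the first argument of fetch()/sendBeacon() (string, URL or
  // Request-like object) to a hostname so it can be matched against patterns.
  const hostnameOf = (target) => {
    const raw = target && typeof target === 'object' && 'url' in target ? target.url : String(target);
    try { return new URL(raw).hostname; } catch { return raw; }
  };

  // Replace host[api] with a recording wrapper that still calls the original,
  // so the page under test keeps working while we observe it.
  const hook = (api) => {
    const original = host[api];
    host[api] = function (...args) {
      state.events.push({ api, hostname: hostnameOf(args[0]), consent: state.consent });
      return typeof original === 'function' ? original.apply(this, args) : undefined;
    };
  };
  hook('fetch');
  hook('sendBeacon');

  const isVendor = (e) => vendorHostPatterns.some((p) => p.test(e.hostname));

  return {
    // Call this from the CMP's change callback: 'unknown' | 'granted' | 'denied'.
    setConsent(value) { state.consent = value; },
    // Only vendor-bound requests count; first-party assets are ignored.
    report() {
      const vendor = state.events.filter(isVendor);
      return {
        total: vendor.length,
        preConsent: vendor.filter((e) => e.consent === 'unknown').length,
        afterOptOut: vendor.filter((e) => e.consent === 'denied').length,
        events: vendor,
      };
    },
  };
}

// Constructed stand-in for a tracking script: it fires a pageview beacon as
// soon as it is asked to, regardless of consent, which is the behaviour the
// report attributes to the vendor. This is not real Piwik Pro code.
function simulatedTracker(host, endpoint) {
  return { pageview: () => host.sendBeacon(`${endpoint}/collect?e=pageview`, '') };
}

// Walks one consent timeline (load -> grant -> opt-out) and returns the report.
function runScenario() {
  // Constructed host with no-op network functions standing in for
  // window.fetch and navigator.sendBeacon.
  const host = { fetch: async () => ({ ok: true }), sendBeacon: () => true };
  // The hostname pattern is an assumption; take real values from the IOC manifest.
  const monitor = createConsentMonitor(host, [/\.analytics\.example$/]);
  const tracker = simulatedTracker(host, 'https://t.analytics.example');

  tracker.pageview();                        // page load: consent still unknown -> pre-consent hit
  host.fetch('https://cdn.example/app.js');  // first-party asset, excluded from the report
  monitor.setConsent('granted');
  tracker.pageview();                        // permitted
  monitor.setConsent('denied');
  tracker.pageview();                        // should never happen after opt-out
  return monitor.report();
}

if (typeof require !== 'undefined' && require.main === module) {
  const r = runScenario();
  console.log(`vendor requests: ${r.total}, pre-consent: ${r.preConsent}, after opt-out: ${r.afterOptOut}`);
}
```

A non-zero `preConsent` count reproduces the "Pre-Consent Activity" finding for the site under test; a non-zero `afterOptOut` count is the evidence to bring to the DPA negotiation. Run the same timeline under a headless and a headed browser, since the "auditor bypass" detection means results can differ when the script believes it is being analysed.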
IOC Manifest
Indicators of compromise across 5 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
Complete network capture with all requests and responses
95 detection signatures across scripts, domains, cookies, and network endpoints