How This Briefing Works
This dossier opens with key findings, then maps the gap between what ProspectDesk discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection evidence underneath. BLACKOUT observes runtime browser behavior and cites the regulations that address each pattern — legal determinations are your counsel's call.
At a Glance
across 4 sites
vendor fires before consent
1 HIGH
Briefing
ProspectDesk is an AI-powered visitor de-anonymization platform that identifies anonymous website visitors and resolves them to company and individual profiles. BLACKOUT detected ProspectDesk across 3 deployments on 3 sites, revealing 5 tracking domains, 5 scripts, and 2 cookies. Five behavioral threat codes were triggered including identity resolution (C14), fingerprinting (C10), and persistence mechanisms (C13). With a 67% pre-consent firing rate, ProspectDesk's entire purpose — converting anonymous visitors into identified leads — executes before consent on the majority of observed deployments. The 5 domains serving a small deanon vendor suggest reliance on external identity graph partners, meaning your visitor data flows to infrastructure beyond ProspectDesk itself.
What This Means For You
If ProspectDesk is deployed on your site, your anonymous visitors are being covertly identified and resolved to named individuals — and on 67% of observed deployments, this happens before any consent is collected. You are operating a de-anonymization service on your website that most of your visitors do not know about and did not agree to. The 5 external domains mean your visitor data is flowing to identity graph infrastructure beyond ProspectDesk, expanding your data processor chain and GDPR Article 28 obligations. If a visitor exercises their right to access under GDPR Article 15, you will need to account for the identification and profiling that ProspectDesk performed — including data held by their identity graph partners. The regulatory risk is not theoretical: de-anonymization vendors are precisely the category that EU data protection authorities have signaled as enforcement priorities.
Risk Channel Breakdown
ProspectDesk's identity resolution (C14) and fingerprinting (C10) create a parallel view of your site visitors that exists entirely outside your analytics stack. The identified visitor profiles ProspectDesk generates may not align with what your own systems report, distorting your understanding of who is visiting your site and why.
5 domains for a small de-anonymization vendor indicates reliance on third-party identity graph partners. Your visitor data — resolved to individuals — flows through external identity infrastructure where it may be aggregated with data from other ProspectDesk clients, giving identity graph providers intelligence about your audience that benefits the broader network.
Expands attack surface
De-anonymization is the highest-risk category under privacy regulations. A 67% pre-consent rate on a tool whose sole purpose is identifying anonymous visitors creates acute GDPR Article 6 and ePrivacy liability. Under GDPR, visitors have the right not to be identified without consent. ProspectDesk's default behavior directly contradicts this right on two-thirds of observed deployments.
Threat Indicators
Runtime-observed (BTI-C)
Evasion infrastructure, auditor bypass
Ignoring CMP signals
Device identification
Long-lived identifiers
PII deanonymization
Per-code narrative explanations of what each detected behavior means for your organization
Per-code evidence with full attribution chain, severity rankings, and consequence narratives See pricing →
Claims vs. Reality
BLACKOUT analyzed ProspectDesk's public claims against observed runtime behavior and identified 1 contradiction.
Full claim-vs-reality gap analysis with claim text, observed behavior, severity, regulatory citations (GDPR, CCPA, ePrivacy), and evidence pointers per gap See pricing →
What To Do
4 for current users · 4 for evaluators
contractual leverage points
Role-specific actions (security / legal / marketing / procurement), full negotiation brief with contractual language, and BTI-code-specific consequences See pricing →
Supply Chain & Pairings
Full supply-chain mapping (loads / loaded-by lists with vendor identities) and the undisclosed-subprocessor list with observation evidence See pricing →