How This Briefing Works
This dossier opens with key findings, then maps the gap between what RB2B discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection evidence underneath. BLACKOUT observes runtime browser behavior and cites the regulations that address each pattern — legal determinations are your counsel's call.
At a Glance
across 51 sites
vendor fires before consent
3 CRIT · 2 HIGH
Briefing
RB2B is a B2B visitor identification platform owned by Retention.com (Austin, TX) that deanonymizes website visitors by harvesting personal emails, LinkedIn profiles, and company data. The platform deploys sophisticated defeat device infrastructure targeting 60+ compliance audit tools (Playwright, Puppeteer, Selenium) to evade regulatory oversight. Despite claims of SOC2 Type II, GDPR, and CCPA compliance, runtime analysis reveals 5.1% pre-consent tracking, HubSpot/Facebook cookie theft ("identifier laundering"), and 87% of third-party vendors on their site undisclosed in privacy documentation. Founder Adam Robinson (ex-Lehman Brothers) has publicly described the methodology as "email laundering" - applying financial CDO methodology to consumer data.
What This Means For You
If RB2B is deployed on your site, your privacy policy is almost certainly inaccurate. You have inherited 54+ undisclosed sub-processors through their script, creating direct GDPR Article 28 liability. Their 5.1% pre-consent tracking rate means data is being collected from your visitors before consent is granted — that is your regulatory exposure, not theirs. Their defeat device infrastructure means any compliance audit you run will see different behavior than what your actual visitors experience, making your audit results unreliable. HubSpot and Facebook cookie values are being copied to RB2B-controlled keys without authorization from either platform, which may violate your integration agreements. If you are subject to GDPR, CCPA, or ePrivacy Directive, RB2B creates material compliance gaps that your existing consent mechanism does not cover.
Risk Channel Breakdown
RB2B corrupts attribution by intercepting HubSpot and Facebook cookies, creating a parallel identity graph that competes with legitimate marketing attribution. The stolen hubspotutk cookie is copied to _reb2butk after a 2000ms delay to capture enriched identifiers, then used for cross-site correlation that pollutes first-party measurement.
Core business model is demand signal theft. RB2B identifies anonymous visitors on competitor websites and routes those leads to paying customers. Companies using RB2B receive competitor intent signals; companies being scraped by RB2B lose competitive intelligence to rivals. White-label network (Knock2.ai, Clay) amplifies signal leakage.
Defeat device infrastructure creates audit-proof attack surface. 60+ bot detection patterns disable tracking during compliance scans, meaning security assessments never see actual behavior. S3 bucket aliases (b2bjsstore) provide CDN-evasion fallback. Base64-encoded endpoints hide IP-API geolocation calls from static analysis.
Nine BTI-X violations create substantial regulatory exposure. SOC2/GDPR/CCPA claims combined with pre-consent tracking (X05), defeat devices (X04), and anonymous claims contradicted by PII harvesting (X09) constitute material misrepresentation. Cookie theft from HubSpot/Facebook without authorization may violate CFAA. GDPR Article 3(2) triggered via UK deployments (Cognism).
Threat Indicators
Runtime-observed (BTI-C)
Evasion infrastructure, auditor bypass
Keystroke/mouse tracking
Full session replay
Identity stitching
Ignoring CMP signals
Device identification
PII deanonymization
Container/loader (neutral)
Claims-vs-Reality (BTI-X)
Not in privacy policy
Hidden data recipients
Behavior contradicts marketing
False certification claims
Data to undisclosed regions
Collection exceeds disclosed scope
Security claims vs evidence
CMP vendor list vs runtime
Gated or missing due diligence docs
Per-code narrative explanations of what each detected behavior means for your organization
Per-code evidence with full attribution chain, severity rankings, and consequence narratives See pricing →
Claims vs. Reality
BLACKOUT analyzed RB2B's public claims against observed runtime behavior and identified 6 contradictions.
"SOC2 Type II, GDPR, CCPA Compliant"
60+ bot detection patterns disable tracking during compliance audits
5 more gaps — with regulatory citations and evidence pointers — available with subscription.
Full claim-vs-reality gap analysis with claim text, observed behavior, severity, regulatory citations (GDPR, CCPA, ePrivacy), and evidence pointers per gap See pricing →
What To Do
5 for current users · 5 for evaluators
contractual leverage points
Role-specific actions (security / legal / marketing / procurement), full negotiation brief with contractual language, and BTI-code-specific consequences See pricing →
Supply Chain & Pairings
Claims 8, observed 9
googletagmanager, googleanalytics4, liveintent…
Full supply-chain mapping (loads / loaded-by lists with vendor identities) and the undisclosed-subprocessor list with observation evidence See pricing →