How This Briefing Works
This dossier opens with key findings, then maps the gap between what RocketReach discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection evidence underneath. BLACKOUT observes runtime browser behavior and cites the regulations that address each pattern — legal determinations are your counsel's call.
At a Glance
across 0 sites
vendor fires before consent
3 CRIT · 3 HIGH
Briefing
RocketReach (rocketreach.co) is a B2B lead intelligence and data enrichment platform backed by Brighton Park Capital. Despite embedding OneTrust for consent management, the banner is never displayed to visitors — all consent categories are auto-approved (C0001-C0004 set to 1) with zero user interactions recorded. Meanwhile, 12+ third-party tracking vendors fire immediately on page load: Google Analytics 4, Google Ads conversion tracking, Microsoft Clarity session replay, HubSpot analytics, Bing UET, Reddit Pixel, G2 Crowd attribution, and a suspicious cloaked domain (a.usbrowserspeed.com) that sets persistent tracking cookies via AWS infrastructure. The site's CSP whitelist includes 100+ domains including suspicious Russian and unknown TLDs (*.izveztka.ru, *.vk-online.xyz, *.zeltrufgam.com). RocketReach self-identifies as a Texas data broker and processed 5,887 CCPA opt-out/deletion requests in 2024, indicating significant consumer privacy friction.
What This Means For You
Organizations deploying RocketReach or allowing RocketReach scripts on their properties face four categories of risk: (1) MEASUREMENT CORRUPTION — GA4 fires with falsified consent signals, meaning any shared analytics environment will contain tainted consent data that undermines reporting accuracy. (2) DATA LEAKAGE — visitor data flows to 12+ third parties pre-consent, including advertising platforms (Google, Reddit, Bing) that use it for cross-network profiling and remarketing. (3) LIABILITY EXPOSURE — the phantom consent banner creates a compliance gap that extends to any site embedding RocketReach technology, as the auto-consented OneTrust configuration may be inherited or replicated. EU/UK GDPR, CCPA, and emerging state privacy laws all require meaningful consent for non-essential tracking. (4) SUPPLY CHAIN RISK — the cloaked domain (a.usbrowserspeed.com) and suspicious CSP whitelist entries (Russian TLDs, unknown domains) introduce unknown data flows into the customer's digital supply chain. RocketReach's 5,887 annual opt-out requests signal that consumers are already flagging privacy concerns at scale.
Risk Channel Breakdown
Google Analytics 4 fires pre-consent with experiment data and custom dimensions. GA4 consent signals claim all categories granted despite no user interaction. Measurement data flows to Google before any legitimate consent is obtained, poisoning attribution accuracy for any site deploying RocketReach scripts.
12+ third-party vendors receive visitor data on every page load. Google Ads remarkets with 1p user lists, Reddit Pixel generates persistent UUIDs, G2 Crowd captures attribution data, and a.usbrowserspeed.com sets cross-domain tracking cookies (SameSite=None, 1-year expiry). Demand signals leak to advertising platforms, competitors via G2, and unknown entities via cloaked domains.
Microsoft Clarity captures full session replays (38KB+ compressed payloads per batch) with cross-domain MUID tracking. The CSP whitelist authorizes script execution from 100+ domains including suspicious TLDs (*.izveztka.ru, *.vk-online.xyz). reCAPTCHA invisible iframes perform browser fingerprinting. The attack surface is massive and largely uncontrolled.
OneTrust is loaded but the consent banner is NEVER displayed. All four consent categories (Strictly Necessary, Performance, Functional, Targeting) are auto-set to approved with interactionCount=0. This is textbook consent theater — the CMP exists purely for compliance optics while providing zero actual user choice. Combined with the Do Not Track non-compliance admission and Texas data broker registration, the liability exposure is severe.
Threat Indicators
Runtime-observed (BTI-C)
Cookie/localStorage reading
Keystroke/mouse tracking
Full session replay
Ignoring CMP signals
Device identification
PII deanonymization
Site tampering (MITB)
Claims-vs-Reality (BTI-X)
Not in privacy policy
Hidden data recipients
Exceeds disclosed retention
Behavior contradicts marketing
Collection exceeds disclosed scope
Security claims vs evidence
CMP vendor list vs runtime
Gated or missing due diligence docs
Per-code narrative explanations of what each detected behavior means for your organization
Per-code evidence with full attribution chain, severity rankings, and consequence narratives See pricing →
Claims vs. Reality
BLACKOUT analyzed RocketReach's public claims against observed runtime behavior and identified 8 contradictions.
""
7 more gaps — with regulatory citations and evidence pointers — available with subscription.
Full claim-vs-reality gap analysis with claim text, observed behavior, severity, regulatory citations (GDPR, CCPA, ePrivacy), and evidence pointers per gap See pricing →
What To Do
0 for current users · 0 for evaluators
contractual leverage points
Role-specific actions (security / legal / marketing / procurement), full negotiation brief with contractual language, and BTI-code-specific consequences See pricing →
Supply Chain & Pairings
Full supply-chain mapping (loads / loaded-by lists with vendor identities) and the undisclosed-subprocessor list with observation evidence See pricing →