QA mode · Tier:PUBLIC(override via ?tier=paid | premium)
← All Vendors
data_enrichment
RocketReach

RocketReach

HOSTILE — RocketReach operates a sprawling pre-consent surveillance apparatus across 12+ third-party vendors, deploys session replay via Microsoft Clarity, and loads OneTrust as consent theater (banner never shown, all categories auto-consented). Self-identified Texas data broker with 5,887 opt-out requests in 2024. Vendor risk score: 8.2/10.

90
Vendor Risk Score
Tier: HOSTILE
Observation Coverage

BLACKOUT observes runtime behavior in the browser. This dossier reflects browser-side execution, which is one of five vendor data-egress classes. Server-to-server transfers, backend integrations, and offline data flows are outside this observation boundary.

BLACKOUT observes runtime behavior and cites the regulations that address that behavior pattern. Legal determinations are the customer's counsel's call.

How This Briefing Works

This dossier opens with key findings, then maps the gap between what RocketReach discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection evidence underneath. BLACKOUT observes runtime browser behavior and cites the regulations that address each pattern — legal determinations are your counsel's call.

Key Findings

At a Glance

Detections
0

across 0 sites

Pre-Consent Rate
0%

vendor fires before consent

Disclosure Gaps
8

3 CRIT · 3 HIGH

Claims-vs-Reality Classified
BTI-X01BTI-X02BTI-X03BTI-X04BTI-X08BTI-X09BTI-X10BTI-X12
Summary

Briefing

RocketReach (rocketreach.co) is a B2B lead intelligence and data enrichment platform backed by Brighton Park Capital. Despite embedding OneTrust for consent management, the banner is never displayed to visitors — all consent categories are auto-approved (C0001-C0004 set to 1) with zero user interactions recorded. Meanwhile, 12+ third-party tracking vendors fire immediately on page load: Google Analytics 4, Google Ads conversion tracking, Microsoft Clarity session replay, HubSpot analytics, Bing UET, Reddit Pixel, G2 Crowd attribution, and a suspicious cloaked domain (a.usbrowserspeed.com) that sets persistent tracking cookies via AWS infrastructure. The site's CSP whitelist includes 100+ domains including suspicious Russian and unknown TLDs (*.izveztka.ru, *.vk-online.xyz, *.zeltrufgam.com). RocketReach self-identifies as a Texas data broker and processed 5,887 CCPA opt-out/deletion requests in 2024, indicating significant consumer privacy friction.

Customer Impact

What This Means For You

Organizations deploying RocketReach or allowing RocketReach scripts on their properties face four categories of risk: (1) MEASUREMENT CORRUPTION — GA4 fires with falsified consent signals, meaning any shared analytics environment will contain tainted consent data that undermines reporting accuracy. (2) DATA LEAKAGE — visitor data flows to 12+ third parties pre-consent, including advertising platforms (Google, Reddit, Bing) that use it for cross-network profiling and remarketing. (3) LIABILITY EXPOSURE — the phantom consent banner creates a compliance gap that extends to any site embedding RocketReach technology, as the auto-consented OneTrust configuration may be inherited or replicated. EU/UK GDPR, CCPA, and emerging state privacy laws all require meaningful consent for non-essential tracking. (4) SUPPLY CHAIN RISK — the cloaked domain (a.usbrowserspeed.com) and suspicious CSP whitelist entries (Russian TLDs, unknown domains) introduce unknown data flows into the customer's digital supply chain. RocketReach's 5,887 annual opt-out requests signal that consumers are already flagging privacy concerns at scale.

Collapse Engine

Risk Channel Breakdown

Oracle
Truth Collapse
30

Google Analytics 4 fires pre-consent with experiment data and custom dimensions. GA4 consent signals claim all categories granted despite no user interaction. Measurement data flows to Google before any legitimate consent is obtained, poisoning attribution accuracy for any site deploying RocketReach scripts.

Broker
Control Collapse
100

12+ third-party vendors receive visitor data on every page load. Google Ads remarkets with 1p user lists, Reddit Pixel generates persistent UUIDs, G2 Crowd captures attribution data, and a.usbrowserspeed.com sets cross-domain tracking cookies (SameSite=None, 1-year expiry). Demand signals leak to advertising platforms, competitors via G2, and unknown entities via cloaked domains.

Reaper
Safety Collapse
40

Microsoft Clarity captures full session replays (38KB+ compressed payloads per batch) with cross-domain MUID tracking. The CSP whitelist authorizes script execution from 100+ domains including suspicious TLDs (*.izveztka.ru, *.vk-online.xyz). reCAPTCHA invisible iframes perform browser fingerprinting. The attack surface is massive and largely uncontrolled.

Counselor
Legitimacy Collapse
100

OneTrust is loaded but the consent banner is NEVER displayed. All four consent categories (Strictly Necessary, Performance, Functional, Targeting) are auto-set to approved with interactionCount=0. This is textbook consent theater — the CMP exists purely for compliance optics while providing zero actual user choice. Combined with the Do Not Track non-compliance admission and Texas data broker registration, the liability exposure is severe.

BTI Codes

Threat Indicators

Runtime-observed (BTI-C)

BTI-C03
Storage Exfiltration

Cookie/localStorage reading

BTI-C06
Behavioral Biometrics

Keystroke/mouse tracking

BTI-C07
Session Recording

Full session replay

BTI-C09
Consent Bypass

Ignoring CMP signals

BTI-C10
Fingerprinting

Device identification

BTI-C14
Identity Resolution

PII deanonymization

BTI-C19
Client-Side Manipulation

Site tampering (MITB)

Claims-vs-Reality (BTI-X)

BTI-X01
Undisclosed Party

Not in privacy policy

BTI-X02
Undisclosed Sharing

Hidden data recipients

BTI-X03
Retention Violation

Exceeds disclosed retention

BTI-X04
Marketing Mismatch

Behavior contradicts marketing

BTI-X08
Scope Creep

Collection exceeds disclosed scope

BTI-X09
Data Security Discrepancy

Security claims vs evidence

BTI-X10
CMP Disclosure Mismatch

CMP vendor list vs runtime

BTI-X12
Assurance Gap

Gated or missing due diligence docs

7
BTI Consequences Identified

Per-code narrative explanations of what each detected behavior means for your organization

Available in VIDB Subscription

Per-code evidence with full attribution chain, severity rankings, and consequence narratives See pricing →

Disclosure Gaps

Claims vs. Reality

8
Gaps Observed
3 CRITICAL3 HIGH2 MEDIUM

BLACKOUT analyzed RocketReach's public claims against observed runtime behavior and identified 8 contradictions.

BTI-X01BTI-X02BTI-X03BTI-X04BTI-X08BTI-X09BTI-X10BTI-X12
Featured Gap
CRITICAL
They Claim

""

BLACKOUT Observed

7 more gaps — with regulatory citations and evidence pointers — available with subscription.

Available in VIDB Subscription

Full claim-vs-reality gap analysis with claim text, observed behavior, severity, regulatory citations (GDPR, CCPA, ePrivacy), and evidence pointers per gap See pricing →

Recommended Actions

What To Do

Recommended Actions
0

0 for current users · 0 for evaluators

Negotiation Leverage
5

contractual leverage points

Available in VIDB Subscription

Role-specific actions (security / legal / marketing / procurement), full negotiation brief with contractual language, and BTI-code-specific consequences See pricing →

Ecosystem

Supply Chain & Pairings

Available in VIDB Subscription

Full supply-chain mapping (loads / loaded-by lists with vendor identities) and the undisclosed-subprocessor list with observation evidence See pricing →