How This Briefing Works
This report opens with key findings, then maps the gaps between what RudderStack discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Key Findings
14 detections across 9 sites29% pre-consent activity
HIGH
Pre-Consent Activity
RudderStack was observed loading and executing before user consent was obtained on 29% of sites where it was detected.
GDPRePrivacy
HIGH
Undisclosed Sharing
Hidden data recipients
HIGH
Marketing Mismatch
Behavior contradicts marketing
HIGH
Compliance Claim Mismatch
False certification claims
Disclosure Gaps
Claims vs. Observed Behavior
3 gaps
2 MED
Classified:BTI-X02BTI-X04BTI-X05
Subprocessor Disclosure
GDPR Art 28 · CCPA 1798.140MEDIUM
They Claim
“Subprocessor list available in DPA”
Observed Behavior
12+ marketing vendors (BingAds, DoubleClick, Clarity, Hotjar, etc.) active on website but not in public documentation
Runtime scan detected: Cloudflare Insights, Mapbox, Qualified (pre-consent); BingAds, Clarity, DoubleClick, GA4, GTM, Hotjar, HubSpot, LinkedInAds, Reddit
Privacy-First Marketing
GDPR Art 6 · ePrivacy DirectiveMEDIUM
They Claim
“Privacy and Security focused Segment-alternative with privacy-first architecture”
Observed Behavior
28.6% pre-consent tracking including advertising network pixels
Own GitHub repo and marketing describe privacy focus; runtime shows ad trackers loading before consent
Consent Framework
GDPR Art 7 · CCPA 1798.100LOW
They Claim
“GDPR and CCPA compliant”
Observed Behavior
Pre-consent tracking present on own properties
28.6% pre-consent rate detected across scans
Customer Impact
What This Means For You
If RudderStack routes your customer data, their "data never leaves your infrastructure" positioning is a meaningful differentiator — but their own website tells a contradictory story. RudderStack deploys DoubleClick, BingAds, LinkedInAds, and Reddit advertising pixels pre-consent on rudderstack.com at a 28.6% rate, suggesting privacy-first principles are not consistently applied. Under GDPR Art 28, 12+ marketing vendors on their site are not in their public subprocessor documentation. While their warehouse-native architecture provides genuine data control benefits, the gap between privacy-first marketing and corporate site behavior warrants scrutiny. Their SOC2 Type II certification is a positive signal but does not explain the pre-consent advertising pixels.
Recommended Actions
What To Do About It
Role-specific actions based on observed behavior
If You Use RudderStack
- →Audit your RudderStack consent integration — ensure events are blocked pre-consent for GDPR regions given their own 28.6% pre-consent rate
- →Review destinations receiving data and compare against your privacy policy disclosure obligations
- →Implement server-side tracking where possible to maximize the warehouse-native data control benefit
- →Request their full subprocessor list via DPA — 12+ vendors on their site are not in public documentation
- →Verify your implementation achieves the 'data never leaves your infrastructure' promise with network traffic monitoring
If You're Evaluating RudderStack
- →Note the gap between 'privacy and security focused' marketing and pre-consent advertising pixels on rudderstack.com
- →Request SOC2 Type II report and verify scope covers their SDK and data routing infrastructure
- →Verify that the warehouse-native architecture truly keeps data in your environment with no intermediate processing
- →Compare RudderStack's actual consent architecture against Segment — both have pre-consent issues on their own sites
- →Test consent-first SDK behavior in your environment before deployment to verify privacy claims
Negotiation Leverage
- →Privacy-first verification: RudderStack markets as the privacy-focused Segment alternative. Require documented evidence of how their SDK enforces consent-first data routing, given pre-consent advertising pixels on their own site.
- →Subprocessor reconciliation: 12+ marketing vendors on rudderstack.com not in public documentation. Require complete subprocessor list covering both infrastructure and marketing technology partners.
- →Warehouse-native guarantees: RudderStack's value proposition is that data stays in your warehouse. Require contractual guarantee with technical architecture documentation and right to audit data flows.
- →Pre-consent SLA: 28.6% pre-consent rate on their site. Require contractual guarantee that their SDK loads only after consent on your property.
Runtime Detections
Runtime Detections
6 BTI-C CODES
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
BTI-C01Defeat Device
Evasion infrastructure, auditor bypass
BTI-C06Behavioral Biometrics
Keystroke/mouse tracking
BTI-C09Consent Bypass
Ignoring CMP signals
BTI-C10Fingerprinting
Device identification
BTI-C14Identity Resolution
PII deanonymization
BTI-C15Tag Manager
Container/loader (neutral)
IOC Manifest
IOC Manifest
148 INDICATORS
Indicators of compromise across 5 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
TRACK
*www.rudderstack.com/_next/static/chunks/*.js*
Tracking script
TRACK
*www.rudderstack.com/_next/static/chunks/turbopack-*.js*
Tracking script
EXFIL
*www.rudderstack.com/lotties/products/solutions-data-integration.json*
Data collection endpoint
TRACK
cdn.rudderlabs.com
Tracking script
TRACK
rudder-analytics.min.js
Tracking script
TRACK
rudderanalytics
Tracking script
TRACK
www.rudderstack.com/_next/static/chunks/49aab54d5dec5810.js
Auto-extracted from scan
TRACK
www.rudderstack.com/_next/static/chunks/0c20544140243c18.js
Auto-extracted from scan
TRACK
www.rudderstack.com/_next/static/chunks/fdffc7ff647356f2.js
Auto-extracted from scan
TRACK
www.rudderstack.com/_next/static/chunks/e984564fe21ad893.js
Auto-extracted from scan
TRACK
www.rudderstack.com/_next/static/chunks/b17f1041b13a12b9.js
Auto-extracted from scan
TRACK
www.rudderstack.com/_next/static/chunks/47ad803248115596.js
Auto-extracted from scan
TRACK
www.rudderstack.com/_next/static/chunks/turbopack-45819147ecaffe54.js
Auto-extracted from scan
TRACK
www.rudderstack.com/_next/static/chunks/b4ff0ebcd927c6ba.js
Auto-extracted from scan
TRACK
www.rudderstack.com/_next/static/chunks/78d68738759cf338.js
Auto-extracted from scan
TRACK
www.rudderstack.com/_next/static/chunks/a4b7b0fa23d10ebd.js
Auto-extracted from scan
TRACK
www.rudderstack.com/_next/static/chunks/6e988a8fe24c7f3d.js
Auto-extracted from scan
TRACK
www.rudderstack.com/_next/static/chunks/de7515b56b5900b2.js
Auto-extracted from scan
TRACK
www.rudderstack.com/_next/static/chunks/b295c8e5868fb191.js
Auto-extracted from scan
TRACK
www.rudderstack.com/_next/static/chunks/80012b9c4137bc5c.js
Auto-extracted from scan
TRACK
www.rudderstack.com/_next/static/chunks/217305bb8e4c9778.js
Auto-extracted from scan
TRACK
www.rudderstack.com/_next/static/chunks/15ce2b9934eaabb0.js
Auto-extracted from scan
TRACK
www.rudderstack.com/_next/static/chunks/36b6d4bdf7232fa2.js
Auto-extracted from scan
TRACK
www.rudderstack.com/_next/static/chunks/cfd78a61f475ea4f.js
Auto-extracted from scan
TRACK
www.rudderstack.com/_next/static/chunks/5799830ca6525eb3.js
Auto-extracted from scan
TRACK
www.rudderstack.com/_next/static/chunks/609d0cd850a91ccf.js
Auto-extracted from scan
TRACK
www.rudderstack.com/_next/static/chunks/31899331592a2f7c.js
Auto-extracted from scan
TRACK
www.rudderstack.com/_next/static/chunks/2a54e734e9b08c05.js
Auto-extracted from scan
TRACK
www.rudderstack.com/_next/static/chunks/45b6daff1cf85ac7.js
Auto-extracted from scan
TRACK
www.rudderstack.com/_next/static/chunks/30ef500124933c8d.js
Auto-extracted from scan
TRACK
www.rudderstack.com/_next/static/chunks/f48b1cef1f00aa42.js
Auto-extracted from scan
TRACK
www.rudderstack.com/_next/static/chunks/c460da279fe1d202.js
Auto-extracted from scan
TRACK
www.rudderstack.com/_next/static/chunks/00bff982f6197d53.js
Auto-extracted from scan
TRACK
www.rudderstack.com/_next/static/chunks/29a32bb96238a981.js
Auto-extracted from scan
TRACK
www.rudderstack.com/_next/static/chunks/cfd64ebd9ada3768.js
Auto-extracted from scan
TRACK
www.rudderstack.com/_next/static/chunks/9ebe34064a29a33b.js
Auto-extracted from scan
TRACK
www.rudderstack.com/_next/static/chunks/b929eb24bdb0eb42.js
Auto-extracted from scan
TRACK
www.rudderstack.com/_next/static/chunks/0f380be72090463f.js
Auto-extracted from scan
TRACK
www.rudderstack.com/_next/static/chunks/f37fff3113a0aa6c.js
Auto-extracted from scan
TRACK
www.rudderstack.com/_next/static/chunks/9a42e90967197be5.js
Auto-extracted from scan
TRACK
www.rudderstack.com/_next/static/chunks/34c6938262d776c7.js
Auto-extracted from scan
TRACK
www.rudderstack.com/_next/static/chunks/0f507a78357800b1.js
Auto-extracted from scan
TRACK
www.rudderstack.com/_next/static/chunks/d0fe3293553213ad.js
Auto-extracted from scan
TRACK
www.rudderstack.com/_next/static/chunks/c7cbaf637cc3ad6c.js
Auto-extracted from scan
TRACK
www.rudderstack.com/_next/static/chunks/4328e306eddd44e5.js
Auto-extracted from scan
TRACK
www.rudderstack.com/_next/static/chunks/aac9383333f43807.js
Auto-extracted from scan
TRACK
www.rudderstack.com/_next/static/chunks/155f8cb8073f2eae.js
Auto-extracted from scan
TRACK
www.rudderstack.com/_next/static/chunks/1b1857c81e5eb5e2.js
Auto-extracted from scan
TRACK
www.rudderstack.com/_next/static/chunks/d801cc69dcfdd9a8.js
Auto-extracted from scan
TRACK
www.rudderstack.com/_next/static/chunks/8ccbd8a84741806b.js
Auto-extracted from scan
TRACK
www.rudderstack.com/_next/static/chunks/43621d682302fc47.js
Auto-extracted from scan
TRACK
www.rudderstack.com/_next/static/chunks/d6501fd9ac030a22.js
Auto-extracted from scan
TRACK
www.rudderstack.com/_next/static/chunks/c256834bac98048b.js
Auto-extracted from scan
TRACK
www.rudderstack.com/_next/static/chunks/1eb8ff72b615d276.js
Auto-extracted from scan
TRACK
www.rudderstack.com/_next/static/chunks/12cfe0b24a676e64.js
Auto-extracted from scan
TRACK
www.rudderstack.com/_next/static/chunks/cc70e0230d0dbcd2.js
Auto-extracted from scan
TRACK
www.rudderstack.com/_next/static/chunks/da9a796427563466.js
Auto-extracted from scan
Ecosystem
Ecosystem & Supply Chain
RudderStack sits at the infrastructure layer of modern data stacks, functioning as a Customer Data Platform that collects events from websites and apps, then routes them to data warehouses and downstream tools. They are typically loaded via tag managers (detected loading method: inline) or direct SDK integration. RudderStack integrates with 200+ destinations including Snowflake, BigQuery, and marketing tools. On their own site, they load GoogleTagManager which orchestrates additional vendors. They compete with Segment (acquired by Twilio), mParticle, and Tealium. As warehouse-native CDP, they claim not to store customer data but serve as the routing layer. When customers deploy RudderStack, any consent framework gaps in the RudderStack implementation could propagate to all downstream destinations.
Loads (1)
Evidence
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
HAR Capture
Complete network capture with all requests and responses
IOC Manifest
176 detection signatures across scripts, domains, cookies, and network endpoints