All Vendors
intent_data
TechTarget

TechTarget

Registered data broker and intent data provider with zero consent infrastructure on its editorial network. 72 tracking pixels, session replay, and cross-domain ad exchange activity fire immediately on page load with no consent mechanism present.

87 IOCs
80
Vendor Risk Score

How This Briefing Works

This report opens with key findings, then maps the gaps between what TechTarget discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

Key Findings

2 critical disclosure gaps
CRITICAL

Consent Infrastructure Absent

No cookie consent banner exists on techtarget.com. All tracking, including session replay (Microsoft Clarity) and 72 MathTag tracking pixels, fires immediately on page load with zero consent interaction.

GDPR Art 5(3)ePrivacy Directive Art 5(3)EU-US DPF Principles
CRITICAL

Session Replay Without Consent

Microsoft Clarity session replay (tag mc1aheaw4v) records visitor interactions including clicks, scroll behavior, and form interactions. Initialized pre-consent with no opt-in mechanism.

GDPR Art 6GDPR Art 7ePrivacy Directive Art 5(3)
HIGH

Undisclosed Subprocessors

10+ additional third-party services observed receiving visitor data at runtime that are not listed as subprocessors: Microsoft Clarity, Chartbeat, Optimizely, StackAdapt, MediaMath/MathTag, AppNexus/Xandr, DoubleVerify, dpmsrv.com, Cloudflare analytics, usbrowserspeed.com.

GDPR Art 28GDPR Art 13
HIGH

Cross-Domain Cookie Syncing

Hidden DoubleClick partner pixel iframe (cm.g.doubleclick.net/partnerpixels) and AppNexus segment pixels (ib.adnxs.com/seg) with hundreds of segment IDs observed loading in hidden iframes. These enable identity graph construction across ad exchanges.

GDPR Art 5(1)(a)ePrivacy Directive Art 5(3)
HIGH

Undisclosed Sharing

Hidden data recipients

Disclosure Gaps

Claims vs. Observed Behavior

5 gaps
2 CRIT2 HIGH1 MED
Classified:BTI-X02BTI-X05

Undisclosed Subprocessors

GDPR Art 28 · GDPR Art 13HIGH
They Claim

Subprocessor list names 18 vendors

Observed Behavior

10+ additional third-party services observed receiving visitor data at runtime that are not listed as subprocessors: Microsoft Clarity, Chartbeat, Optimizely, StackAdapt, MediaMath/MathTag, AppNexus/Xandr, DoubleVerify, dpmsrv.com, Cloudflare analytics, usbrowserspeed.com.

CDT MCP network request analysis and performance resource timing API

Do Not Track Explicitly Rejected

CCPA · CalOPPAMEDIUM
They Claim

Claims to honor GPC signal for device/browser information

Observed Behavior

Privacy policy explicitly states: our websites currently do not respond to do not track browser headers. GPC honored only for device/browser info, not direct identifiers like name or email.

Privacy policy Section 12 and Section 13 verbatim text

Customer Impact

What This Means For You

If your organization purchases TechTarget intent data, you are consuming signals collected without consent infrastructure on the editorial network. Under GDPR, the lawfulness of the underlying data collection directly affects the legitimacy of downstream processing. TechTarget's absence of a cookie consent mechanism means intent signals derived from EU visitors may lack a valid legal basis under Art 6 GDPR, creating liability exposure for any organization that uses this data for targeting or outreach. Additionally, your employees who research vendors on TechTarget sites generate intent signals that are sold to your competitors and other TechTarget Partners. The 10+ undisclosed third-party services on the editorial network mean visitor data flows to parties not covered by TechTarget's DPA or subprocessor list, creating audit gaps for organizations subject to GDPR Art 28 processor chain requirements.
Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use TechTarget

  • Audit your DPA with TechTarget to confirm the subprocessor list matches the 10+ undisclosed third-party services observed at runtime (Clarity, Chartbeat, Optimizely, StackAdapt, MediaMath, AppNexus, DoubleVerify, dpmsrv.com)
  • Request documentation of the legal basis for intent data collection from EU visitors given the absence of consent infrastructure on the editorial network
  • Evaluate whether your use of TechTarget intent data for outreach to EU-based contacts creates GDPR Art 6 liability for your organization
  • Add contract clause requiring TechTarget to notify you within 30 days of any new third-party tracking added to their editorial network

If You're Evaluating TechTarget

  • Request evidence of consent infrastructure deployment timeline for the editorial network before signing
  • Require contractual warranty that intent data provided has a valid legal basis under GDPR for EU-sourced signals
  • Compare TechTarget intent data pricing against alternatives that operate with consent infrastructure (Bombora, G2)
  • Negotiate right-to-audit clause with access to real-time tracking inventory on editorial sites that generate your intent data

Negotiation Leverage

  • Subprocessor disclosure gap: Runtime investigation identified 10+ third-party services receiving visitor data that are not listed on TechTarget's subprocessor page. Request a complete and current subprocessor list that includes all client-side tracking services, not just server-side infrastructure vendors.
  • Consent infrastructure absence: TechTarget's editorial sites have no cookie consent banner, yet the company certifies EU-US Data Privacy Framework compliance. Request contractual warranty that intent data delivered to you was collected with a valid legal basis under GDPR Art 6, with indemnification for regulatory action stemming from unlawful collection.
  • Data broker disclosure leverage: TechTarget is a registered data broker in California (Registration #186791) and explicitly states it sells personal data. Use this disclosure to negotiate data minimization requirements and purpose limitations in your DPA.
  • Session replay exposure: Microsoft Clarity session replay on the editorial network records visitor interactions without consent. If your employees research vendors on TechTarget sites, their behavior is being recorded. Request exclusion of session replay data from intent signals provided to your account.
  • Competitive intelligence risk: TechTarget sells intent data to multiple competing vendors simultaneously. Request contractual exclusivity provisions or at minimum a disclosure of how many of your direct competitors receive intent signals from the same topic categories you purchase.
Runtime Detections

Runtime Detections

6 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C06Behavioral Biometrics

Keystroke/mouse tracking

BTI-C08Cross-Domain Sync

Identity stitching

BTI-C09Consent Bypass

Ignoring CMP signals

BTI-C13Persistence Mechanisms

Long-lived identifiers

BTI-C14Identity Resolution

PII deanonymization

BTI-C15Tag Manager

Container/loader (neutral)

IOC Manifest

IOC Manifest

87 INDICATORS

Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

TRACK
*www.techtarget.com/cdn-cgi/scripts/*/cloudflare-static/rocket-loader.js*
Tracking script
TRACK
*www.techtarget.com/rms/ux/responsive/js/libs/jquery-1.10.2.js*
Tracking script
EXFIL
*www.techtarget.com/cmp/ttCmpApi.js*
Data collection endpoint
TRACK
*www.techtarget.com/cmp/sourcepoint/ccpa-config.js*
Tracking script
TRACK
*www.techtarget.com/cmp/sourcepoint/gdprTCFv2-config.js*
Tracking script
TRACK
*www.techtarget.com/rms/ux/responsive/js/responsive.js*
Tracking script
TRACK
*www.techtarget.com/rms/ux/responsive/js/responsive-ui.js*
Tracking script
TRACK
*optimizely.techtarget.com/optimizely-edge/**
Tracking script
TRACK
*www.techtarget.com/rms/ux/responsive/js/libs/techtarget-informa-banner.js*
Tracking script
TRACK
*www.techtarget.com/cdn-cgi/challenge-platform/scripts/jsd/main.js*
Tracking script
TRACK
*www.techtarget.com/rms/ux/responsive/js/libs/techtarget-informa-footer.js*
Tracking script
TRACK
*www.techtarget.com/cdn-cgi/challenge-platform/h/g/scripts/jsd/*/main.js*
Tracking script
TRACK
*consent.techtarget.com/unified/wrapperMessagingWithoutDetection.js*
Tracking script
TRACK
*consent.techtarget.com/unified/4.40.0/gdpr-tcf.*.bundle.js*
Tracking script
EXFIL
*consent.techtarget.com/unified/4.40.0/usnat-uspapi.*.bundle.js*
Data collection endpoint
EXFIL
*consent.techtarget.com/mms/v2/get_site_data*
Data collection endpoint
TRACK
*consent.techtarget.com/polyfills.*.js*
Tracking script
TRACK
*consent.techtarget.com/PrivacyManagerUS.3cbad.js*
Tracking script
TRACK
*consent.techtarget.com/unified/4.40.1/gdpr-tcf.*.bundle.js*
Tracking script
EXFIL
*consent.techtarget.com/unified/4.40.1/usnat-uspapi.*.bundle.js*
Data collection endpoint
TRACK
www.techtarget.com/cdn-cgi/scripts/7d0fa10a/cloudflare-static/rocket-loader.min.js
Auto-extracted from scan
TRACK
www.techtarget.com/rms/ux/responsive/js/libs/jquery-1.10.2.min.js
Auto-extracted from scan
TRACK
www.techtarget.com/rms/ux/responsive/js/responsive-ui.min.js
Auto-extracted from scan
TRACK
optimizely.techtarget.com/optimizely-edge/17796810052
Auto-extracted from scan
TRACK
www.techtarget.com/rms/ux/responsive/js/responsive.min.js
Auto-extracted from scan
EXFIL
www.techtarget.com/cmp/ttCmpApi.min.js
Auto-extracted from scan
TRACK
www.techtarget.com/cmp/sourcepoint/ccpa-config.min.js
Auto-extracted from scan
TRACK
www.techtarget.com/cmp/sourcepoint/gdprTCFv2-config.min.js
Auto-extracted from scan
TRACK
consent.techtarget.com/unified/wrapperMessagingWithoutDetection.js
Auto-extracted from scan
TRACK
www.techtarget.com/rms/ux/responsive/js/libs/techtarget-informa-banner.min.js
Auto-extracted from scan
TRACK
www.techtarget.com/rms/ux/responsive/js/libs/techtarget-informa-footer.min.js
Auto-extracted from scan
TRACK
www.techtarget.com/cdn-cgi/challenge-platform/scripts/jsd/main.js
Auto-extracted from scan
TRACK
www.techtarget.com/cdn-cgi/challenge-platform/h/g/scripts/jsd/ea2d291c0fdc/main.js
Auto-extracted from scan
TRACK
consent.techtarget.com/unified/4.40.1/gdpr-tcf.27718c8cb9d29947d2c1.bundle.js
Auto-extracted from scan
EXFIL
consent.techtarget.com/unified/4.40.1/usnat-uspapi.090eccada574d39af6f8.bundle.js
Auto-extracted from scan
Ecosystem

Ecosystem & Supply Chain

TechTarget operates as both a content publisher and a B2B intent data provider. Its 220+ editorial websites (techtarget.com, searchsecurity.com, searchnetworking.com, etc.) serve as the data collection infrastructure. Intent signals are captured through visitor behavior tracking and packaged as products like Priority Engine for B2B marketing and sales teams. The company is part of Informa PLC since December 2024 and operates as Informa TechTarget. Its tracking infrastructure includes two GTM containers, Google Analytics 4, Microsoft Clarity for session replay, Chartbeat for editorial analytics, Optimizely for experimentation, and a heavy programmatic advertising stack (Google Ad Manager, MediaMath, AppNexus/Xandr, StackAdapt, DoubleVerify). All 18 disclosed subprocessors are US-based except Workato (US/Germany) and AWS (US/Ireland).
Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

87 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details