
Termly

Termly operates as a consent management platform with severe hypocrisy: it defeats the privacy controls it claims to enforce. Cross-domain tracking, behavioral biometrics, session replay, and consent bypass create maximum legal exposure. The 100% CAC subsidization score reflects visitor consent data and behavioral patterns becoming competitor intelligence.

120 IOCs, 8 detections, 63% pre-consent, 6 sites
Vendor Risk Score: 80

How This Briefing Works

This report opens with key findings, then maps the gaps between what Termly discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

8 detections across 6 sites, 63% pre-consent activity
CRITICAL

Pre-Consent Activity

Termly was observed loading and executing before user consent was obtained on 63% of sites where it was detected.

GDPR, ePrivacy
Disclosure Gaps

Claims vs. Observed Behavior

1 gap

pending

UNKNOWN
They Claim

Requires claims extraction via CDT

Observed Behavior

Runtime evidence confirms C01/C06/C07/C08/C09/C10 activation

Customer Impact

What This Means For You

Compliance infrastructure creates liability. Termly captures visitor consent choices while bypassing consent mechanisms, creating indefensible GDPR violations. Legal holds 100% exposure risk from a CMP that defeats its own purpose. Consent preference data is accessible to competitors using the same platform.
Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use Termly

  • Immediate removal of Termly CMP
  • Legal review of consent mechanism integrity
  • Audit all consent choices for validity under Termly bypass
  • Notify DPO of consent bypass by consent platform
  • Breach notification assessment for consent data leakage

If You're Evaluating Termly

  • Self-hosted CMP with zero third-party data sharing
  • First-party consent infrastructure on owned domains
  • Open-source consent management without tracking

Negotiation Leverage

  • Termly creates unlimited legal liability through consent bypass BY THE CONSENT PLATFORM
  • 100% CAC subsidization means consent preferences train competitor compliance circumvention
  • CMP that defeats its own purpose is indefensible in regulatory audit
  • Consent data accessible to competitors on shared platform
  • Immediate removal required - no remediation possible for circular privacy violation
Runtime Detections

6 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C01: Defeat Device

Evasion infrastructure, auditor bypass

Impact: CMP bypasses its own consent controls to capture data

BTI-C06: Behavioral Biometrics

Keystroke/mouse tracking

Impact: Captures interaction patterns with consent UI for profiling

BTI-C07: Session Recording

Full session replay

Impact: Records visitor sessions including consent choices and banner interactions

BTI-C08: Cross-Domain Sync

Identity stitching

Impact: Tracks consent preferences across multiple domains

BTI-C09: Consent Bypass

Ignoring CMP signals

Impact: Activates before its own consent mechanisms, creating circular privacy violation

BTI-C10: Fingerprinting

Device identification

Impact: Creates persistent visitor profiles to track consent choices

IOC Manifest

120 INDICATORS

Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

Ecosystem

Ecosystem & Supply Chain

Termly consent data flows through centralized infrastructure accessible to all platform users. Visitor consent preferences, rejection patterns, and privacy choices become training data for compliance circumvention strategies. Cross-domain tracking enables consent preference identification across customer properties.
Loaded By (1)
Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

120 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details