VWO

Impact: Evasion infrastructure means VWO can alter its behavior during compliance audits, making it impossible to verify through standard testing what data is collected during normal visitor sessions.

Impact: Keystroke dynamics and mouse movement tracking captures unique behavioral signatures of your visitors. This biometric data is classified as sensitive personal data under multiple privacy frameworks and requires explicit consent with specific purpose limitation.

Impact: Full session replay means every click, scroll, and form interaction on your site is captured and transmitted to VWO servers. Visitors typing passwords, credit card numbers, or health information have no visibility into this recording.

Impact: Identity stitching across 8 domains means VWO correlates visitor behavior across multiple properties, building behavioral profiles that extend beyond your site and beyond your data processing disclosures.

Impact: VWO fires before consent on 47% of observed deployments. Every pre-consent session recording and biometric capture is a separate GDPR violation with potential fines up to 4% of annual turnover.

Impact: Device fingerprinting creates persistent visitor identifiers that survive cookie clearing, undermining the right to withdraw consent and creating compliance gaps with ePrivacy regulations.

Impact: Long-lived identifiers across 9 cookies ensure visitor tracking persists beyond reasonable session boundaries. Combined with fingerprinting, this creates a dual-layer persistence architecture that is extremely difficult for visitors to escape.

Impact: PII deanonymization transforms VWO from a testing tool into an identification system. Anonymous visitors can be resolved to real identities, creating data processing that most privacy policies do not disclose.

Impact: Tag management capabilities mean VWO can dynamically load additional scripts and trackers, expanding the data collection surface beyond what was initially deployed or audited.