How This Briefing Works
This dossier opens with key findings, then maps the gap between what VWO discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection evidence underneath. BLACKOUT observes runtime browser behavior and cites the regulations that address each pattern — legal determinations are your counsel's call.
At a Glance
across 40 sites
vendor fires before consent
1 HIGH
Briefing
VWO (Visual Website Optimizer) markets itself as an A/B testing and conversion optimization platform, deployed across 29 sites in our corpus with 47 detections. BLACKOUT analysis reveals the platform's true behavioral footprint extends far beyond split testing: defeat device infrastructure (C01), behavioral biometrics capture (C06), full session recording (C07), cross-domain identity sync (C08), consent bypass (C09), device fingerprinting (C10), persistence mechanisms (C13), identity resolution (C14), and tag manager capabilities (C15). With 8 domains, 12 scripts, and 9 cookies in its IOC profile, VWO operates one of the most extensive client-side surveillance architectures in the optimization category.
What This Means For You
If you deploy VWO, your visitors' entire session experience is captured — every keystroke pattern, mouse movement, click, scroll, and form interaction. With 47% pre-consent firing, nearly half of your visitor sessions begin recording before consent is obtained. The 9-cookie persistence architecture means VWO maintains tracking across sessions and devices, building longitudinal behavioral profiles of your visitors. You are the data controller for all of this processing. Your privacy policy likely describes VWO as an "optimization tool" — it is functionally a behavioral surveillance platform with identity resolution capabilities.
Risk Channel Breakdown
Signal corruption score of 40 reflects VWO's cross-domain sync and identity resolution capabilities layered on top of A/B testing. Test results may be contaminated by stitched identity data, and behavioral biometrics (C06) capture creates measurement artifacts that distort conversion analysis beyond what legitimate experimentation requires.
Maximum CAC subsidization score (100). VWO's 9-cookie, 8-domain infrastructure captures granular behavioral data — keystroke patterns, mouse movements, full session replays — that feeds VWO's product intelligence. Your visitors' optimization data trains VWO's models, benefiting every other VWO customer including your competitors.
Expands attack surface
Maximum legal tail risk (100). A 47% pre-consent firing rate combined with behavioral biometrics (C06) and session recording (C07) creates severe regulatory exposure. Session replay captures every visitor interaction including form inputs, while behavioral biometrics records keystroke and mouse patterns — both classified as personal data under GDPR. Consent bypass (C09) and persistence mechanisms (C13) compound the violation surface.
Threat Indicators
Runtime-observed (BTI-C)
Evasion infrastructure, auditor bypass
Keystroke/mouse tracking
Full session replay
Identity stitching
Ignoring CMP signals
Device identification
Long-lived identifiers
PII deanonymization
Container/loader (neutral)
Per-code narrative explanations of what each detected behavior means for your organization
Per-code evidence with full attribution chain, severity rankings, and consequence narratives See pricing →
Claims vs. Reality
BLACKOUT analyzed VWO's public claims against observed runtime behavior and identified 1 contradiction.
Full claim-vs-reality gap analysis with claim text, observed behavior, severity, regulatory citations (GDPR, CCPA, ePrivacy), and evidence pointers per gap See pricing →
What To Do
4 for current users · 4 for evaluators
contractual leverage points
Role-specific actions (security / legal / marketing / procurement), full negotiation brief with contractual language, and BTI-code-specific consequences See pricing →
Supply Chain & Pairings
googletagmanager, googleanalytics4, linkedinads…
Full supply-chain mapping (loads / loaded-by lists with vendor identities) and the undisclosed-subprocessor list with observation evidence See pricing →