ZoomInfo

Registered California data broker (#185627) that explicitly sells personal information — while marketing as a "B2B intelligence platform" with SOC2 Type II and ISO 27001 certifications. 26.6% of tracking activity fires before consent across 60 detected sites.

43 IOCs · 82 detections · 27% pre-consent · 62 sites
Vendor Risk Score: 90

How This Briefing Works

This report opens with key findings, then maps the gaps between what ZoomInfo discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

82 detections across 62 sites · 27% pre-consent activity
HIGH

Pre-Consent Activity

ZoomInfo was observed loading and executing before user consent was obtained on 27% of sites where it was detected.

GDPR · ePrivacy
HIGH

Compliance Claim Mismatch

26.6% pre-consent tracking rate across 60 detected sites

GDPR Art 6 · GDPR Art 7 · CCPA 1798.100 · ePrivacy Directive
HIGH

Scope Misrepresentation

Registered California data broker selling personal information

CCPA 1798.140 · California Delete Act
HIGH

Compliance Claim Mismatch

False certification claims

HIGH

Scope Creep

Collection exceeds disclosed scope

Disclosure Gaps

Claims vs. Observed Behavior

3 gaps · 2 HIGH · 1 MED
Classified: BTI-X05 · BTI-X08

Compliance Claim Mismatch

GDPR Art 6 · GDPR Art 7 · CCPA 1798.100 · ePrivacy Directive · HIGH
They Claim

SOC2 Type II, ISO 27001, GDPR, CCPA certified/compliant

Observed Behavior

26.6% pre-consent tracking rate across 60 detected sites

BLACKOUT runtime scans show systematic tracking before consent banner interaction

Scope Misrepresentation

CCPA 1798.140 · California Delete Act · HIGH
They Claim

B2B intelligence platform, business-related data only

Observed Behavior

Registered California data broker selling personal information

CA AG registration #185627, privacy policy explicitly states sale of personal information

Third-Party Vendors on Own Site

GDPR Art 28 · MEDIUM
They Claim

Privacy-first company with comprehensive security

Observed Behavior

Deploys pre-consent tracking vendors (HumanSecurity, NeverBounce) on own website

BLACKOUT scan of zoominfo.com shows pre-consent vendor loading

Customer Impact

What This Means For You

If ZoomInfo is deployed on your site, you are exposed to GDPR Art 6/7 violations from their 26.6% pre-consent tracking rate — over a quarter of your visitors are tracked before consenting. As a registered California data broker, ZoomInfo explicitly sells personal information including names, emails, and phone numbers. If your employees' contacts flow into their database through email integrations, that data becomes inventory available to your competitors. Under CCPA §1798.140, you may bear shared liability for data sold by a vendor you deployed. ZoomInfo's SOC2 Type II and ISO 27001 certifications cover their internal operations — they do not indemnify you against regulatory action for pre-consent tracking on your property.

Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use ZoomInfo

  • Audit consent basis for all ZoomInfo-sourced leads — 26.6% pre-consent rate means a quarter of contact data may lack valid consent
  • Review your Data Processing Agreement for GDPR Article 28 compliance, specifically around their registered data broker status
  • Assess liability exposure from pre-consent tracking deployed on your properties under ePrivacy Directive and GDPR Art 6/7
  • Check whether your employees appear in ZoomInfo's database without consent via their email integration harvesting
  • Evaluate whether email integration is exposing your contacts to third-party sale through their data brokerage operation

If You're Evaluating ZoomInfo

  • Request their California data broker registration documentation (#185627) and ask how this reconciles with B2B-only marketing claims
  • Verify the consent chain for any data they would provide — ask specifically how GPC signals are honored
  • Assess whether competitor access to the same ZoomInfo database creates strategic risk for your sales intelligence
  • Compare against alternatives that do not operate as registered data brokers (Apollo, Lusha, Cognism)
  • Negotiate right-to-audit clause with access to live runtime behavior monitoring before signing

Negotiation Leverage

  • Pre-consent SLA: ZoomInfo fires before consent on 26.6% of detected sites. Require contractual guarantee of 0% pre-consent activity on your properties with liquidated damages per violation detected by independent audit.
  • Data broker disclosure: ZoomInfo is registered as California data broker #185627 and explicitly sells personal information. Require written confirmation that your organization's data will not be resold, with right to audit data flows quarterly.
  • Email integration data rights: ZoomInfo harvests contact information through email client integrations. Negotiate explicit prohibition on using your employees' email contacts as inventory, with immediate deletion clause upon request.
  • Subprocessor transparency: ZoomInfo operates NeverBounce and Chorus.ai as part of their data ecosystem. Require complete subprocessor list with 30-day advance notice before additions and right to object.
  • Termination for cause: Include right to terminate without penalty if independent audit reveals undisclosed data sharing, pre-consent tracking, or data brokerage activity involving your organization's information.

Runtime Detections

9 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

  • BTI-C01 Defeat Device: Evasion infrastructure, auditor bypass
  • BTI-C06 Behavioral Biometrics: Keystroke/mouse tracking
  • BTI-C07 Session Recording: Full session replay
  • BTI-C08 Cross-Domain Sync: Identity stitching
  • BTI-C09 Consent Bypass: Ignoring CMP signals
  • BTI-C10 Fingerprinting: Device identification
  • BTI-C14 Identity Resolution: PII deanonymization
  • BTI-C15 Tag Manager: Container/loader (neutral)
  • BTI-C16 Real-Time Exfiltration: WebSocket/SSE streaming

IOC Manifest

23 INDICATORS

Indicators of compromise across 6 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

  • TRACK · *www.zoominfo.com/osx7m0dx/captcha/captcha.js* · Tracking script
  • TRACK · ws.zoominfo.com · Tracking script
  • TRACK · www.zoominfo.com/osx7m0dx/captcha/captcha.js · Auto-extracted from scan

Ecosystem

Ecosystem & Supply Chain

ZoomInfo operates at the apex of the B2B data supply chain.

Upstream: Integrates with email clients, CRMs, and third-party data sources to harvest contact information. ZoomInfo users unwittingly contribute data through email integrations.

Downstream: Powers sales, marketing, and recruiting tools across enterprise SaaS. Major customers include Salesforce, HubSpot, Outreach, and thousands of sales teams. ZoomInfo data flows into virtually every B2B prospecting workflow.

They also operate NeverBounce (email verification) and Chorus.ai (conversation intelligence), creating a comprehensive surveillance ecosystem across the entire sales funnel.

Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

43 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details