ZoomInfo CEO blocks researcher after documenting pre-consent biometric tracking

Original link: https://github.com/clark-prog/blackout-public

## ZoomInfo GTM Studio Tracking Issue - Summary

A security investigation found that ZoomInfo's GTM Studio landing page performs extensive pre-consent tracking, even though the platform is marketed as a tool for identifying website visitors. More than 50 tracking requests were detected *before* any consent banner appeared, including behavioral biometrics from partner Sardine.ai and fingerprinting by PerimeterX.

When the researcher shared these findings on LinkedIn, ZoomInfo's CEO blocked them immediately, offering no response or clarification. The "evidence pack" lays out the technical analysis, including a decoded configuration showing that mouse movements and typing patterns are tracked by default.

The report highlights the legal risk of using such vendors, citing potential GDPR, CCPA and CIPA violations. It warns that relying on "intent data" that may have been obtained unlawfully can lead to legal liability, customer lawsuits and reputational damage.

Core message: transparency matters. Marketers should audit their tech stacks, understand their vendors' practices and prioritize compliance, since a claim of ignorance may not be a valid defense. The evidence has been published for verification and review.

## ZoomInfo CEO blocks researcher who exposed biometric tracking

A researcher (SignalDr) documented surveillance behavior on ZoomInfo's GTM Studio landing page and was blocked by the company's CEO after publishing the findings, which were obtained with Chrome DevTools. The researcher found extensive pre-consent tracking, including behavioral biometrics via Sardine.ai and device fingerprinting via PerimeterX, along with 118 tracking domains. The evidence, including HAR files and code analysis, is public on GitHub ([https://github.com/clark-prog/blackout-public](https://github.com/clark-prog/blackout-public)).

The incident sparked discussion on Hacker News about the post possibly being an advertisement in itself, as well as about the broader privacy violations. Some commenters noted the irony of ZoomInfo selling visitor identification while itself using multiple fingerprinting vendors. Concerns were raised about weak GDPR enforcement and the tendency to put commercial interests ahead of customer privacy. Others highlighted how pervasive tracking is on the modern web and the need for users to have more control over script execution.

Original text

Blackout's Public FAFO Repo

"You can block the researcher. You can't block the evidence."


On November 25, 2025, ZoomInfo CEO Henry Schuck posted a product demo of GTM Studio on LinkedIn — their AI-powered platform that "identifies person-level website visits."

A security researcher analyzed the GTM Studio landing page and documented extensive pre-consent tracking infrastructure. The findings were posted as a comment on the CEO's LinkedIn post.

Within minutes, the researcher was blocked.

No correction. No clarification. Just silence.

This evidence pack ensures the findings cannot be suppressed.


| Finding | Evidence |
| --- | --- |
| 50+ tracking requests before consent | Network capture shows tracking fires before the consent banner loads |
| Sardine.ai biometrics enabled | `enableBiometrics: true` in decoded config |
| PerimeterX fingerprinting | Collector fires at request #79 (pre-consent) |
| DNS fingerprinting active | `enableDNS: true` in Sardine config |
| 118 unique tracking domains | Contacted on a single page load |
| Session fingerprinting | Fraud-detection API creates a session pre-consent |

Decoded Sardine.ai Configuration

```json
{
  "enableBiometrics": true,
  "enableDNS": true,
  "partnerId": "zoominfo",
  "dBaseDomain": "d.sardine.ai",
  "environment": "production"
}
```

This configuration was decoded from a base64-encoded payload in the collector iframe URL.
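As an added example (not code from the blackout-public repo), the Node.js script below shows the decoding step itself: pull the base64 payload out of a collector iframe URL, parse it, and report which tracking options it enables. The iframe host `collector.example`, the `config` query-parameter name and the sample URL are assumptions; the real collector may carry the payload under a different parameter or as a path segment, so adjust `extractConfig` to match what you see in the Elements panel.

```javascript
// Added example, not code from the blackout-public repo: decode a base64-encoded
// configuration carried in a collector iframe URL and report which tracking
// options it enables. The iframe host "collector.example" and the query-parameter
// name "config" are assumptions; the real collector may carry the payload differently.

const TRACKING_FLAGS = ["enableBiometrics", "enableDNS"];

// Decode standard or URL-safe base64 to UTF-8 text; tolerates stripped padding.
function decodeBase64(b64) {
  const normalized = b64.replace(/-/g, "+").replace(/_/g, "/");
  const padded = normalized + "=".repeat((4 - (normalized.length % 4)) % 4);
  return Buffer.from(padded, "base64").toString("utf8");
}

// Pull the encoded payload out of the iframe src and parse it as JSON.
function extractConfig(iframeSrc, paramName = "config") {
  const url = new URL(iframeSrc);
  const raw = url.searchParams.get(paramName);
  if (raw === null) {
    throw new Error(`no "${paramName}" parameter in iframe URL ${url.hostname}${url.pathname}`);
  }
  // URLSearchParams turns an unescaped "+" into a space; undo that for raw base64.
  return JSON.parse(decodeBase64(raw.replace(/ /g, "+")));
}

// Reduce the config to the facts a reviewer cares about: which tracking flags are
// on, who the partner is, where data goes, and whether this is production.
function auditConfig(config) {
  return {
    partnerId: config.partnerId ?? null,
    collectorHost: config.dBaseDomain ?? null,
    environment: config.environment ?? null,
    isProduction: config.environment === "production",
    enabledTracking: TRACKING_FLAGS.filter((flag) => config[flag] === true),
  };
}

// Constructed sample: the decoded config shown above, re-encoded into a
// hypothetical iframe URL so the decode path can be exercised offline.
const SAMPLE_CONFIG = {
  enableBiometrics: true,
  enableDNS: true,
  partnerId: "zoominfo",
  dBaseDomain: "d.sardine.ai",
  environment: "production",
};
const SAMPLE_IFRAME_SRC =
  "https://collector.example/frame.html?config=" +
  encodeURIComponent(Buffer.from(JSON.stringify(SAMPLE_CONFIG)).toString("base64"));

console.log(auditConfig(extractConfig(SAMPLE_IFRAME_SRC)));
```

To use it on a live page, copy the iframe's `src` attribute from DevTools and pass it to `extractConfig`; the report lists only flags that are literally `true`, so a flag that is absent or set to a string is not counted as enabled.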

Translation:

  • Mouse movements tracked by default
  • Typing patterns recorded
  • DNS fingerprinting enabled
  • ZoomInfo has a formal partnership with Sardine.ai
  • This is production, not testing

ZoomInfo markets GTM Studio as a tool to "identify person-level website visits."

Yet on their own landing page for this product, they deploy:

  • 3 external identity/fingerprinting vendors (Sardine.ai, PerimeterX, IdentityMatrix.ai)
  • Behavioral biometrics before consent
  • 118 different tracking domains

Even the visitor identification vendor doesn't trust their own product for visitor identification.


For Marketers: Why This Matters To You

You're not a privacy lawyer. You're trying to hit pipeline targets. So why should you care?

1. Your Budget May Be Buying Legal Exposure

Every dollar spent on vendors with documented pre-consent tracking is a dollar potentially spent on future legal liability. When class actions emerge in this space, "we didn't know" often isn't accepted as a defense — it can be characterized as negligence.

The question to consider: could this data become actionable in litigation?

2. Your "Intent Data" May Carry Legal Risk

Data collected without proper consent may not be legally processable. That could mean:

  • Your lead scores may be built on problematic data
  • Your ABM campaigns may target profiles collected without consent
  • Your attribution models may include tainted signals

This is worth evaluating with your legal team.

3. Your Customers Could Become Plaintiffs

The people being tracked without consent? They're the same people you're trying to convert. When they find out (and the prevalence of these practices is increasingly public), you may not just lose a deal — you may create an adversary with legal standing.

Every visitor is a potential plaintiff. Every page view is potential evidence.

4. Your Vendor's Compliance Affects YOUR Compliance

GDPR Article 26 (joint controllers). Cal. Civ. Code §1798.100 (CCPA). Your contracts may say "vendor warrants compliance." Courts have found joint liability regardless. When a vendor's practices become public record, your legal team will ask: "Who approved this vendor?"

That answer is discoverable.

5. Your Competitors May Use This Against You

Imagine losing an enterprise deal because the prospect's security team researched your martech stack. Imagine the RFP question: "Do you use vendors with documented pre-consent tracking?"

Your vendor choices are discoverable. Choose accordingly.


Marketing has operated in a "move fast, ask forgiveness" mode for 15 years. That era is ending.

The tracking infrastructure that powered the "growth at all costs" playbook is now:

  • Documented (you're reading the evidence)
  • Discoverable (public GitHub repo)
  • Potentially actionable (GDPR, CCPA, CIPA may apply)

You can either:

  1. Audit your stack now and evaluate liability before it crystallizes
  2. Wait for external scrutiny and explain why you didn't act on public evidence

The vendors won't protect you. Your contracts may not protect you. Only your choices will.


Repository Structure

```text
zoominfo-gtm-studio/
├── FINDINGS.md              # Full technical analysis
├── TIMELINE.md              # CEO post → comment → block sequence
├── code/
│   ├── sardine-config.json  # Decoded biometrics configuration
│   ├── perimeterx.md        # PerimeterX infrastructure details
│   └── tracking-sequence.md # Complete request timeline
├── methodology/
│   └── how-we-tested.md     # Reproduction instructions
└── legal/
    ├── gdpr-analysis.md     # EU regulation analysis
    ├── ccpa-analysis.md     # California privacy law analysis
    └── cipa-exposure.md     # California wiretapping exposure analysis
```

How To Verify (5 Minutes)

  1. Open Chrome in Incognito mode
  2. Open DevTools (F12) → Network tab
  3. Enable "Preserve log"
  4. Navigate to: https://www.zoominfo.com/products/gtm-studio
  5. DO NOT interact with the consent banner
  6. Count the requests that fire before you see the banner

Key requests to look for:

  • collector-pxosx7m0dx.px-cloud.net — PerimeterX fingerprinting
  • *.d.sardine.ai/bg.png — Sardine behavioral biometrics
  • gw-app.zoominfo.com/gw/ziapi/fraud-detection — Session fingerprinting
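Counting by hand in the Network tab works once, but it is hard to reproduce or compare across days. As an added example (not part of the repo), the Node.js script below does the same triage over a saved HAR export: it orders requests by start time, treats the first request to the consent-manager host as the banner loading, counts everything before it, and flags the three collector endpoints listed above. The embedded HAR and the consent-manager host `cmp.example` are constructed for the example; the page does not name the banner vendor, so replace the `isConsentBanner` predicate with the real host when running it on an actual capture.

```javascript
// Added example, not code from the blackout-public repo: triage a saved HAR export
// the way the manual DevTools check above does, but reproducibly. Requests are
// ordered by start time, the first request to the consent-manager host marks the
// banner loading, and everything before it is counted and matched against the
// collector endpoints the page lists. The consent-manager host "cmp.example" and
// the HAR entries below are constructed for this example.

const TRACKER_PATTERNS = [
  {
    label: "PerimeterX fingerprinting",
    test: (u) => u.hostname.endsWith(".px-cloud.net"),
  },
  {
    label: "Sardine behavioral biometrics",
    test: (u) => u.hostname.endsWith(".d.sardine.ai") && u.pathname === "/bg.png",
  },
  {
    label: "ZoomInfo fraud-detection session",
    test: (u) =>
      u.hostname === "gw-app.zoominfo.com" &&
      u.pathname.startsWith("/gw/ziapi/fraud-detection"),
  },
];

// Return every request that started before the consent banner, in order, with
// a tracker label where the URL matches a known collector. If no banner request
// is found, every request counts: absence of a banner is itself a finding.
function preConsentRequests(har, isConsentBanner) {
  const entries = [...har.log.entries].sort(
    (a, b) => Date.parse(a.startedDateTime) - Date.parse(b.startedDateTime)
  );
  const bannerIdx = entries.findIndex((e) => isConsentBanner(new URL(e.request.url)));
  const before = bannerIdx === -1 ? entries : entries.slice(0, bannerIdx);
  return before.map((e, i) => {
    const url = new URL(e.request.url);
    const hit = TRACKER_PATTERNS.find((p) => p.test(url));
    return { index: i + 1, host: url.hostname, tracker: hit ? hit.label : null };
  });
}

// Headline numbers: total pre-consent requests, distinct hosts, and flagged hits.
function summarize(requests) {
  return {
    totalBeforeConsent: requests.length,
    uniqueDomains: new Set(requests.map((r) => r.host)).size,
    flagged: requests.filter((r) => r.tracker !== null),
  };
}

// Build a minimal HAR entry; offsetMs is relative to a fixed capture start.
function entry(url, offsetMs) {
  const started = new Date(Date.UTC(2025, 10, 25, 10, 0, 0, offsetMs));
  return { startedDateTime: started.toISOString(), request: { method: "GET", url } };
}

// Constructed HAR (hosts from the page, paths and timings invented), listed out of
// order on purpose so the timestamp sort is exercised.
const SAMPLE_HAR = {
  log: {
    version: "1.2",
    entries: [
      entry("https://www.zoominfo.com/products/gtm-studio", 0),
      entry("https://cmp.example/banner.js", 900), // assumed consent-banner script
      entry("https://collector-pxosx7m0dx.px-cloud.net/api/v2/collector", 300),
      entry("https://abc123.d.sardine.ai/bg.png", 450),
      entry("https://gw-app.zoominfo.com/gw/ziapi/fraud-detection", 600),
      entry("https://www.zoominfo.com/analytics.js", 1200), // after the banner
    ],
  },
};

const isConsentBanner = (u) => u.hostname === "cmp.example";

console.log(summarize(preConsentRequests(SAMPLE_HAR, isConsentBanner)));
```

For a real capture, export the Network tab as HAR (right-click → "Save all as HAR with content"), load it with `JSON.parse(fs.readFileSync(path, "utf8"))` in place of `SAMPLE_HAR`, and point `isConsentBanner` at the consent-manager script host you see loading. Sorting by `startedDateTime` matters because HAR entries are not guaranteed to be in request order, and a request that started before the banner but finished after it still counts as pre-consent.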

Legal Exposure

GDPR / ePrivacy (EU):

  • ePrivacy Directive Article 5(3): consent required before storing or accessing information on the user's device (the "cookie consent" rule)
  • GDPR Article 6: lawful basis required for processing
  • GDPR Article 9: behavioral biometrics may constitute special category data

CCPA (California):

  • Right to Know: Sardine.ai partnership not disclosed in privacy policy
  • Right to Opt-Out: no opt-out presented before tracking begins
  • Data Sharing: data transmitted to 40+ third parties pre-consent

CIPA (California):

  • Wiretapping provisions: biometric collection without consent may implicate wiretapping statutes
  • Two-party consent: California requires all-party consent for certain recordings

(Screenshot: Henry Schuck's LinkedIn post, captured 2025-11-25)

When presented with documented evidence of:

  • Pre-consent tracking
  • Behavioral biometrics collection
  • 118 tracking domains on a single page

The CEO of a publicly traded company chose to:

  • Block the researcher
  • NOT dispute the findings
  • NOT provide clarification

ZoomInfo has not responded to requests for comment on these findings.


THIS IS NOT LEGAL ADVICE.

The information contained in this evidence pack is provided for informational and educational purposes only. Nothing herein constitutes legal advice, and no attorney-client relationship is created by accessing, reading, or using this information.

You should consult with a qualified attorney licensed in your jurisdiction before taking any action based on the information presented here. Privacy law is complex, varies by jurisdiction, and is subject to change. What may constitute a violation in one jurisdiction may not apply in another.

Blackout is not a law firm. We are security researchers documenting technical findings. We make no representations or warranties about:

  • The legal accuracy or completeness of any analysis
  • The applicability of cited regulations to your specific situation
  • The current state of any company's tracking practices (which may change)
  • The outcome of any legal action based on this information

All findings are based on publicly observable behavior at the time of testing. Network captures, decoded configurations, and request timelines represent a point-in-time snapshot. Vendors may modify their practices after publication.

If you believe you have been affected by pre-consent tracking or surveillance practices, consult a privacy attorney or contact your local data protection authority. Do not rely solely on this document to assess your legal rights or remedies.

By accessing this evidence pack, you acknowledge that you have read and understood this disclaimer.


This evidence pack is released in the public interest.

Vendor tracking infrastructure should be transparent and verifiable, not suppressed when documented.

Released by: Blackout Research
Date: November 25, 2025


Blackout Friday — November 29, 2025

Free forensic scans. 100 domains. 24 hours.

Find out what YOUR vendors are doing.

deployblackout.com


"You can block the researcher.
You can't block the evidence."
