ZoomInfo CEO Blocks Researcher After Revealing Pre-Consent Biometric and Fingerprinting Tracking

In November 2025, ZoomInfo CEO Henry Schuck shared a demo of GTM Studio, an AI-driven platform that tracks individual website visits. Shortly after, a security researcher examined the product’s landing page and discovered extensive pre-consent tracking technology. The researcher documented their findings in a comment on Schuck’s LinkedIn post, exposing detailed evidence of invasive data collection practices. Within minutes, the researcher was blocked, with no explanation or correction provided.

Key findings from the investigation include over 50 tracking requests occurring before user consent is obtained, with network analysis confirming that tracking fires prior to the appearance of consent banners. The site employed multiple tracking methods, such as DNS fingerprinting, session fingerprinting, and behavioral biometrics via Sardine.ai. Notably, the Sardine.ai configuration, decoded from embedded data, revealed active biometric and fingerprinting features, including mouse movement tracking and typing patterns.

Furthermore, the analysis uncovered a partnership between ZoomInfo and Sardine.ai, with the platform operating in a production environment—meaning these invasive tracking mechanisms are active during normal operations, not tests. The configuration explicitly enabled DNS fingerprinting and biometrics, raising concerns about user privacy.

Ironically, ZoomInfo markets GTM Studio as a tool designed to identify individual site visitors, yet their own product page deploys three external fingerprinting vendors and conducts behavioral biometrics before obtaining user consent. In addition, the site contacts 118 different tracking domains within a single page load, highlighting aggressive data collection practices. This demonstrates a lack of trust in their own technology and raises questions about privacy compliance.

For marketers, this revelation underscores potential legal risks. Investments in vendors documented to perform pre-consent tracking could translate into future legal liabilities. Data collected without proper consent may render lead scoring, targeting, and attribution processes legally questionable. These practices can also turn visitors into plaintiffs, as unconsented tracking becomes public knowledge and potential evidence.

Moreover, vendor compliance practices directly impact your organization’s legal standing. Courts may hold companies jointly liable for data breaches or misuse, especially if vendors’ methods are publicly exposed. Competitors could leverage these practices during negotiations or RFP processes, making vendor selection critical.

The core issue is that marketing has traditionally operated on a “move fast, ask forgiveness” approach. However, increasing transparency and regulatory scrutiny are ending this era. Companies must reassess their tracking infrastructure, prioritize user privacy, and choose vendors with responsible data collection practices.

In conclusion, the ZoomInfo incident highlights the urgent need for transparency, legal awareness, and ethical data practices in digital marketing. Marketers should review their vendor relationships and ensure compliance with privacy laws to mitigate future risks.

FAQs

Q: What was discovered about ZoomInfo’s tracking practices?
A: The investigation revealed extensive pre-consent biometric and fingerprinting tracking, including external vendor partnerships and aggressive data collection methods.

Q: Why is pre-consent tracking a problem?
A: It violates privacy regulations like GDPR and CCPA, can lead to legal liabilities, and erodes user trust.

Q: How can this impact marketers?
A: Marketers risk legal action, flawed data, and damage to reputation if they use vendors with invasive practices. It can also affect campaign effectiveness and legal compliance.

Q: What should companies do to protect themselves?
A: Review vendor practices, prioritize privacy-compliant technologies, and ensure proper consent mechanisms are in place before data collection.

Q: Is there a broader industry concern?
A: Yes, this incident signifies a shift toward stricter regulation and transparency, requiring companies to adopt responsible data collection practices.