How This Briefing Works
This dossier opens with key findings, then maps the gap between what 33across discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection evidence underneath. BLACKOUT observes runtime browser behavior and cites the regulations that address each pattern — legal determinations are your counsel's call.
At a Glance
across 2 sites
vendor fires before consent
Briefing
33across operates as an identity resolution platform for advertising, creating persistent user profiles through cross-site tracking and deterministic matching. The 65% broker score reflects systematic data sharing with DSP partners, advertising exchanges, and measurement platforms.
What This Means For You
Sites deploying 33across leak 65% of user behavioral data to DSP partners and advertising exchanges, subsidizing competitor programmatic campaigns. Persistent cross-site tracking creates GDPR consent exposure, particularly for EU visitors where ePrivacy Directive enforcement is accelerating. Privacy-conscious buyers will flag identity resolution as disqualifying.
Risk Channel Breakdown
Distorts attribution data
65% demand signal leakage — user identifiers and behavioral signals shared with DSP partners and advertising exchanges, subsidizing competitor programmatic campaigns and audience targeting.
Expands attack surface
Persistent cross-site tracking and identity resolution without granular consent create GDPR Article 6 lawful basis gaps and ePrivacy Directive cookie consent violations.
Threat Indicators
Runtime-observed (BTI-C)
Long-lived identifiers
PII deanonymization
Per-code narrative explanations of what each detected behavior means for your organization
Per-code evidence with full attribution chain, severity rankings, and consequence narratives See pricing →
Claims vs. Reality
BLACKOUT analyzed 33across's public claims against observed runtime behavior and identified 1 contradiction.
Full claim-vs-reality gap analysis with claim text, observed behavior, severity, regulatory citations (GDPR, CCPA, ePrivacy), and evidence pointers per gap See pricing →
What To Do
0 for current users · 4 for evaluators
contractual leverage points
Role-specific actions (security / legal / marketing / procurement), full negotiation brief with contractual language, and BTI-code-specific consequences See pricing →
Supply Chain & Pairings
Full supply-chain mapping (loads / loaded-by lists with vendor identities) and the undisclosed-subprocessor list with observation evidence See pricing →