Adelement | Vendor Intelligence

How This Briefing Works

This report opens with key findings, then maps the gaps between what Adelement discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

25 detections across 24 sites4% pre-consent activity

MEDIUM

Pre-Consent Activity

Adelement was observed loading and executing before user consent was obtained on 4% of sites where it was detected.

GDPRePrivacy

Disclosure Gaps

Claims vs. Observed Behavior

1 gaps

pending

UNKNOWN

They Claim

“Requires claims extraction via CDT”

Observed Behavior

Live website analysis pending

Customer Impact

What This Means For You

For legal: Behavioral tracking without consent creates GDPR Article 6 violation exposure, though limited data collection reduces breach notification risk vs. session recording vendors. For marketing: Ad engagement patterns leaked to optimization platforms create minor competitive intelligence risk - primarily creative performance insights rather than strategic campaign data.

Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use Adelement

→Require Adelement to execute post-consent only
→Implement 14-day data retention for ad engagement metrics
→Add behavioral tracking disclosure to privacy policy

If You're Evaluating Adelement

→Review DPA for ad engagement data controller/processor responsibilities
→Assess first-party ad tracking vs. third-party optimization platforms

Negotiation Leverage

→Behavioral tracking without consent violates GDPR Article 6 - require post-consent execution or contract termination
→Limited data collection reduces risk vs. session recording vendors, but ePrivacy Directive violations remain - demand technical consent controls
→Ad engagement data has competitive value - require disclosure of any data sharing beyond core optimization function

Runtime Detections

2 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C06Behavioral Biometrics

Keystroke/mouse tracking

Impact: Captures ad interaction micro-behaviors (hover patterns, engagement timing) for optimization. Creates GDPR personal data processing obligations without documented legal basis.

BTI-C09Consent Bypass

Ignoring CMP signals

Impact: Executes behavioral tracking before consent collection. Documented in pre-consent timeline analysis. Violates ePrivacy Directive tracking consent requirements.

IOC Manifest

54 INDICATORS

Indicators of compromise across 3 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

TRACK

*adelement.com/js/main.js*

Tracking script

TRACK

*adelement.com/js/testimonial.js*

Tracking script

TRACK

*adelement.com/js/slider.js*

Tracking script

TRACK

adelement.com/js/main.js

Auto-extracted from scan

TRACK

adelement.com/js/testimonial.js

Auto-extracted from scan

TRACK

adelement.com/js/slider.js

Auto-extracted from scan

Ecosystem

Ecosystem & Supply Chain

Ad optimization layer integrated with creative management platforms. Common co-deployments: Google Ads (campaign delivery), Facebook Pixel (conversion tracking), display ad networks. Limited data sharing outside core ad tech stack.

Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

59 detection signatures across scripts, domains, cookies, and network endpoints