Adgoji

Advertising analytics platform. High liability exposure from session recording and identity resolution without consent. High revenue impact from visitor identification data sold to competitors.

39 IOCs | 17 detections | 41% pre-consent | 15 sites
Vendor Risk Score: 70

How This Briefing Works

This report opens with key findings, then maps the gaps between what Adgoji discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

17 detections across 15 sites | 41% pre-consent activity
HIGH

Pre-Consent Activity

Adgoji was observed loading and executing before user consent was obtained on 41% of sites where it was detected.

GDPR, ePrivacy
Disclosure Gaps

Claims vs. Observed Behavior

1 gap

pending

UNKNOWN
They Claim

Requires claims extraction via CDT

Observed Behavior

Live website analysis pending

Customer Impact

What This Means For You

  • For security teams: Identity resolution links ad engagement to employee accounts, revealing organizational structure and job functions to surveillance platforms.
  • For legal: Every identity-matched session becomes a GDPR data subject access request requiring complete reconstruction with linked CRM data.
  • For marketing: Identified visitor lists sold to competitors enable targeted outbound to your warmest ad-engaged prospects.
  • For sales: Ad engagement signals leaked before your SDRs can act - competitors reach identified accounts first.
Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use Adgoji

  • Require Adgoji to execute post-consent only with explicit identity resolution disclosure
  • Implement immediate data deletion for identity-matched sessions upon visitor request
  • Add identity resolution disclosure to privacy policy with clear opt-out mechanism
  • Audit data sharing agreements to identify identity graph buyers

If You're Evaluating Adgoji

  • Review DPA for identity resolution data controller/processor responsibilities
  • Assess first-party attribution vs. third-party identity matching risk
  • Calculate competitive leakage cost: (Adgoji fee + identified visitor list value to competitors)

Negotiation Leverage

  • Identity resolution without consent violates GDPR Article 6 - require explicit opt-in or contract termination
  • Session recording creates data breach liability - demand encryption at rest and in transit with annual security audits
  • Identity graphs sold to third parties subsidize competitor prospecting - require complete buyer list with pricing transparency
  • Linking anonymous to personal data triggers retroactive GDPR obligations - demand legal opinion on joint controller liability
Runtime Detections

3 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C07 Session Recording

Full session replay

Impact: Records visitor sessions to track ad-to-conversion attribution paths. Every recording creates GDPR data subject access request liability and breach notification obligations if storage compromised.

BTI-C09 Consent Bypass

Ignoring CMP signals

Impact: Executes session recording and identity matching before consent collection. Documented in pre-consent timeline analysis. Creates strict liability under ePrivacy Directive.

BTI-C14 Identity Resolution

PII deanonymization

Impact: Links anonymous ad interactions to email addresses and CRM records. Converts pseudonymous tracking data to personal data, triggering retroactive GDPR compliance obligations for all historical sessions.

IOC Manifest

29 INDICATORS

Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

  • TRACK: *www.adgoji.com/wp-content/plugins/wp-rocket/assets/js/lazyload/17.8.3/lazyload.js* (Tracking script)
  • TRACK: *www.adgoji.com/wp-content/cache/min/1/wp-content/themes/adgoji/dist/scripts/critical_*.js* (Tracking script)
  • TRACK: www.adgoji.com/wp-content/cache/min/1/wp-content/themes/adgoji/dist/scripts/critical_9b1ef30e.js (Auto-extracted from scan)
  • TRACK: www.adgoji.com/wp-content/plugins/wp-rocket/assets/js/lazyload/17.8.3/lazyload.min.js (Auto-extracted from scan)
Ecosystem

Ecosystem & Supply Chain

Attribution infrastructure feeding CRM and marketing automation platforms. Common co-deployments: Salesforce (CRM sync), HubSpot (identity matching), Google Ads (conversion tracking), ZoomInfo (contact enrichment). Identity graphs sold to intent data marketplaces.
Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

39 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details