How This Briefing Works
This report opens with key findings, then maps the gaps between what AdobeAnalytics discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Pre-Consent Activity
AdobeAnalytics was observed loading and executing before user consent was obtained on 36% of sites where it was detected.
Claims vs. Observed Behavior
pending
“Unknown”
Requires claims extraction via CDT
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use AdobeAnalytics
- Disable Adobe Analytics session recording features and verify cessation via HAR inspection
- Restrict Adobe ECID to first-party cookies only, prohibit localStorage/IndexedDB backup
- Audit Adobe Audience Manager integrations and sever connections to programmatic demand networks
- Implement consent-conditional initialization to prevent tracking library load before acceptance
- Review Adobe Launch rules to eliminate post-rejection beacon firing
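One way to run the HAR inspection named in the list above, covering both pre-consent loading and post-rejection beacons, as an added example that is not part of the BLACKOUT report or any Adobe tooling. The host suffix `metrics.example.test`, the sample capture and the consent timestamp are constructed placeholders; substitute the collection hosts from your own deployment and the moment the banner was answered in your capture.

```python
from datetime import datetime
from urllib.parse import urlsplit

def _ts(value):
    # HAR timestamps are ISO 8601; normalise a trailing "Z" for older Pythons.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def host_matches(url, suffixes):
    # Match on label boundaries so "fakemetrics.example.test" is not a hit.
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)

def audit_har(har, tracker_suffixes, consent_time, accepted):
    """Return tracker requests that conflict with the consent decision.

    pre_consent:    sent before the banner was answered.
    post_rejection: sent after the visitor rejected (only when accepted=False).
    """
    decided = _ts(consent_time)
    findings = {"pre_consent": [], "post_rejection": []}
    for entry in har["log"]["entries"]:
        url = entry["request"]["url"]
        if not host_matches(url, tracker_suffixes):
            continue
        if _ts(entry["startedDateTime"]) < decided:
            findings["pre_consent"].append(url)
        elif not accepted:
            findings["post_rejection"].append(url)
    return findings

def _entry(started, url):
    return {"startedDateTime": started, "request": {"url": url}}

# Constructed sample capture; load a real one with json.load(open("site.har")).
SAMPLE_HAR = {"log": {"entries": [
    _entry("2024-05-01T10:00:00.000Z", "https://www.example.test/"),
    _entry("2024-05-01T10:00:00.400Z", "https://metrics.example.test/collect?pv=1"),
    _entry("2024-05-01T10:00:00.500Z", "https://fakemetrics.example.test/app.js"),
    _entry("2024-05-01T10:00:05.000Z", "https://metrics.example.test/collect?ev=scroll"),
]}}

if __name__ == "__main__":
    # Visitor clicked "Reject" at 10:00:03 in this constructed session.
    result = audit_har(SAMPLE_HAR, ["metrics.example.test"],
                       "2024-05-01T10:00:03Z", accepted=False)
    for kind, urls in result.items():
        print(kind, urls)
```

An empty result for both keys on a reject-path capture is the evidence that the tag only initializes after acceptance; repeat the capture after each tag-manager rule change.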
If You're Evaluating AdobeAnalytics
- Request Adobe Analytics deployment without Experience Cloud ID service to prevent cross-property tracking
- Require contractual prohibition on Adobe Audience Manager data sharing for 24 months post-contract
- Verify Analytics implementation does not enable behavioral biometrics or session replay by default
- Assess alternative analytics platforms (Plausible, Matomo self-hosted) that respect consent boundaries
- Demand pricing concessions reflecting restricted deployment mode without cross-cloud integrations
Negotiation Leverage
- VRS 80 classification with 100% CAC subsidization justifies 40% discount if Adobe Audience Manager integration is permanently disabled
- 100% legal tail risk demands indemnification for GDPR violations and session recording consent failures
- Require contractual guarantee that Adobe ECID respects cookie deletion and does not use backup persistence mechanisms
- Request monthly attestation that your deployment does not feed Adobe demand networks or programmatic exchanges
- Negotiate data retention limits (30 days maximum) and right to audit Adobe cross-property visitor graphs for your domain
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
Evasion infrastructure, auditor bypass
Impact: Analytics beacon continues firing after consent rejection via backup tracking mechanisms embedded in Adobe Launch.
Keystroke/mouse tracking
Impact: Mouse movements, scroll depth, and rage clicks captured and processed to build engagement scoring models.
Full session replay
Impact: DOM capture and interaction replay enabled by default in Adobe Analytics Premium, recording keystrokes and form interactions.
Ignoring CMP signals
Impact: Adobe ECID (Experience Cloud ID) persists after cookie rejection via localStorage, IndexedDB, and ETags.
Device identification
Impact: Canvas fingerprinting and browser profiling used to reconnect visitors across cookie deletion events.
Long-lived identifiers
Impact: Multi-layered backup identifiers respawn deleted cookies via Adobe Visitor ID service coordination.
IOC Manifest
Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
Complete network capture with all requests and responses
20 detection signatures across scripts, domains, cookies, and network endpoints