How This Briefing Works
This report opens with key findings, then maps the gaps between what AdobeLaunch discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Pre-Consent Activity
AdobeLaunch was observed loading and executing before user consent was obtained on 44% of sites where it was detected.
Claims vs. Observed Behavior
pending
“Unknown”
Requires claims extraction via CDT
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use AdobeLaunch
- →Audit Launch rule firing sequence to verify no Adobe tags execute before consent acceptance
- →Disable Adobe ECID service initialization within Launch library configuration
- →Implement consent-conditional Launch library load rather than pre-consent initialization
- →Review all Launch rules for post-rejection execution and disable tracking tag continuation
- →Migrate Adobe tags to neutral tag manager (GTM) to eliminate embedded ECID coordination
If You're Evaluating AdobeLaunch
- →Request Adobe Launch deployment without embedded ECID service and Visitor ID coordination
- →Require Launch configuration audit showing consent-conditional rule execution for all tracking tags
- →Assess alternative tag managers (Google Tag Manager, Tealium with strict privacy mode) without vendor-specific coordination
- →Verify Launch library does not establish persistent identifiers before user interaction
- →Demand contractual guarantee that Launch rules respect consent rejection without backup execution
Negotiation Leverage
- →VRS 80 classification justifies Adobe Launch replacement with neutral tag manager unless ECID coordination is permanently disabled
- →100% legal tail risk demands indemnification for consent bypass violations through pre-consent tag execution
- →Require contractual guarantee that Launch library does not initialize Adobe infrastructure before consent acceptance
- →100% CAC subsidization from Audience Manager integration justifies tag manager migration costs or significant pricing concessions
- →Request monthly attestation that Launch rules do not fire tracking beacons after consent rejection
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
Evasion infrastructure, auditor bypass
Impact: Launch rules configured to fire analytics beacons before consent acceptance, creating consent theater.
Keystroke/mouse tracking
Impact: Orchestrates Adobe Target behavioral data collection including mouse tracking and engagement scoring.
Full session replay
Impact: Manages Adobe Analytics session replay initialization and coordinates DOM capture across Experience Cloud properties.
Ignoring CMP signals
Impact: Launch library loads and establishes Adobe ECID before consent management platform initialization, bypassing user controls.
Device identification
Impact: Coordinates browser fingerprinting across Adobe Analytics, Target, and Audience Manager for cross-property reconnection.
Long-lived identifiers
Impact: Manages multi-layered Adobe ECID backup mechanisms including localStorage, IndexedDB, and ETag coordination.
IOC Manifest
Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
Complete network capture with all requests and responses
16 detection signatures across scripts, domains, cookies, and network endpoints