How This Briefing Works
This dossier opens with key findings, then maps the gap between what Adquality discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection evidence underneath. BLACKOUT observes runtime browser behavior and cites the regulations that address each pattern — legal determinations are your counsel's call.
At a Glance
across 1 sites
vendor fires before consent
1 CRIT · 1 HIGH
Briefing
AdQuality is a French digital marketing agency founded in 2013, now part of BAE Groupe. Despite claiming GDPR compliance and stating they do not sell or share data with third parties, runtime analysis reveals 31 distinct third-party vendors loading on their own website including Google Ads, DoubleClick, and numerous advertising/analytics platforms. Three vendors fire pre-consent (2.3% rate). The critical finding is a massive disclosure gap: their privacy policy mentions only a generic web hosting provider while 31 actual data recipients operate on their site.
What This Means For You
YOUR campaign data managed through AdQuality flows through a vendor ecosystem of 31 while their privacy policy mentions only a generic web hosting provider. YOUR advertising performance metrics — which campaigns convert, which audiences engage, which creatives perform — pass through a platform with undisclosed connections to TrenDemon, HGInsights, and Firmable competitive intelligence tools. YOUR trust in their no data sharing claim is contradicted by 31 vendors detected at runtime. Under GDPR, YOUR records of processing must account for AdQuality's actual vendor chain, not their single generic disclosure.
Risk Channel Breakdown
As a digital marketing agency specializing in traffic acquisition and attribution, AdQuality handles client measurement data. The 31 undisclosed vendors on their own site suggest similar opacity may exist in client deployments, corrupting attribution accuracy.
Their position as a media buying agency means demand signals (campaign performance, audience segments, conversion data) flow through their systems. Undisclosed data recipients like TrenDemon, HGInsights, and Firmable suggest potential competitive intelligence leakage to data brokers.
Loading 31 third-party scripts creates significant attack surface. Multiple advertising and analytics vendors increase JavaScript execution risk and potential for supply chain compromise through any of these dependencies.
Claims GDPR compliance while tracking before consent and maintains undisclosed relationships with 31 vendors creates substantial compliance exposure. The gap between their privacy statement (we do not share) and reality (31 data recipients) could constitute a material misrepresentation under GDPR Article 13/14.
Threat Indicators
Runtime-observed (BTI-C)
Evasion infrastructure, auditor bypass
Keystroke/mouse tracking
Full session replay
Ignoring CMP signals
Device identification
Container/loader (neutral)
Claims-vs-Reality (BTI-X)
Not in privacy policy
Hidden data recipients
False certification claims
Per-code narrative explanations of what each detected behavior means for your organization
Per-code evidence with full attribution chain, severity rankings, and consequence narratives See pricing →
Claims vs. Reality
BLACKOUT analyzed Adquality's public claims against observed runtime behavior and identified 3 contradictions.
"Privacy policy mentions only generic web hosting provider"
31 distinct third-party vendors detected on site
2 more gaps — with regulatory citations and evidence pointers — available with subscription.
Full claim-vs-reality gap analysis with claim text, observed behavior, severity, regulatory citations (GDPR, CCPA, ePrivacy), and evidence pointers per gap See pricing →
What To Do
4 for current users · 4 for evaluators
contractual leverage points
Role-specific actions (security / legal / marketing / procurement), full negotiation brief with contractual language, and BTI-code-specific consequences See pricing →
Supply Chain & Pairings
Claims 1, observed 1
Full supply-chain mapping (loads / loaded-by lists with vendor identities) and the undisclosed-subprocessor list with observation evidence See pricing →
