How This Briefing Works
This report opens with key findings, then maps the gaps between what AdRoll discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
claims_gap
85.4% pre-consent tracking rate. 34 vendors fire before consent on own website. Privacy policy admits to SELLING personal information.
disclosure_gap
64 third-party vendors detected on adroll.com including BrightData, Clearbit, ZoomInfo, Demandbase, Clarity, Contentsquare, Criteo, and 50+ others
compliance_gap
Explicit admission of selling personal information in privacy policy. SOC2 Privacy principle cannot coexist with a data sales business model.
Pre-Consent Activity
AdRoll was observed loading and executing before user consent was obtained on 85% of sites where it was detected.
consent_gap
Own website (adroll.com) has no visible CMP while loading 64 vendors, 34 pre-consent. BrightData and session recording fire before any consent mechanism.
Claims vs. Observed Behavior
claims_gap
Claim: “Homepage: 'Keep ROI flowing without compromising consumer trust. Our technology keeps ads relevant — and performant — in a privacy-forward future.'”
Observed: 85.4% pre-consent tracking rate. 34 vendors fire before consent on own website. Privacy policy admits to SELLING personal information.
Evidence: Runtime pre_consent rate + Privacy policy Section: In the preceding twelve months we have sold...
disclosure_gap
Claim: “Privacy policy discloses 4 Audience Partners: Bombora, Experian, Eyeota, LiveRamp”
Observed: 64 third-party vendors detected on adroll.com including BrightData, Clearbit, ZoomInfo, Demandbase, Clarity, Contentsquare, Criteo, and 50+ others
Evidence: Runtime vendor detection vs disclosed partner list
compliance_gap
Claim: “Trust Center: SOC2 Type 2 Audit (Security and Privacy) with no exceptions”
Observed: Explicit admission of selling personal information in privacy policy. SOC2 Privacy principle cannot coexist with a data sales business model.
Evidence: Trust center SOC2 claim + Privacy policy data sales admission
consent_gap
Claim: “Offers consent management features to customers”
Observed: Own website (adroll.com) has no visible CMP while loading 64 vendors, 34 pre-consent. BrightData and session recording fire before any consent mechanism.
Evidence: No CMP detected on adroll.com + 34 pre_consent=true vendors
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use AdRoll
- IMMEDIATE: Audit your AdRoll implementation — 85.4% pre-consent rate means your pixel almost certainly fires before consent on EU traffic
- Request in writing the full list of data recipients beyond the 4 disclosed Audience Partners (Bombora, Experian, Eyeota, LiveRamp)
- Request written confirmation that your customer data is NOT being sold — their privacy policy admits to selling business emails
- Review your DPA to ensure contract explicitly prohibits sale of data derived from your visitors
- Discount any EU/CA conversions attributed to AdRoll where pre-consent tracking makes consent chain legally questionable
If You're Evaluating AdRoll
- Ask why AdRoll's own website fires 34 vendors pre-consent while marketing a 'privacy-forward future'
- Request complete data flow documentation showing where your customer data goes beyond retargeting
- Require contractual prohibition on data sale — their default terms allow selling personal information
- Factor in joint regulatory liability: 85.4% pre-consent rate with admitted data sale creates one of the highest compliance risk profiles we observe
- Consider retargeting alternatives that do not sell personal data and maintain sub-10% pre-consent rates
Negotiation Leverage
- Pre-consent SLA: 85.4% pre-consent rate makes GDPR compliance nearly impossible with current implementation. Require contractual guarantee of 0% pre-consent activity with liquidated damages, and mandate server-side integration to replace client-side pixel.
- Data sale prohibition: AdRoll admits to selling personal information in the form of business emails. Require contractual prohibition on selling, sharing, or enriching any data derived from your visitors with third parties.
- Data partner restriction: AdRoll shares data with Experian, Bombora, Eyeota, and LiveRamp. Require contractual right to approve or reject each data partner that receives your visitor data, with 30-day advance notice before additions.
- BrightData relationship: BrightData (web scraping service) loads on adroll.com. Require written explanation of this relationship and contractual guarantee that BrightData is not involved in any data processing related to your account.
- Attribution audit rights: Given 85.4% pre-consent rate, Criteo-attributed conversions from EU/CA traffic may be legally invalid. Require access to raw conversion data with consent timestamps for independent attribution verification.
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
- Evasion infrastructure, auditor bypass
- Keystroke/mouse tracking
- Full session replay
- Identity stitching
- Ignoring CMP signals
- Device identification
- PII deanonymization
- Container/loader (neutral)
IOC Manifest
Indicators of compromise across 5 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
- Complete network capture with all requests and responses
- 121 detection signatures across scripts, domains, cookies, and network endpoints