How This Briefing Works
This dossier opens with key findings, then maps the gap between what AdRoll discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection evidence underneath. BLACKOUT observes runtime browser behavior and cites the regulations that address each pattern — legal determinations are your counsel's call.
At a Glance
across 23 sites
vendor fires before consent
3 CRIT · 1 HIGH
Briefing
AdRoll, a NextRoll Inc. brand, is a retargeting and cross-channel advertising platform claiming to serve 110,000+ brands. Despite prominent messaging about a "privacy-forward future" and displaying SOC2 Type 2, GDPR, and CCPA compliance badges, BLACKOUT runtime analysis reveals an 85.4% pre-consent tracking rate across 41 detections—meaning their technology fires tracking before consent is obtained in 85% of observed implementations. More critically, their privacy policy explicitly states: "we have sold personal information in the form of business emails." Their own website (adroll.com) loads 64 third-party vendors with 34 firing pre-consent, including BrightData (data scraping), Clearbit and ZoomInfo (de-anonymization), and Clarity/Contentsquare (session recording). For any company using AdRoll, you are partnering with a vendor that claims privacy compliance while explicitly selling personal data and operating with one of the highest pre-consent rates we have observed.
What This Means For You
If AdRoll retargeting is deployed on your site, their pixel fires before consent on 85.4% of observed implementations — one of the highest pre-consent rates in our detection network. Under GDPR Art 7, this creates near-certain consent violations on EU traffic. AdRoll explicitly admits to selling business emails, meaning your visitors' data may enter a commercial data marketplace. Their audience data flows to Experian (credit bureau), Bombora (intent data), Eyeota, and LiveRamp — your customer signals become competitor intelligence through these partnerships. AdRoll's own website loads 64 third-party vendors with 34 firing pre-consent including BrightData (web scraping), demonstrating that privacy-forward positioning is marketing language, not operational reality. Any conversions attributed to AdRoll from EU or California traffic are legally tainted by pre-consent tracking.
Risk Channel Breakdown
AdRoll's 85.4% pre-consent rate means attribution models are systematically corrupted—conversions attributed to AdRoll may never have received valid consent, making your ROI calculations legally tainted.
Your audience data flows to Experian (credit bureau), Bombora (intent data), Eyeota, and LiveRamp. AdRoll explicitly SELLS business emails. Your customer signals become competitor intelligence.
64 vendors on AdRoll's own site including BrightData (web scraping), Scrapemagic, and TrafficJunky create massive undocumented attack surface. Session recording (Clarity, Contentsquare) captures user behavior.
85.4% pre-consent rate + explicit data sales = direct GDPR Article 7 and CCPA Section 1798.100 violations. SOC2 Privacy audit claim contradicted by admitted data sales.
Threat Indicators
Runtime-observed (BTI-C)
Evasion infrastructure, auditor bypass
Keystroke/mouse tracking
Full session replay
Identity stitching
Ignoring CMP signals
Device identification
PII deanonymization
Container/loader (neutral)
Claims-vs-Reality (BTI-X)
Not in privacy policy
Hidden data recipients
Behavior contradicts marketing
False certification claims
Collection exceeds disclosed scope
Security claims vs evidence
CMP vendor list vs runtime
Per-code narrative explanations of what each detected behavior means for your organization
Per-code evidence with full attribution chain, severity rankings, and consequence narratives See pricing →
Claims vs. Reality
BLACKOUT analyzed AdRoll's public claims against observed runtime behavior and identified 4 contradictions.
"Homepage: 'Keep ROI flowing without compromising consumer trust. Our technology keeps ads relevant — and performant — in a privacy-forward future.'"
85.4% pre-consent tracking rate. 34 vendors fire before consent on own website. Privacy policy admits to SELLING personal information.
3 more gaps — with regulatory citations and evidence pointers — available with subscription.
Full claim-vs-reality gap analysis with claim text, observed behavior, severity, regulatory citations (GDPR, CCPA, ePrivacy), and evidence pointers per gap See pricing →
What To Do
5 for current users · 5 for evaluators
contractual leverage points
Role-specific actions (security / legal / marketing / procurement), full negotiation brief with contractual language, and BTI-code-specific consequences See pricing →
Supply Chain & Pairings
Claims 4, observed 4
Full supply-chain mapping (loads / loaded-by lists with vendor identities) and the undisclosed-subprocessor list with observation evidence See pricing →