All Vendors
advertising

Google AdSense

5.7% pre-consent rate across 264 detections — significantly better than industry peers like AdRoll (85.4%) but technically non-zero. Google explicitly states they never sell personal information and provides consent integration tools (Funding Choices, Consent Mode). Risk is implementation-dependent.

22 IOCs270 detections6% pre-consent260 sites
90
Vendor Risk Score

How This Briefing Works

This report opens with key findings, then maps the gaps between what Google AdSense discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

Key Findings

270 detections across 260 sites6% pre-consent activity
MEDIUM

Pre-Consent Activity

Google AdSense was observed loading and executing before user consent was obtained on 6% of sites where it was detected.

GDPRePrivacy
HIGH

Compliance Claim Mismatch

False certification claims

Disclosure Gaps

Claims vs. Observed Behavior

2 gaps
1 MED
Classified:BTI-X05

disclosure_gap

GDPR Article 13MEDIUM
They Claim

Google-owned properties should only load Google services

Observed Behavior

adsense.google.com loads non-Google third parties including Scrapemagic, Bytemine, Lavender, Scoreplex, Upcell

Third-party vendor detection on adsense.google.com

Customer Impact

What This Means For You

If Google AdSense is deployed on your site, your compliance exposure is largely implementation-dependent. Google provides robust consent integration tools including Funding Choices and Consent Mode v2 — when properly configured, these can achieve near-zero pre-consent rates. Unlike competitors, Google explicitly does not sell personal information, keeping data within Alphabet's ecosystem. Under GDPR Art 7, you remain responsible for ensuring AdSense loads after consent on your property. The 5.7% pre-consent rate observed in the wild primarily reflects publisher implementation gaps, not Google's defaults. Your primary risk is proper CMP integration, not vendor behavior.
Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use Google AdSense

  • Verify your AdSense implementation uses Consent Mode v2 for EU/UK traffic — this eliminates most pre-consent compliance exposure
  • Implement Google Funding Choices or integrate AdSense with your CMP via Google's consent APIs
  • Review Google's Ad Technology Providers list to understand which third parties receive data through your AdSense deployment
  • Test your implementation with a runtime scan to verify 0% pre-consent rate on your property
  • Enable restricted data processing for California users under CCPA requirements

If You're Evaluating Google AdSense

  • AdSense is among the more compliant ad networks at 5.7% pre-consent versus industry averages exceeding 50%
  • Google explicitly does not sell personal information — a meaningful differentiator versus competitors like AdRoll or Criteo
  • Require implementation to use Consent Mode v2 from day one to avoid consent compliance gaps
  • Review Google's Data Processing Terms and Ad Technology Providers list before signing
  • Consider that Google's walled garden approach means less data leakage to external brokers but more dependency on Google's ecosystem

Negotiation Leverage

  • Consent Mode v2 implementation: Google provides Consent Mode v2 for EU/UK compliance. Require your implementation team to enable this before launch and verify 0% pre-consent rate with runtime testing.
  • Ad Technology Providers audit: Google operates an extensive network of ad technology providers that may receive data through AdSense. Request and review the complete Ad Technology Providers list to ensure compatibility with your privacy commitments.
  • Data retention terms: Review Google's Data Processing Terms for ad data retention periods and ensure alignment with your organization's data retention policies and GDPR Art 5(1)(e) requirements.
Runtime Detections

Runtime Detections

9 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C01Defeat Device

Evasion infrastructure, auditor bypass

BTI-C06Behavioral Biometrics

Keystroke/mouse tracking

BTI-C07Session Recording

Full session replay

BTI-C08Cross-Domain Sync

Identity stitching

BTI-C09Consent Bypass

Ignoring CMP signals

BTI-C10Fingerprinting

Device identification

BTI-C13Persistence Mechanisms

Long-lived identifiers

BTI-C14Identity Resolution

PII deanonymization

BTI-C15Tag Manager

Container/loader (neutral)

IOC Manifest

IOC Manifest

17 INDICATORS

Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

TRACK
*adsense.google.com/start/static/revamp/index.js*
Tracking script
EXFIL
*adsense.google.com/start/calculator-data.json*
Data collection endpoint
TRACK
*www.google.com/js/th/O7Brsst-eKRSBMqZEzo84u91_54NIqrtMXpCF32IP3I.js*
Tracking script
TRACK
adsense.google.com/start/static/revamp/index.min.js
Auto-extracted from scan
Ecosystem

Ecosystem & Supply Chain

Google AdSense operates as the publisher-facing component of Alphabet's advertising ecosystem, the largest in the world. Related services include DoubleClick (now Google Marketing Platform), Google Ads (advertiser-facing), and Google Ad Manager (enterprise publishers). On adsense.google.com itself, the detected vendors are predominantly other Google properties (GA4, Google Cloud, Google Maps, YouTube, DoubleClick)—this is first-party context within the Google ecosystem. However, third-party tools were also detected: Scrapemagic (data extraction), Bytemine, Lavender, Scoreplex, and TrenDemon. The presence of data extraction tools on Google's corporate site warrants investigation. AdSense publishers inherit Google's advertiser network, which includes competitors and data enrichment services—traffic signals flow through Google's bidding infrastructure to thousands of demand partners.
Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

22 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details