How This Briefing Works
This report opens with key findings, then maps the gaps between what Anteriad discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Pre-Consent Tracking
25+ third-party tracking scripts fire before OneTrust consent banner loads. 21 tracking cookies set pre-consent including Google Analytics, HubSpot, Hotjar, Clarity, LinkedIn, Bing, Reddit, and identity resolution beacons.
Consent Mechanism Failure
CMP loads AFTER 25+ tracking scripts have already executed. No Reject All button available -- only I Accept and Cookies Settings. Consent banner is cosmetic theater.
Broken Privacy Infrastructure
Both the Do Not Sell My Personal Information page and Transparency of Data page return 404 errors. CCPA opt-out mechanism is inaccessible.
Undisclosed Identity Resolution
LiveRamp identity sync (idsync.rlcdn.com), Neustar/TransUnion (aa.agkn.com), Pippio (pippio.com), and Apollo.io visitor identification all active pre-consent. No subprocessor list published.
Session Replay Without Consent
Three session replay tools (Hotjar, Microsoft Clarity, CrazyEgg) active pre-consent, recording visitor mouse movements, clicks, scrolls, and form interactions before any consent is obtained.
Claims vs. Observed Behavior
Pre-Consent Tracking
“Claims GDPR compliance with detailed Data Privacy Framework certification”
25+ third-party tracking scripts fire before OneTrust consent banner loads. 21 tracking cookies set pre-consent including Google Analytics, HubSpot, Hotjar, Clarity, LinkedIn, Bing, Reddit, and identity resolution beacons.
CDT MCP network capture showing 236 requests on homepage load, majority from third-party tracking domains, all firing before consent interaction
Consent Mechanism Failure
“OneTrust CMP deployed as consent management platform”
CMP loads AFTER 25+ tracking scripts have already executed. No Reject All button available -- only I Accept and Cookies Settings. Consent banner is cosmetic theater.
Network request timeline shows OneTrust (cdn.cookielaw.org) loading at request #2606 while tracking scripts like GTM, GA, Hotjar, Clarity loaded at requests #2595-2608
Broken Privacy Infrastructure
“Privacy Center links to Do Not Sell My Personal Information page and Transparency of Data page”
Both the Do Not Sell My Personal Information page and Transparency of Data page return 404 errors. CCPA opt-out mechanism is inaccessible.
CDT MCP navigation to anteriad.com/do-not-sell-my-personal-information and anteriad.com/transparency-of-data both return PAGE NOT FOUND
Undisclosed Identity Resolution
“Claims privacy-compliant data practices with Neutronian top 1% certification”
LiveRamp identity sync (idsync.rlcdn.com), Neustar/TransUnion (aa.agkn.com), Pippio (pippio.com), and Apollo.io visitor identification all active pre-consent. No subprocessor list published.
Network requests to idsync.rlcdn.com/712245.gif, aa.agkn.com/adscores/s.pixel, pippio.com/api/sync, and assets.apollo.io/micro/website-tracker observed in pre-consent network capture
Session Replay Without Consent
“Privacy Charter promises to always use data in line with applicable law and always protect information”
Three session replay tools (Hotjar, Microsoft Clarity, CrazyEgg) active pre-consent, recording visitor mouse movements, clicks, scrolls, and form interactions before any consent is obtained.
Hotjar (hotjar-3159465), Clarity (drmu4lraas), and CrazyEgg (0120/1236) scripts loaded and session replay globals (window.hj, window.clarity) confirmed active in pre-consent state
Data Broker Transparency Gap
“Registered California data broker (#186601) positioning as privacy-compliant”
Registered as a data broker while marketing as top 1% for quality and transparency. Privacy policy explicitly acknowledges selling personal information but key transparency pages (Transparency of Data) are non-functional.
California DOJ data broker registration #186601 confirmed via oag.ca.gov. Transparency of Data page returns 404.
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use Anteriad
- →Audit your deployment to verify Anteriad tracking fires only after valid consent is obtained -- their own site demonstrates this is not the default behavior
- →Request a complete list of all data recipients and identity resolution partners that receive data collected from your property, as no subprocessor list is currently published
- →Verify that the Do Not Sell opt-out mechanism functions for your visitors -- Anteriad's own opt-out page returns a 404 error
- →Add contract clause requiring Anteriad to disclose all identity graph partners (LiveRamp, Neustar, Pippio) that receive visitor data from your deployment
- →Implement server-side data collection to reduce client-side code execution and control what data flows to Anteriad's identity resolution partners
If You're Evaluating Anteriad
- →Request evidence that Anteriad's tracking technology fires only after consent on reference customer deployments -- their own website contradicts this
- →Require disclosure of all identity resolution and data syndication partners in the DPA before signing
- →Negotiate right-to-audit clause for runtime consent compliance on your deployment at any time
- →Compare data quality claims (Neutronian top 1%) against observed runtime behavior on their own properties
- →Require contractual indemnification for regulatory fines arising from pre-consent tracking or undisclosed data sharing
Negotiation Leverage
- →Broken opt-out infrastructure: Anteriad's own Do Not Sell My Personal Information page returns a 404 error, and the Transparency of Data page is also broken. Request immediate remediation and contractual guarantee of functional opt-out for your deployment.
- →Pre-consent tracking evidence: 25+ tracking scripts fire before the consent banner loads on Anteriad's own website. Request written confirmation that your deployment will implement consent-gated loading, with liquidated damages for pre-consent activity.
- →Undisclosed data partners: Identity sync requests observed to LiveRamp, Pippio, Neustar/TransUnion, and usbrowserspeed.com with no published subprocessor list. Require complete partner disclosure within 10 business days and 30-day advance notice for new partners.
- →Data broker registration leverage: Anteriad is registered as a California data broker (#186601) while claiming Neutronian top 1% certification for quality and transparency. Use this registered status to negotiate enhanced data handling provisions and deletion SLAs under the California Delete Act.
- →Session replay disclosure: Three session replay tools (Hotjar, Clarity, CrazyEgg) record visitor behavior on Anteriad's site pre-consent. Request confirmation that your deployment will not be subject to session replay without explicit visitor consent.
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
Keystroke/mouse tracking
Identity stitching
Ignoring CMP signals
PII deanonymization
Container/loader (neutral)
IOC Manifest
Indicators of compromise across 5 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
Complete network capture with all requests and responses
130 detection signatures across scripts, domains, cookies, and network endpoints