How This Briefing Works
This dossier opens with key findings, then maps the gap between what Bannerflow discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection evidence underneath. BLACKOUT observes runtime browser behavior and cites the regulations that address each pattern — legal determinations are your counsel's call.
At a Glance
across 1 sites
vendor fires before consent
1 HIGH
Briefing
Bannerflow is a Stockholm-based creative management platform (CMP) founded in 2010 that enables marketing teams to create and publish HTML5 display ads across 100+ networks. While the company claims GDPR compliance and participates in IAB TCF (ID 273), runtime analysis reveals a 17.9% pre-consent tracking rate with undisclosed third-party vendors (Emerse, Gravite) loading before consent is obtained. This creates compliance liability for customers deploying Bannerflow creatives, as the gap between stated compliance posture and observed behavior undermines GDPR consent requirements.
What This Means For You
YOUR display ad creatives published through Bannerflow reach 100+ networks where undisclosed vendor dependencies may introduce tracking YOUR privacy policy does not account for. YOUR campaign data flows through a platform that fires Emerse and Gravite pre-consent while claiming IAB TCF compliance — YOUR consent framework may be undermined at the creative delivery layer. YOUR DPA with Bannerflow must account for data flows across 100+ publishing networks, each with their own vendor ecosystems. YOUR regulatory exposure extends to every network where Bannerflow publishes YOUR ads with undisclosed tracking.
Risk Channel Breakdown
As an ad creative platform, Bannerflow does not directly corrupt measurement. However, undisclosed tracking partners (Emerse, Gravite) may create attribution conflicts for customers by introducing untracked data flows that fragment the measurement chain.
Bannerflow publishes ads to 100+ networks including competitors' DSPs. The undisclosed tracking vendors create potential demand signal leakage - customer campaign data may flow to parties not covered by data processing agreements, enabling competitive intelligence gathering.
Pre-consent tracking creates regulatory attack surface. Customers using Bannerflow creatives inherit the compliance gap, exposing them to GDPR enforcement risk. The 17.9% pre-consent rate represents measurable non-compliance evidence.
The company claims GDPR compliance and IAB TCF participation but loads tracking scripts before consent. This creates consent divergence - the legal position (compliant) does not match the technical reality (pre-consent tracking). Customers face vicarious liability for Bannerflow's consent violations.
Threat Indicators
Runtime-observed (BTI-C)
Evasion infrastructure, auditor bypass
Keystroke/mouse tracking
Identity stitching
Ignoring CMP signals
Device identification
Claims-vs-Reality (BTI-X)
Not in privacy policy
Hidden data recipients
False certification claims
Per-code narrative explanations of what each detected behavior means for your organization
Per-code evidence with full attribution chain, severity rankings, and consequence narratives See pricing →
Claims vs. Reality
BLACKOUT analyzed Bannerflow's public claims against observed runtime behavior and identified 2 contradictions.
"GDPR compliant, IAB TCF participant (ID 273)"
17.9% of detections show pre-consent tracking
1 more gap — with regulatory citations and evidence pointers — available with subscription.
Full claim-vs-reality gap analysis with claim text, observed behavior, severity, regulatory citations (GDPR, CCPA, ePrivacy), and evidence pointers per gap See pricing →
What To Do
4 for current users · 4 for evaluators
contractual leverage points
Role-specific actions (security / legal / marketing / procurement), full negotiation brief with contractual language, and BTI-code-specific consequences See pricing →
Supply Chain & Pairings
Claims 4, observed 4
Full supply-chain mapping (loads / loaded-by lists with vendor identities) and the undisclosed-subprocessor list with observation evidence See pricing →