BeeswaxRTB | Vendor Intelligence

How This Briefing Works

This report opens with key findings, then maps the gaps between what BeeswaxRTB discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

9 detections across 9 sites11% pre-consent activity

MEDIUM

Pre-Consent Activity

BeeswaxRTB was observed loading and executing before user consent was obtained on 11% of sites where it was detected.

GDPRePrivacy

HIGH

Disclosure Gap

23 specific third-party vendors detected on beeswax.com including GoogleAnalytics4, HubSpot, Pardot, DoubleClick, Intentdata, Peer39, Rockerbox, Semcasting

GDPR Art 13GDPR Art 28CCPA 1798.110

HIGH

Pre-Consent Tracking

GoogleAnalytics4, HubSpot, and Pardot load pre-consent on beeswax.com. 11.1% pre-consent rate on sites where Beeswax is detected.

GDPR Art 6GDPR Art 7ePrivacy Directive

HIGH

Undisclosed Party

Not in privacy policy

HIGH

Undisclosed Sharing

Hidden data recipients

Disclosure Gaps

Claims vs. Observed Behavior

3 gaps

2 HIGH1 MED

Classified:BTI-X01BTI-X02BTI-X05

Disclosure Gap

GDPR Art 13 · GDPR Art 28 · CCPA 1798.110HIGH

They Claim

“Privacy policy references generic vendor categories (data analytics vendors, optimization vendors)”

Observed Behavior

23 specific third-party vendors detected on beeswax.com including GoogleAnalytics4, HubSpot, Pardot, DoubleClick, Intentdata, Peer39, Rockerbox, Semcasting

Runtime scan of beeswax.com detected 23 distinct vendor scripts

Data Sale Disclosure

CCPA 1798.115 · CCPA 1798.120MEDIUM

They Claim

“Transparent about data sale practices”

Observed Behavior

While transparent about selling data, customers may not realize their campaign data becomes part of this data sale ecosystem

Customer Impact

What This Means For You

YOUR programmatic campaigns through Beeswax route bid data through a platform that explicitly admits to selling personal information. YOUR audience targeting strategies and pricing data flow through bid streams to undisclosed partners, creating competitive intelligence leakage. YOUR DPA with Beeswax likely references generic vendor categories rather than the 23 specific vendors detected — leaving YOUR compliance documentation incomplete under GDPR Article 30. As a Comcast subsidiary, YOUR campaign data exists within a media conglomerate with cross-platform targeting capabilities.

Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use BeeswaxRTB

→Review your DPA to ensure specific subprocessor disclosure requirements are met — current disclosures are generic categories only
→Audit pre-consent behavior on your properties where Beeswax is integrated
→Assess data sale implications — Beeswax explicitly sells personal information; verify your contract restricts this for your campaign data
→Request documentation on data flows within the Comcast/FreeWheel corporate structure

If You're Evaluating BeeswaxRTB

→Request named subprocessor list rather than generic vendor categories before signing
→Verify what bid stream data is retained and how it flows within the Comcast ecosystem
→Compare with independent DSPs that do not carry conglomerate data aggregation risk
→Require contractual restrictions on personal information sales related to your campaigns

Negotiation Leverage

→Personal information sales: Beeswax explicitly states they sell personal information — use this disclosure to negotiate data usage restrictions and opt-out mechanisms for your campaign data
→Generic vendor disclosure: Privacy policy lists only vendor categories while 23 specific vendors detected — require named subprocessor disclosure as a contract condition
→Comcast subsidiary risk: As a FreeWheel/Comcast entity, bid stream data may flow across the conglomerate — negotiate explicit restrictions on data sharing within the Comcast corporate family
→Pre-consent behavior: Vendors firing before consent on beeswax.com suggests systemic consent architecture issues — leverage for consent compliance guarantees in your DSP agreement

Runtime Detections

5 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C06Behavioral Biometrics

Keystroke/mouse tracking

BTI-C07Session Recording

Full session replay

BTI-C08Cross-Domain Sync

Identity stitching

BTI-C09Consent Bypass

Ignoring CMP signals

BTI-C14Identity Resolution

PII deanonymization

IOC Manifest

15 INDICATORS

Indicators of compromise across 3 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

TRACK

*www.beeswax.com/js/beeswax.bundle.js*

Tracking script

TRACK

bidr.io

Tracking script

TRACK

www.beeswax.com/js/beeswax.bundle.js

Auto-extracted from scan

Ecosystem

Ecosystem & Supply Chain

Beeswax operates as a Bidder-as-a-Service (BaaS) and DSP platform in the programmatic advertising ecosystem. Owned by Comcast via FreeWheel subsidiary since 2021, it processes bid requests from SSPs and ad exchanges. The platform loads via inline scripts on customer sites. Key ecosystem position: sits between advertisers and inventory sources, processing bid stream data that contains audience signals, pricing information, and competitive intelligence. Loads: GoogleAnalytics4, HubSpot, Pardot (for their own marketing). Is loaded by: various publishers and advertisers integrating the Beeswax DSP. Connected to broader Comcast/NBCUniversal advertising ecosystem.

Commonly Deployed With

Googletagmanager Googleanalytics4 Linkedinads Doubleclick Trovo Tag Idvisitors Remarketing Stats Liveintent Ad Management Metapixel Liveintent

Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

15 detection signatures across scripts, domains, cookies, and network endpoints