How This Briefing Works
This dossier opens with key findings, then maps the gap between what BeeswaxRTB discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection evidence underneath. BLACKOUT observes runtime browser behavior and cites the regulations that address each pattern — legal determinations are your counsel's call.
At a Glance
across 10 sites
vendor fires before consent
2 HIGH
Briefing
Beeswax (now FreeWheel Buyer Cloud) is a programmatic advertising DSP and Bidder-as-a-Service platform acquired by Comcast in 2021. The platform enables real-time bidding across CTV, video, and display advertising. Key finding: Despite GDPR/CCPA compliance claims, 11.1% pre-consent tracking rate observed on sites where detected, and their own website loads GoogleAnalytics4, HubSpot, and Pardot before consent. Privacy policy discloses only generic vendor categories while 23 specific third-party vendors operate on beeswax.com. Explicit data sale disclosure makes this a revenue intelligence risk for customers whose demand signals flow through the platform.
What This Means For You
YOUR programmatic campaigns through Beeswax route bid data through a platform that explicitly admits to selling personal information. YOUR audience targeting strategies and pricing data flow through bid streams to undisclosed partners, creating competitive intelligence leakage. YOUR DPA with Beeswax likely references generic vendor categories rather than the 23 specific vendors detected — leaving YOUR compliance documentation incomplete under GDPR Article 30. As a Comcast subsidiary, YOUR campaign data exists within a media conglomerate with cross-platform targeting capabilities.
Risk Channel Breakdown
As an RTB bidder platform, Beeswax processes bid requests containing detailed audience signals. Measurement integrity is compromised when advertisers cannot verify which data processors touch their campaign data, as only generic categories are disclosed rather than specific subprocessors.
Beeswax explicitly states they sell personal information. Bid stream data contains competitive intelligence about advertiser strategies, audience targeting, and pricing. This data flows to undisclosed partners, creating demand signal leakage to potential competitors.
The platform operates as a data processor for multiple advertisers, creating concentrated attack surface. Pre-consent tracking on their own site (GA4, HubSpot, Pardot) demonstrates operational security practices that could expose advertiser data. 23 undisclosed vendors on their website expand the attack surface.
Claims GDPR and CCPA compliance while allowing pre-consent tracking (11.1% rate on detected sites, 3 vendors pre-consent on their own site). This creates consent liability for customers who integrate Beeswax, as their compliance posture becomes dependent on Beeswax practices they cannot audit.
Threat Indicators
Runtime-observed (BTI-C)
Keystroke/mouse tracking
Full session replay
Identity stitching
Ignoring CMP signals
PII deanonymization
Claims-vs-Reality (BTI-X)
Not in privacy policy
Hidden data recipients
False certification claims
Per-code narrative explanations of what each detected behavior means for your organization
Per-code evidence with full attribution chain, severity rankings, and consequence narratives See pricing →
Claims vs. Reality
BLACKOUT analyzed BeeswaxRTB's public claims against observed runtime behavior and identified 3 contradictions.
"Privacy policy references generic vendor categories (data analytics vendors, optimization vendors)"
23 specific third-party vendors detected on beeswax.com including GoogleAnalytics4, HubSpot, Pardot, DoubleClick, Intentdata, Peer39, Rockerbox, Semcasting
2 more gaps — with regulatory citations and evidence pointers — available with subscription.
Full claim-vs-reality gap analysis with claim text, observed behavior, severity, regulatory citations (GDPR, CCPA, ePrivacy), and evidence pointers per gap See pricing →
What To Do
4 for current users · 4 for evaluators
contractual leverage points
Role-specific actions (security / legal / marketing / procurement), full negotiation brief with contractual language, and BTI-code-specific consequences See pricing →
Supply Chain & Pairings
Claims 6, observed 6
googletagmanager, googleanalytics4, linkedinads…
Full supply-chain mapping (loads / loaded-by lists with vendor identities) and the undisclosed-subprocessor list with observation evidence See pricing →
