How This Briefing Works
This report opens with key findings, then maps the gaps between what Benchmedia discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Pre-Consent Activity
Benchmedia was observed loading and executing before user consent was obtained on 9% of sites where it was detected.
Claims vs. Observed Behavior
consent
“Pending claims extraction via CDT”
Consent bypass detected in runtime behavior
disclosure
“Pending privacy policy review”
Behavioral biometrics and session recording observed without disclosure verification
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use Benchmedia
- →Implement server-side consent verification before Benchmedia initialization
- →Deploy consent management platform (CMP) with explicit opt-in for behavioral tracking
- →Configure tag manager rules to block Benchmedia until consent granted
- →Enable privacy-preserving ad targeting modes if available
- →Conduct quarterly audits of tracking behavior vs. privacy policy disclosures
If You're Evaluating Benchmedia
- →Request Data Processing Agreement (DPA) with behavioral tracking scope definitions
- →Require vendor attestation on consent mechanism compliance
- →Verify IAB Transparency & Consent Framework (TCF) v2.2 implementation
- →Demand contractual liability protection for regulatory fines
- →Consider alternative DSP platforms with consent-first architecture
Negotiation Leverage
- →Benchmedia behavioral biometrics collection (BTI-C06) operates without consent verification—require contractual commitment to honor consent signals
- →Session recording functionality (BTI-C07) must be disabled by default with explicit opt-in requirement
- →Consent bypass behavior (BTI-C09) creates direct regulatory exposure—demand indemnification for GDPR/CCPA fines arising from vendor non-compliance
- →Request technical documentation on data retention periods and deletion procedures for behavioral profiles
- →Negotiate right to audit vendor compliance with consent directives on quarterly basis
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
Keystroke/mouse tracking
Impact: Captures mouse movements, scroll depth, and interaction patterns to build unique user fingerprints, enabling cross-site tracking even when cookies are cleared.
Full session replay
Impact: Records user interactions during ad engagement, capturing behavioral data that can reconstruct user journeys and preferences without explicit consent.
Identity stitching
Ignoring CMP signals
Impact: Initializes tracking mechanisms before consent is collected, creating automatic GDPR/CCPA violations and exposing customers to regulatory action.
IOC Manifest
Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
Complete network capture with all requests and responses
109 detection signatures across scripts, domains, cookies, and network endpoints