How This Briefing Works
This report opens with key findings, then maps the gaps between what Bidvertiser discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Fingerprinting Disclosure
Homepage explicitly states: Unique user delivery guaranteed by our accurate fingerprinting
Pre-Consent Activity
Bidvertiser was observed loading and executing before user consent was obtained on 36% of sites where it was detected.
Pre-Consent Tracking
35.5% of detections occur pre-consent
Undisclosed Vendors
10+ vendors detected on their own site including identity resolution services
Undisclosed Party
Not in privacy policy
Claims vs. Observed Behavior
Fingerprinting Disclosure
“GDPR compliance claimed in privacy policy”
Homepage explicitly states: Unique user delivery guaranteed by our accurate fingerprinting
Homepage text at bidvertiser.com under In-House Technology section
Pre-Consent Tracking
“GDPR compliance with consent-based processing”
35.5% of detections occur pre-consent
Analysis of 31 detections across 30 sites
Undisclosed Vendors
“Privacy policy lists 3 subprocessors (Google Analytics, PayPal, Braintree)”
10+ vendors detected on their own site including identity resolution services
Runtime scan of bidvertiser.com showing Contactout, Firmable, TrenDemon, multiple Google services
DNT Non-Compliance
“None - explicitly states DNT not honored”
Consistent with claim but increases regulatory risk
Privacy policy states: We do not support Do Not Track
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use Bidvertiser
- →Audit your consent flow to ensure BidVertiser code loads only after valid explicit consent including fingerprinting disclosure
- →Update your privacy policy to disclose BidVertiser, browser fingerprinting, and their undisclosed subprocessors
- →Request their current subprocessor list — privacy policy only names Cloudflare
- →Assess whether browser fingerprinting aligns with your compliance posture under ePrivacy Directive
If You're Evaluating Bidvertiser
- →Assess whether admitted browser fingerprinting is compatible with your privacy standards
- →Request complete subprocessor list beyond Cloudflare before any engagement
- →Compare with ad networks that do not use fingerprinting or invasive ad formats
- →Require contractual prohibition on fingerprinting YOUR visitors without explicit consent disclosure
Negotiation Leverage
- →Admitted fingerprinting: BidVertiser homepage states unique user delivery via fingerprinting — use this self-admission to negotiate consent requirements or termination rights under ePrivacy Directive
- →Identity resolution undisclosed: Contactout and Firmable detected but not in privacy policy — require named vendor disclosure and DPA coverage for all detected vendors
- →Single subprocessor: Only Cloudflare listed while multiple vendors detected — require complete subprocessor list as a contract condition
- →Pop-under ad formats: Invasive formats combined with fingerprinting create compounded regulatory risk — negotiate format restrictions and enhanced consent requirements
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
Evasion infrastructure, auditor bypass
Keystroke/mouse tracking
Full session replay
Ignoring CMP signals
Device identification
IOC Manifest
Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
Complete network capture with all requests and responses
100 detection signatures across scripts, domains, cookies, and network endpoints