How This Briefing Works
This report opens with key findings, then maps the gaps between what Bombora discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Pre-Consent Activity
Bombora was observed loading and executing before user consent was obtained on 100% of sites where it was detected.
Compliance Claim Mismatch
False certification claims
Scope Creep
Collection exceeds disclosed scope
Claims vs. Observed Behavior
Pre-Consent Tracking
Claim: "Google Consent Mode v2 defaults set to denied for all purposes"
Observed: GA4 fires pre-consent with full visitor data (CID, screen resolution, platform, language) despite Consent Mode defaults being set to denied - the cookieless pings still carry behavioral data
Evidence: CDT MCP network request inspection; GA4 collect request with CID 1580430798.1771804437 observed pre-consent

Consent Architecture Gap
Claim: "Usercentrics CMP is loaded as consent management platform"
Observed: The CMP script is loaded but no consent banner was rendered during testing - a consent mechanism exists in code but does not gate data collection in practice
Evidence: CDT MCP snapshot and network analysis; Usercentrics script loaded but no banner element in the DOM

Identity Resolution Scope
Claim: "Bombora assigns UIDs to devices but states it does not identify individuals by name"
Observed: UIDs combined with cookie syncing, hashed emails, and cross-device tracking create a persistent identity graph that effectively identifies individuals even without using names
Evidence: Privacy policy verbatim: assigns UIDs, cookie syncing, user matching, hashed emails, cross-device tracking

Scope Creep
Claim: "Bombora describes its scope as business-level Company Surge intent data"
Observed: The privacy policy explicitly discloses cookie syncing, user matching, hashed email processing, cross-device tracking, and individual-level UID assignment - a scope far exceeding business profiles
Evidence: Privacy policy analysis; marketing vs. policy comparison

Data Retention
Claim: "Claims data is retained only as long as necessary for stated purposes"
Observed: No specific retention period is disclosed anywhere in the privacy policy - the statement is circular and unenforceable
Evidence: Full privacy policy review via CDT MCP; no numeric retention period found

Selective Consent Gating
Claim: "HubSpot is consent-gated with type=text/plain until user consents"
Observed: While HubSpot is properly consent-gated, this creates a false impression of privacy rigor when GA4 and GTM fire freely pre-consent
Evidence: CDT MCP script inspection: HubSpot type=text/plain, GA4 fires immediately
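The pre-consent check behind the first two rows can be reproduced from a network capture. The following is an added example, not BLACKOUT's tooling or Bombora's code: it takes HAR-shaped request records (constructed inline here, with placeholder client ID and measurement ID) plus the timestamp of the consent event, and lists every GA4 collect beacon that fired before consent along with the visitor fields it carried and whether its gcs value reported analytics consent as denied.

```python
# Added example (not BLACKOUT's tooling): flag GA4 collect beacons that fired
# before the consent event and list the visitor fields they carried.
# Input records are constructed here in the shape of HAR entries.
from datetime import datetime
from urllib.parse import parse_qs, urlparse

# GA4 measurement endpoints; requests to other hosts are ignored.
COLLECT_HOSTS = {"www.google-analytics.com", "analytics.google.com",
                 "region1.google-analytics.com"}
# GA4 query parameters that describe the visitor/device even on cookieless pings.
VISITOR_PARAMS = {"cid": "client id", "sr": "screen resolution",
                  "ul": "language", "uap": "platform", "gcs": "consent state"}

# Constructed sample: consent granted at 12:00:05; one beacon fires 3 s earlier.
# Measurement ID, client ID and CMP host are placeholders, not observed values.
CONSENT_AT = "2025-01-01T12:00:05Z"
SAMPLE_ENTRIES = [
    {"startedDateTime": "2025-01-01T12:00:02Z",
     "url": "https://www.google-analytics.com/g/collect?v=2&tid=G-XXXXXXX"
            "&gcs=G100&cid=1234567890.1700000000&sr=1920x1080&ul=en-us"
            "&uap=macOS&en=page_view"},
    {"startedDateTime": "2025-01-01T12:00:03Z",
     "url": "https://cmp.example.invalid/loader.js"},
    {"startedDateTime": "2025-01-01T12:00:09Z",
     "url": "https://www.google-analytics.com/g/collect?v=2&gcs=G111"
            "&cid=1234567890.1700000000&en=scroll"},
]

def _ts(iso):
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def pre_consent_beacons(entries, consent_at):
    """Return GA4 collect requests started before consent_at, with visitor params."""
    cutoff = _ts(consent_at)
    hits = []
    for e in entries:
        u = urlparse(e["url"])
        if u.hostname not in COLLECT_HOSTS or not u.path.startswith("/g/collect"):
            continue
        if _ts(e["startedDateTime"]) >= cutoff:
            continue
        q = parse_qs(u.query)
        found = {k: q[k][0] for k in VISITOR_PARAMS if k in q}
        # gcs=G1xy: x = ad_storage, y = analytics_storage; 0 means denied.
        hits.append({"url": e["url"], "params": found,
                     "analytics_denied": found.get("gcs", "")[-1:] == "0"})
    return hits

if __name__ == "__main__":
    for h in pre_consent_beacons(SAMPLE_ENTRIES, CONSENT_AT):
        fields = ", ".join(f"{VISITOR_PARAMS[k]}={v}" for k, v in h["params"].items())
        print(f"PRE-CONSENT {h['url'].split('?')[0]}: {fields}")
```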
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use Bombora
- Audit your properties for the ml314.com/bombora.com tag and understand what data flows to the cooperative
- Review your Bombora DPA for specific retention periods - their privacy policy provides none
- Verify whether your consent architecture covers Bombora's tag deployment (their own CMP showed gaps)
- Map which competitors receive intent signals derived from YOUR audience data via the cooperative
- Confirm Bombora's IAB TCF registration covers your specific use case and jurisdiction
If You're Evaluating Bombora
- Request a complete data flow diagram showing how your property data moves through the cooperative
- Ask for specifics on cookie syncing partners and user matching methodology
- Demand clarity on the netFactor/VisitorTrack integration and whether it applies to your data
- Benchmark Bombora's consent architecture against your own compliance requirements
- Evaluate whether the Data Co-op model creates acceptable competitive intelligence risk for your business
Negotiation Leverage
- Bombora's own website fires GA4 pre-consent despite implementing Consent Mode v2 with denied defaults - this demonstrates their internal compliance standards and may indicate how they advise cooperative publishers
- The Usercentrics CMP is loaded but no consent banner renders - ask whether this is the same CMP configuration recommended to cooperative members
- The privacy policy explicitly discloses data sale under CCPA while marketing materials emphasize a privacy-first cooperative model - use this gap as leverage for contractual protections
- No specific data retention period is disclosed - demand contractual retention limits with deletion verification
- The netFactor (VisitorTrack) acquisition expanded capabilities from content consumption to visitor identification - ensure your DPA covers the combined entity's full capability set
- IAB TCF v2.2 registration (ID 163) provides a baseline but does not cover all processing activities disclosed in the privacy policy - identify the gaps
- Dual GTM containers suggest complex tag management that may not be fully reflected in their data processing disclosures - request tag audit documentation
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
Keystroke/mouse tracking
Identity stitching
PII deanonymization
Container/loader (neutral)
IOC Manifest
Indicators of compromise across 5 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
Complete network capture with all requests and responses
161 detection signatures across scripts, domains, cookies, and network endpoints
