
Celtra

Celtra creative management platform deploys extensive advertising surveillance including behavioral biometrics, session recording, cross-domain synchronization, tag management, and consent bypass. The platform demonstrates high-risk data broker patterns.

96 IOCs | 4 detections | 100% pre-consent | 3 sites
Vendor Risk Score: 70

How This Briefing Works

This report opens with key findings, then maps the gaps between what Celtra discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

4 detections across 3 sites | 100% pre-consent activity
CRITICAL

Pre-Consent Activity

Celtra was observed loading and executing before user consent was obtained on 100% of sites where it was detected.

GDPR, ePrivacy
Disclosure Gaps

Claims vs. Observed Behavior

2 gaps

disclosure

CRITICAL
They Claim

Pending privacy policy review

Observed Behavior

Session recording during ad interactions observed—requires explicit disclosure verification

Customer Impact

What This Means For You

Customers face GDPR violations and potential wiretapping liability from session recording during ad interactions. Session recordings may capture form data, search queries, or product browsing behavior on advertiser sites—creating data breach notification obligations if recordings contain PII. Cross-domain synchronization enables Celtra to track users from ad click through conversion, creating extensive profiling without consent. Tag manager functionality creates undisclosed third-party data sharing liability. Behavioral biometrics may violate Illinois BIPA. Advertisers face reputational risk if session recording of ad interactions becomes public.
Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use Celtra

  • IMMEDIATE: Audit all Celtra creative deployments to verify session recording is disabled or explicitly disclosed
  • Implement strict consent-gating for ALL Celtra tracking across ad placements and advertiser sites
  • Disable behavioral biometrics and cross-domain synchronization in Celtra campaign settings
  • Configure creative templates to use privacy-preserving modes (no session recording)
  • Deploy tag manager allowlisting to prevent unauthorized script injection via Celtra infrastructure
  • Conduct monthly audits of session recording behavior and cross-domain tracking capabilities
  • Enable data minimization controls to limit retention to active campaign periods only (30 days maximum)
  • Review Celtra privacy policy disclosures and update advertiser privacy policies to reflect session recording if active

If You're Evaluating Celtra

  • Request DPA with explicit prohibitions on session recording and cross-domain audience profiling
  • Require technical documentation on cross-domain synchronization methodology and partner ecosystem
  • Verify Celtra honors IAB TCF consent strings and Global Privacy Control (GPC) across all ad placements
  • Demand contractual indemnification for GDPR fines and wiretapping liability arising from session recording
  • Assess alternative creative platforms without session recording capabilities
  • Negotiate right to audit Celtra consent processing logs and cross-domain sync partners
  • Request deletion of all historical session recordings and cross-domain tracking data for users without explicit behavioral advertising consent

Negotiation Leverage

  • Celtra session recording (BTI-C07) during ad interactions creates wiretapping liability—require immediate technical verification that recording is disabled or demand contractual indemnification
  • Cross-domain synchronization (BTI-C08) across advertiser/publisher properties creates extensive tracking—demand explicit opt-in before any cross-domain linking
  • Tag manager (BTI-C15) enables undisclosed script injection—require contractual restrictions and real-time disclosure of injected tags
  • Consent bypass (BTI-C09) with session recording active creates maximum regulatory exposure—require technical implementation of consent verification before tracking initialization
  • Behavioral biometrics (BTI-C06) enables fingerprinting beyond cookie deletion—negotiate contractual prohibition or explicit user disclosure requirement
  • Request documentation on data retention periods, cross-domain sync partners, and advertiser access to session recordings
  • Demand prohibition on using advertiser campaign interaction data for Celtra's own creative optimization benchmarks or cross-customer insights
  • Negotiate maximum 30-day retention for behavioral data with automated deletion and right to audit retention compliance

Runtime Detections

5 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C06 Behavioral Biometrics

Keystroke/mouse tracking

Impact: Captures mouse movements, scroll patterns, interaction timing, and engagement metrics during ad exposure to build unique user fingerprints for cross-campaign targeting.

BTI-C07 Session Recording

Full session replay

Impact: Records user interactions with dynamic ads including form fills, product browsing, and click behavior—potentially capturing sensitive data without consent.

BTI-C08 Cross-Domain Sync

Identity stitching

Impact: Synchronizes user identifiers and interaction data across advertiser sites, publisher properties, and ad networks, enabling comprehensive cross-site tracking.

BTI-C09 Consent Bypass

Ignoring CMP signals

Impact: Initializes comprehensive tracking infrastructure before consent collection, creating automatic legal violations across all ad placements.

BTI-C15 Tag Manager

Container/loader (neutral)

Impact: Deploys tag management infrastructure that can dynamically inject additional tracking scripts beyond declared creative elements.

IOC Manifest

90 INDICATORS

Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

Ecosystem

Ecosystem & Supply Chain

Celtra integrates with demand-side platforms (DSPs), supply-side platforms (SSPs), ad servers (Google Ad Manager, Sizmek), and creative optimization tools. The platform synchronizes data across the advertising ecosystem for frequency capping, attribution, and audience targeting. Cross-domain capabilities enable user tracking from ad exposure through advertiser site conversion. Tag manager functionality allows dynamic loading of analytics, attribution, and conversion pixels.
Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

96 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details