QA mode · Tier:PUBLIC(override via ?tier=paid | premium)
← All Vendors
advertising
Connexity

Connexity

Connexity, a Taboola subsidiary generating $5B in annual retail sales, explicitly admits to selling personal data including identifiers, purchase records, and behavioral inferences — while its CMP discloses only 9 of 24 detected vendors.

156 IOCs observed2 detections100% pre-consent1 sites
80
Vendor Risk Score
Tier: HOSTILE
Observation Coverage

BLACKOUT observes runtime behavior in the browser. This dossier reflects browser-side execution, which is one of five vendor data-egress classes. Server-to-server transfers, backend integrations, and offline data flows are outside this observation boundary.

BLACKOUT observes runtime behavior and cites the regulations that address that behavior pattern. Legal determinations are the customer's counsel's call.

How This Briefing Works

This dossier opens with key findings, then maps the gap between what Connexity discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection evidence underneath. BLACKOUT observes runtime browser behavior and cites the regulations that address each pattern — legal determinations are your counsel's call.

Key Findings

At a Glance

Detections
2

across 1 sites

Pre-Consent Rate
100%

vendor fires before consent

Disclosure Gaps
3

1 HIGH

Claims-vs-Reality Classified
BTI-X01BTI-X02BTI-X10
Summary

Briefing

Connexity is a retail performance marketing platform acquired by Taboola in 2021, generating $5B in annual sales for retailers through affiliate marketing and comparison shopping. The company explicitly admits to selling personal data including identifiers, commercial information, geolocation, and behavioral inferences to advertising networks. While they demonstrate unusual transparency about data sales, their consent management shows significant gaps: the CMP advertises 9 third parties while BLACKOUT detected 24 distinct vendors, with GoogleAnalytics4 and LinkedIn firing pre-consent. Organizations using Connexity should understand they are participating in a data-selling ecosystem with incomplete consent disclosure.

Customer Impact

What This Means For You

YOUR retail performance data processed through Connexity feeds into a platform that explicitly sells personal information to advertising networks and marketing companies. YOUR customers' purchase records and browsing behavior may be sold to competitors via Connexity's disclosed data sales practices. YOUR CMP configuration for Connexity likely covers only 9 vendors while 24 operate at runtime — YOUR consent mechanism is incomplete. As a Taboola subsidiary, YOUR retail data exists within a native advertising conglomerate with cross-platform targeting capabilities.

Collapse Engine

Risk Channel Breakdown

Oracle
Truth Collapse
25

Connexity operates as an affiliate marketing intermediary, meaning conversion attribution is shared across their network. Their multi-touch attribution model and data sharing with advertising networks creates measurement uncertainty - you cannot isolate Connexity performance from their data syndication partners.

Broker
Control Collapse
100

Connexity explicitly sells identifiers, commercial information, and behavioral inferences to advertising networks and marketing companies. This includes purchase records and browsing behavior that could reveal your demand signals to competitors who also participate in their network.

Reaper
Safety Collapse
0

As a Taboola subsidiary, Connexity integrates into a large content recommendation and advertising ecosystem. Their extensive third-party vendor network (24 detected) expands attack surface through script injection points and data hand-offs to partners like HGinsights, TrenDemon, and Versium.

Counselor
Legitimacy Collapse
100

The CMP/consent disclosure gap (9 stated vs 24 detected) creates GDPR Article 7 consent validity issues. Pre-consent firing of GoogleAnalytics4 and LinkedIn violates ePrivacy Directive. Their honest data sale disclosure helps transparency but undisclosed subprocessors undermine GDPR Article 28 processor documentation requirements.

BTI Codes

Threat Indicators

Runtime-observed (BTI-C)

BTI-C01
Defeat Device

Evasion infrastructure, auditor bypass

BTI-C06
Behavioral Biometrics

Keystroke/mouse tracking

BTI-C07
Session Recording

Full session replay

BTI-C09
Consent Bypass

Ignoring CMP signals

BTI-C10
Fingerprinting

Device identification

Claims-vs-Reality (BTI-X)

BTI-X01
Undisclosed Party

Not in privacy policy

BTI-X02
Undisclosed Sharing

Hidden data recipients

BTI-X10
CMP Disclosure Mismatch

CMP vendor list vs runtime

3
BTI Consequences Identified

Per-code narrative explanations of what each detected behavior means for your organization

Available in VIDB Subscription

Per-code evidence with full attribution chain, severity rankings, and consequence narratives See pricing →

Disclosure Gaps

Claims vs. Reality

3
Gaps Observed
1 HIGH2 MEDIUM

BLACKOUT analyzed Connexity's public claims against observed runtime behavior and identified 3 contradictions.

BTI-X01BTI-X02BTI-X10
Featured Gap
Consent Disclosure
HIGH
They Claim

"CMP states 9 third parties for user consent choice"

BLACKOUT Observed

24 distinct third-party vendors detected on connexity.com

2 more gaps — with regulatory citations and evidence pointers — available with subscription.

Available in VIDB Subscription

Full claim-vs-reality gap analysis with claim text, observed behavior, severity, regulatory citations (GDPR, CCPA, ePrivacy), and evidence pointers per gap See pricing →

Recommended Actions

What To Do

Recommended Actions
8

4 for current users · 4 for evaluators

Negotiation Leverage
4

contractual leverage points

Available in VIDB Subscription

Role-specific actions (security / legal / marketing / procurement), full negotiation brief with contractual language, and BTI-code-specific consequences See pricing →

Ecosystem

Supply Chain & Pairings

Subprocessor Disclosure Gap
1undisclosed

Claims 3, observed 4

Available in VIDB Subscription

Full supply-chain mapping (loads / loaded-by lists with vendor identities) and the undisclosed-subprocessor list with observation evidence See pricing →

Profile: connexityFirst Seen: 2026-01-22Last Updated: 2026-02-24