How This Briefing Works
This dossier opens with key findings, then maps the gap between what Connexity discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection evidence underneath. BLACKOUT observes runtime browser behavior and cites the regulations that address each pattern — legal determinations are your counsel's call.
At a Glance
across 1 sites
vendor fires before consent
1 HIGH
Briefing
Connexity is a retail performance marketing platform acquired by Taboola in 2021, generating $5B in annual sales for retailers through affiliate marketing and comparison shopping. The company explicitly admits to selling personal data including identifiers, commercial information, geolocation, and behavioral inferences to advertising networks. While they demonstrate unusual transparency about data sales, their consent management shows significant gaps: the CMP advertises 9 third parties while BLACKOUT detected 24 distinct vendors, with GoogleAnalytics4 and LinkedIn firing pre-consent. Organizations using Connexity should understand they are participating in a data-selling ecosystem with incomplete consent disclosure.
What This Means For You
YOUR retail performance data processed through Connexity feeds into a platform that explicitly sells personal information to advertising networks and marketing companies. YOUR customers' purchase records and browsing behavior may be sold to competitors via Connexity's disclosed data sales practices. YOUR CMP configuration for Connexity likely covers only 9 vendors while 24 operate at runtime — YOUR consent mechanism is incomplete. As a Taboola subsidiary, YOUR retail data exists within a native advertising conglomerate with cross-platform targeting capabilities.
Risk Channel Breakdown
Connexity operates as an affiliate marketing intermediary, meaning conversion attribution is shared across their network. Their multi-touch attribution model and data sharing with advertising networks creates measurement uncertainty - you cannot isolate Connexity performance from their data syndication partners.
Connexity explicitly sells identifiers, commercial information, and behavioral inferences to advertising networks and marketing companies. This includes purchase records and browsing behavior that could reveal your demand signals to competitors who also participate in their network.
As a Taboola subsidiary, Connexity integrates into a large content recommendation and advertising ecosystem. Their extensive third-party vendor network (24 detected) expands attack surface through script injection points and data hand-offs to partners like HGinsights, TrenDemon, and Versium.
The CMP/consent disclosure gap (9 stated vs 24 detected) creates GDPR Article 7 consent validity issues. Pre-consent firing of GoogleAnalytics4 and LinkedIn violates ePrivacy Directive. Their honest data sale disclosure helps transparency but undisclosed subprocessors undermine GDPR Article 28 processor documentation requirements.
Threat Indicators
Runtime-observed (BTI-C)
Evasion infrastructure, auditor bypass
Keystroke/mouse tracking
Full session replay
Ignoring CMP signals
Device identification
Claims-vs-Reality (BTI-X)
Not in privacy policy
Hidden data recipients
CMP vendor list vs runtime
Per-code narrative explanations of what each detected behavior means for your organization
Per-code evidence with full attribution chain, severity rankings, and consequence narratives See pricing →
Claims vs. Reality
BLACKOUT analyzed Connexity's public claims against observed runtime behavior and identified 3 contradictions.
"CMP states 9 third parties for user consent choice"
24 distinct third-party vendors detected on connexity.com
2 more gaps — with regulatory citations and evidence pointers — available with subscription.
Full claim-vs-reality gap analysis with claim text, observed behavior, severity, regulatory citations (GDPR, CCPA, ePrivacy), and evidence pointers per gap See pricing →
What To Do
4 for current users · 4 for evaluators
contractual leverage points
Role-specific actions (security / legal / marketing / procurement), full negotiation brief with contractual language, and BTI-code-specific consequences See pricing →
Supply Chain & Pairings
Claims 3, observed 4
Full supply-chain mapping (loads / loaded-by lists with vendor identities) and the undisclosed-subprocessor list with observation evidence See pricing →