All Vendors
cmp
CookieYes

CookieYes

CookieYes, a consent management platform trusted to enforce privacy compliance, fires 55.6% of its own vendors pre-consent across 26 monitored sites — including DoubleClick, Google Ads, and Bing Ads advertising platforms on its own website.

128 IOCs37 detections57% pre-consent27 sites
80
Vendor Risk Score

How This Briefing Works

This report opens with key findings, then maps the gaps between what CookieYes discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

Key Findings

37 detections across 27 sites57% pre-consent activity1 critical disclosure gap
CRITICAL

Pre-Consent Tracking

55.6% pre-consent tracking rate across monitored sites. 5 vendors loading pre-consent on own website

GDPR Article 7 - Consent RequirementsGDPR Recital 32 - Prior ConsentCCPA 1798.120 - Opt-Out Rights
CRITICAL

Pre-Consent Activity

CookieYes was observed loading and executing before user consent was obtained on 57% of sites where it was detected.

GDPRePrivacy
HIGH

Undisclosed Vendors

8+ vendors on website not in subprocessor list including Clarity, DoubleClick, Google Ads, Hotjar, Bing Ads, TrenDemon, Pubrio, Ahrefs

GDPR Article 13 - Information to be ProvidedGDPR Article 28 - Processor Requirements
HIGH

Advertising Data Flows

Google Workspace disclosed for productivity, but DoubleClick and Google Ads (advertising) undisclosed

GDPR Article 5(1)(a) - Transparency Principle
HIGH

Undisclosed Party

Not in privacy policy

Disclosure Gaps

Claims vs. Observed Behavior

3 gaps
1 CRIT2 HIGH
Classified:BTI-X01BTI-X02BTI-X04BTI-X05

Undisclosed Vendors

GDPR Article 13 - Information to be Provided · GDPR Article 28 - Processor RequirementsHIGH
They Claim

Transparent subprocessor disclosure

Observed Behavior

8+ vendors on website not in subprocessor list including Clarity, DoubleClick, Google Ads, Hotjar, Bing Ads, TrenDemon, Pubrio, Ahrefs

Comparison of /sub-processors-list/ content vs runtime detection on cookieyes.com

Advertising Data Flows

GDPR Article 5(1)(a) - Transparency PrincipleHIGH
They Claim

Subprocessors listed for specific purposes

Observed Behavior

Google Workspace disclosed for productivity, but DoubleClick and Google Ads (advertising) undisclosed

Runtime detection shows doubleclick.net and google-ads domains active on cookieyes.com

Customer Impact

What This Means For You

YOUR consent management is handled by a platform that cannot manage its own consent. YOUR visitors' consent choices are processed by CookieYes while CookieYes itself runs advertising platforms pre-consent on its own site. YOUR compliance posture depends entirely on CookieYes functioning correctly, yet their 55.6% pre-consent rate across monitored sites demonstrates systemic consent architecture failures. If YOUR CookieYes implementation mirrors their own site behavior, more than half YOUR vendors may fire before consent — turning YOUR CMP into compliance theater rather than actual protection.
Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use CookieYes

  • Audit your own site for pre-consent tracking — CookieYes may not be blocking vendors as expected given their 55.6% failure rate
  • Request their SOC2 report — they claim infrastructure certifications but not their own platform certification
  • Compare your detected vendors against the CookieYes-supposed-to-block list to verify actual enforcement
  • Implement server-side consent verification as a backstop — do not rely solely on CookieYes client-side blocking

If You're Evaluating CookieYes

  • Test CookieYes in staging and verify consent blocking actually works for all your vendors
  • Compare with OneTrust, Cookiebot, and Osano on their own site pre-consent behavior
  • Request documented evidence of consent blocking effectiveness, not just configuration capabilities
  • Verify CookieYes does not introduce its own tracking scripts on your properties

Negotiation Leverage

  • CMP credibility gap: A consent management platform with 55.6% pre-consent rate across monitored sites — use this to negotiate enhanced SLAs with consent blocking guarantees and financial penalties for failures
  • Advertising on a CMP: DoubleClick, Google Ads, and Bing Ads detected on cookieyes.com — a CMP running ad platforms pre-consent undermines the core product promise; leverage for price negotiations
  • Missing SOC2: CookieYes claims AWS and data center certifications but not their own SOC2 — require independent security audit documentation
  • 8 undisclosed vendors: Vendors on cookieyes.com not in subprocessor list — require complete vendor disclosure and verify CookieYes is not introducing undisclosed scripts on your properties
Runtime Detections

Runtime Detections

6 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C06Behavioral Biometrics

Keystroke/mouse tracking

BTI-C07Session Recording

Full session replay

BTI-C08Cross-Domain Sync

Identity stitching

BTI-C09Consent Bypass

Ignoring CMP signals

BTI-C14Identity Resolution

PII deanonymization

BTI-C15Tag Manager

Container/loader (neutral)

IOC Manifest

IOC Manifest

126 INDICATORS

Indicators of compromise across 5 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

TRACK
*www.cookieyes.com/wp-content/plugins/sitepress-multilingual-cms/templates/language-switchers/legacy-dropdown/script.js*
Tracking script
TRACK
*www.cookieyes.com/wp-content/plugins/mailin/js/mailin-front.js*
Tracking script
TRACK
*www.cookieyes.com/wp-includes/js/jquery/jquery.js*
Tracking script
TRACK
*www.cookieyes.com/wp-includes/js/jquery/jquery-migrate.js*
Tracking script
TRACK
*www.cookieyes.com/wp-content/themes/cookieyes-new/scan-page/scan.js*
Tracking script
TRACK
*www.cookieyes.com/wp-content/themes/cookieyes-new/assets/js/jquery.cookie.js*
Tracking script
TRACK
*www.cookieyes.com/wp-content/plugins/contact-form-7/modules/recaptcha/index.js*
Tracking script
TRACK
*www.cookieyes.com/wp-content/themes/cookieyes-new/assets/js/menu-script.js*
Tracking script
TRACK
*www.cookieyes.com/wp-content/themes/cookieyes-new/assets/js/scanner-adlp.js*
Tracking script
TRACK
*www.cookieyes.com/wp-content/plugins/add-search-to-menu/public/js/ivory-search.js*
Tracking script
TRACK
*www.cookieyes.com/wp-content/themes/cookieyes-new/assets/js/popper.js*
Tracking script
TRACK
*www.cookieyes.com/wp-content/themes/cookieyes-new/assets/js/custom-js.js*
Tracking script
TRACK
*www.cookieyes.com/wp-content/themes/cookieyes-new/assets/bootstrap/js/bootstrap.bundle.js*
Tracking script
TRACK
*www.cookieyes.com/wp-content/plugins/enlighter/cache/enlighterjs.js*
Tracking script
TRACK
*www.cookieyes.com/wp-includes/js/dist/vendor/wp-polyfill.js*
Tracking script
TRACK
*www.cookieyes.com/*
Tracking script
TRACK
cdn-cookieyes.com
Tracking script
TRACK
www.cookieyes.com/wp-content/plugins/sitepress-multilingual-cms/templates/language-switchers/legacy-dropdown/script.min.js
Auto-extracted from scan
TRACK
www.cookieyes.com/wp-includes/js/jquery/jquery.js
Auto-extracted from scan
TRACK
www.cookieyes.com/wp-includes/js/jquery/jquery-migrate.js
Auto-extracted from scan
TRACK
www.cookieyes.com/wp-content/themes/cookieyes-new/scan-page/scan.js
Auto-extracted from scan
TRACK
www.cookieyes.com/wp-content/plugins/mailin/js/mailin-front.js
Auto-extracted from scan
TRACK
www.cookieyes.com/wp-content/themes/cookieyes-new/assets/bootstrap/js/bootstrap.bundle.min.js
Auto-extracted from scan
TRACK
www.cookieyes.com/wp-content/themes/cookieyes-new/assets/js/popper.min.js
Auto-extracted from scan
TRACK
www.cookieyes.com/wp-content/themes/cookieyes-new/assets/js/custom-js.js
Auto-extracted from scan
TRACK
www.cookieyes.com/wp-content/themes/cookieyes-new/assets/js/menu-script.js
Auto-extracted from scan
TRACK
www.cookieyes.com/wp-content/themes/cookieyes-new/assets/js/scanner-adlp.js
Auto-extracted from scan
TRACK
www.cookieyes.com/wp-content/themes/cookieyes-new/assets/js/jquery.cookie.min.js
Auto-extracted from scan
TRACK
www.cookieyes.com/wp-includes/js/dist/vendor/wp-polyfill.js
Auto-extracted from scan
TRACK
www.cookieyes.com/wp-content/plugins/contact-form-7/modules/recaptcha/index.js
Auto-extracted from scan
TRACK
www.cookieyes.com/wp-content/plugins/enlighter/cache/enlighterjs.min.js
Auto-extracted from scan
TRACK
www.cookieyes.com/wp-content/plugins/add-search-to-menu/public/js/ivory-search.min.js
Auto-extracted from scan
TRACK
www.cookieyes.com/
Auto-extracted from scan
Ecosystem

Ecosystem & Supply Chain

CookieYes operates as infrastructure in the consent management layer, positioning between websites and their visitors to collect and manage consent signals. They claim 1.5M+ business customers including Decathlon, KFC, Dominos, Heineken, Forbes, Toyota, and Renault. As a Google-certified CMP partner with IAB TCF v2.2 certification, they are embedded in the advertising consent supply chain. Their WordPress plugin origin means deep penetration in the SMB market. CookieYes is loaded by site owners (direct relationship) and controls what other vendors can execute based on consent state. The irony is that their own website deploys the exact tracking patterns their product claims to control for customers.
Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

128 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details