How This Briefing Works
This report opens with key findings, then maps the gaps between what Criteo discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Pre-Consent Activity
Criteo was observed loading and executing before user consent was obtained in 83.3% of the 66 detections where it was found.
Consent Compliance
83.3% pre-consent tracking rate across 66 detections
Undisclosed Sharing
Hidden data recipients
Compliance Claim Mismatch
False certification claims
Scope Creep
Collection exceeds disclosed scope
Claims vs. Observed Behavior
Consent Compliance
“GDPR compliant, IAB TCF member #91”
83.3% pre-consent tracking rate across 66 detections
Runtime analysis shows Criteo firing before any consent-banner interaction on the majority of page loads
Identity Resolution
“Does not use any data that allows us to identify you directly”
Partners with LiveRamp, ID5, and Tapad for identity resolution; processes hashed emails
Our Partners page lists 9+ identity matching vendors; CCPA policy confirms hashed email collection
Data Sale Transparency
“Participates in self-regulatory frameworks”
Explicitly admits selling and sharing personal information under CCPA
CCPA policy states: "we have shared, and/or sold, the above mentioned categories of personal information"
Subprocessor Disclosure
“Our Partners lists advertising partners”
Corporate site uses undisclosed vendors (ZoomInfo, Demandbase, Cheq) for own operations
Runtime scan of criteo.com shows 70+ vendors, many not in disclosure list
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use Criteo
- Audit your consent implementation: verify that Criteo fires ONLY after consent, given the 83.3% pre-consent rate observed across detections
- Update your privacy policy to disclose data sale under CCPA: Criteo explicitly admits to selling personal information
- Review your DPA for identity resolution scope: confirm that hashed email handling and the LiveRamp/ID5/Tapad partnerships align with your privacy commitments
- Implement a server-side Criteo integration to reduce client-side exposure and gain more control over data flows
- Monitor attribution claims: Criteo's self-reported conversions should be cross-validated against independent analytics
If You're Evaluating Criteo
- Request IAB TCF consent-string handling documentation and verify the integration with your CMP before deployment
- Understand the Shopper Graph data pooling model: your customer signals feed predictions for all 17,000+ clients, including potential competitors
- Clarify identity resolution partner data access, specifically LiveRamp, ID5, and Tapad involvement on your property
- Evaluate privacy-preserving alternatives: server-side retargeting and first-party data solutions avoid the pre-consent exposure
- Factor in joint regulatory liability: partnering with a vendor that admits to data sale under CCPA and fires pre-consent in 83.3% of observed detections creates significant GDPR and CCPA exposure
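The two checks a deploying or evaluating team actually needs, verifying that no Criteo request fires before the CMP's consent event and that the TC string the CMP issues grants Criteo's GVL ID, as an added example that is not BLACKOUT's or Criteo's code. It assumes a request log of `{url, ts}` objects (ms since navigation start), a `consentAt` timestamp for the consent event, Criteo traffic identified by the `criteo.com` and `criteo.net` suffixes, and vendor ID 91 from the page's "IAB TCF member #91" claim. The TC string in the sample is built by a fixture encoder that emits only the TCF v2 core fields through the vendor consent bitfield; the hostnames and timestamps are constructed, not captured traffic.

```javascript
// Added example (not BLACKOUT or Criteo code): pre-consent audit over a captured
// request log plus a TCF v2 consent-string check for the vendor's GVL ID.
// Assumptions: requests are {url, ts} with ts in ms since navigation start;
// consentAt is the ms timestamp of the CMP consent event (null = never given);
// Criteo traffic is anything under criteo.com / criteo.net.

const CRITEO_HOST_SUFFIXES = ["criteo.com", "criteo.net"];
const CRITEO_GVL_ID = 91; // "IAB TCF member #91" as stated on the page

function isVendorHost(hostname, suffixes = CRITEO_HOST_SUFFIXES) {
  const h = hostname.toLowerCase();
  return suffixes.some((s) => h === s || h.endsWith("." + s));
}

// Count vendor requests that fired before the consent event.
function preConsentReport(requests, consentAt, suffixes = CRITEO_HOST_SUFFIXES) {
  const preUrls = [];
  let total = 0;
  for (const r of requests) {
    if (!isVendorHost(new URL(r.url).hostname, suffixes)) continue;
    total += 1;
    if (consentAt === null || r.ts < consentAt) preUrls.push(r.url);
  }
  return { total, pre: preUrls.length, rate: total ? preUrls.length / total : 0, preUrls };
}

// --- TCF v2 core segment: minimal bit reader for the vendor consent section ---
const B64URL = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
const VENDOR_CONSENT_OFFSET = 213; // total width of the fixed core fields before MaxVendorId

function toBits(segment) {
  let bits = "";
  for (const ch of segment) {
    const v = B64URL.indexOf(ch);
    if (v < 0) throw new Error("invalid base64url character: " + ch);
    bits += v.toString(2).padStart(6, "0");
  }
  return bits;
}
const readInt = (bits, off, len) => parseInt(bits.slice(off, off + len), 2);

// True if the core segment's vendor consent section grants vendorId
// (handles both bitfield and range encoding).
function vendorConsent(tcString, vendorId) {
  const bits = toBits(tcString.split(".")[0]); // core segment only
  if (readInt(bits, 0, 6) !== 2) throw new Error("only TCF v2 strings are handled");
  let pos = VENDOR_CONSENT_OFFSET;
  const maxVendorId = readInt(bits, pos, 16); pos += 16;
  const isRange = readInt(bits, pos, 1); pos += 1;
  if (vendorId < 1 || vendorId > maxVendorId) return false;
  if (!isRange) return bits[pos + vendorId - 1] === "1";
  const numEntries = readInt(bits, pos, 12); pos += 12;
  for (let i = 0; i < numEntries; i++) {
    const isARange = readInt(bits, pos, 1); pos += 1;
    const start = readInt(bits, pos, 16); pos += 16;
    let end = start;
    if (isARange) { end = readInt(bits, pos, 16); pos += 16; }
    if (vendorId >= start && vendorId <= end) return true;
  }
  return false;
}

// Constructed fixture builder: emits the core fields through the vendor consent
// bitfield. A real CMP-issued string continues with further sections.
function buildCoreSegment(consentedVendorIds, maxVendorId) {
  let bits = "";
  const put = (v, len) => { bits += v.toString(2).padStart(len, "0"); };
  put(2, 6);                          // Version
  put(0, 36); put(0, 36);             // Created, LastUpdated (zeroed in this fixture)
  put(0, 12); put(0, 12); put(0, 6);  // CmpId, CmpVersion, ConsentScreen
  put(4, 6); put(13, 6);              // ConsentLanguage "EN" (6 bits per letter, A = 0)
  put(0, 12); put(2, 6);              // VendorListVersion, TcfPolicyVersion
  put(1, 1); put(0, 1);               // IsServiceSpecific, UseNonStandardStacks
  put(0, 12); put(0, 24); put(0, 24); // SpecialFeatureOptIns, PurposesConsent, PurposesLITransparency
  put(0, 1); put(0, 12);              // PurposeOneTreatment, PublisherCC
  put(maxVendorId, 16); put(0, 1);    // MaxVendorId, IsRangeEncoding = 0 (bitfield)
  for (let id = 1; id <= maxVendorId; id++) bits += consentedVendorIds.has(id) ? "1" : "0";
  while (bits.length % 6) bits += "0";
  let out = "";
  for (let i = 0; i < bits.length; i += 6) out += B64URL[readInt(bits, i, 6)];
  return out;
}

// Verdict for one property: no pre-consent traffic, and any post-consent traffic
// is covered by an explicit vendor consent bit.
function auditVendor(requests, consentAt, tcString, vendorId = CRITEO_GVL_ID) {
  const report = preConsentReport(requests, consentAt);
  const granted = tcString ? vendorConsent(tcString, vendorId) : false;
  return { ...report, vendorConsented: granted, compliant: report.pre === 0 && (report.total === 0 || granted) };
}

// Constructed sample log (not captured traffic): three Criteo requests, consent at 2500 ms.
const SAMPLE_REQUESTS = [
  { url: "https://example.com/app.js", ts: 300 },
  { url: "https://cdn.criteo.net/loader.js", ts: 420 },
  { url: "https://sync.criteo.com/match", ts: 610 },
  { url: "https://bidder.criteo.com/bid", ts: 2900 },
];
const SAMPLE_CONSENT_AT = 2500;
const SAMPLE_TC = buildCoreSegment(new Set([CRITEO_GVL_ID, 755]), 800);

console.log(JSON.stringify(auditVendor(SAMPLE_REQUESTS, SAMPLE_CONSENT_AT, SAMPLE_TC)));
```

In a live audit the request log comes from a headless browser session that never touches the banner, and the TC string from the CMP via `__tcfapi('getTCData', 2, cb)`; the sample run reports two of three Criteo requests before consent and a non-compliant verdict even though vendor 91 is granted, which is exactly the pattern the 83.3% figure above describes.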
Negotiation Leverage
- Pre-consent SLA: 83.3% of Criteo detections fire before consent. Require a contractual guarantee of 0% pre-consent activity on your property, with liquidated damages per violation, and mandate server-side integration to reduce client-side exposure.
- Data sale limitation: Criteo explicitly admits selling personal information under CCPA. Require a contractual prohibition on selling data derived from your visitors, with quarterly audit rights to verify compliance.
- Shopper Graph isolation: Criteo pools customer signals across 17,000+ clients. Require contractual data isolation ensuring your visitor behavioral data is not used to enrich competitor campaigns or feed cross-client prediction models.
- Identity resolution disclosure: Criteo partners with LiveRamp, ID5, and Tapad for cross-device tracking. Require complete enumeration of the identity resolution data flows triggered by their pixel on your property, with the right to opt out of specific partners.
- Attribution verification: Criteo's self-reported conversions may inflate their contribution. Require a contractual right to independent attribution verification and access to raw conversion data for cross-validation against your analytics.
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks: each behavior listed below was triggered by something we watched this vendor's code actually do.
Evasion infrastructure, auditor bypass
Keystroke/mouse tracking
Full session replay
Identity stitching
Ignoring CMP signals
Device identification
Long-lived identifiers
PII deanonymization
Container/loader (neutral)
IOC Manifest
Indicators of compromise across 5 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
Complete network capture with all requests and responses
153 detection signatures across scripts, domains, cookies, and network endpoints