How This Briefing Works
This dossier opens with key findings, then maps the gap between what Criteo discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection evidence underneath. BLACKOUT observes runtime browser behavior and cites the regulations that address each pattern — legal determinations are your counsel's call.
At a Glance
across 3 sites
vendor fires before consent
1 HIGH
Briefing
Criteo is a Paris-based public company (NASDAQ: CRTO) operating one of the largest retargeting and commerce media platforms globally, processing 5+ billion ads daily across 17,000+ customers. While Criteo maintains robust privacy documentation and participates in industry self-regulatory frameworks (IAB TCF #91, DAA, NAI), runtime analysis reveals significant gaps between stated practices and observed behavior. Most critically, 83.3% of Criteo detections occur pre-consent, directly contradicting their GDPR/CCPA compliance claims. Their privacy policy claims no direct identification, yet they explicitly partner with identity resolution vendors (Liveramp, ID5, Tapad) and process hashed emails for cross-device tracking. Organizations using Criteo face dual exposure: regulatory risk from pre-consent tracking patterns, and data leakage through an extensive network of 100+ disclosed advertising partners.
What This Means For You
If Criteo retargeting is deployed on your site, your visitors' behavioral data flows to 100+ disclosed advertising partners including SSPs, DSPs, and identity resolution vendors. Under CCPA §1798.115, you must disclose this data sharing — Criteo explicitly admits to selling personal information. The 83.3% pre-consent rate means the majority of Criteo tracking fires before users consent, creating GDPR Art 7 liability for you as the site operator. Criteo's "Shopper Graph" pools customer signals across all 17,000+ clients, meaning your high-intent visitor data feeds predictions that benefit competitors on the same platform. Their identity resolution partnerships with Liveramp, ID5, and Tapad enable cross-device tracking that extends far beyond your property.
Risk Channel Breakdown
Criteo operates a massive Shopper Graph analyzing 720M daily active users and 4.5B product SKUs. Their commerce AI correlates browsing patterns, purchase intent, and cross-device behavior to optimize ad placement. This creates attribution pollution: when Criteo claims credit for conversions, organizations cannot distinguish organic demand from Criteo-influenced behavior. The 17,000+ advertiser network means your customer intent data feeds into predictions benefiting competitors in the same verticals.
Criteo explicitly admits to selling and sharing personal information under CCPA. Their 100+ disclosed partners include SSPs, DSPs, data platforms, and identity resolution vendors. When Criteo fires on a prospect page, that demand signal flows to Google, Meta, Microsoft, Taboola, Outbrain, and dozens of others. Your high-intent visitors become retargeting fodder across the entire programmatic ecosystem. The cross-device linking (via Liveramp, ID5, Tapad partnerships) means this exposure persists across devices and sessions.
Criteo deploys extensive JavaScript on client sites for retargeting pixel functionality. Their technology collects browsing events, product views, cart contents, and purchase data. This creates supply chain risk: any compromise of Criteo infrastructure exposes client customer data. The 83.3% pre-consent firing rate suggests permissive deployment patterns that may not respect site-specific consent configurations, expanding attack surface beyond intended scope.
The gap between Criteo stated compliance (GDPR, CCPA, IAB TCF) and observed 83.3% pre-consent tracking rate creates direct regulatory exposure. Their CCPA policy explicitly acknowledges data sales, requiring proper disclosure to California consumers. The claim of no direct identification while partnering with identity resolution vendors creates material misrepresentation risk. Organizations deploying Criteo inherit these disclosure obligations and gaps.
Threat Indicators
Runtime-observed (BTI-C)
Evasion infrastructure, auditor bypass
Keystroke/mouse tracking
Full session replay
Identity stitching
Ignoring CMP signals
Device identification
Long-lived identifiers
PII deanonymization
Container/loader (neutral)
Claims-vs-Reality (BTI-X)
Hidden data recipients
False certification claims
Collection exceeds disclosed scope
Security claims vs evidence
Per-code narrative explanations of what each detected behavior means for your organization
Per-code evidence with full attribution chain, severity rankings, and consequence narratives See pricing →
Claims vs. Reality
BLACKOUT analyzed Criteo's public claims against observed runtime behavior and identified 4 contradictions.
"GDPR compliant, IAB TCF member #91"
83.3% pre-consent tracking rate across 66 detections
3 more gaps — with regulatory citations and evidence pointers — available with subscription.
Full claim-vs-reality gap analysis with claim text, observed behavior, severity, regulatory citations (GDPR, CCPA, ePrivacy), and evidence pointers per gap See pricing →
What To Do
5 for current users · 5 for evaluators
contractual leverage points
Role-specific actions (security / legal / marketing / procurement), full negotiation brief with contractual language, and BTI-code-specific consequences See pricing →
Supply Chain & Pairings
Claims 20, observed 22
Full supply-chain mapping (loads / loaded-by lists with vendor identities) and the undisclosed-subprocessor list with observation evidence See pricing →