Didomi

Didomi is an enterprise consent management platform that has evolved from a privacy compliance tool into a consent optimization engine — A/B testing banner designs to maximize consent rates, generating consent strings that feed hundreds of ad-tech vendors, and monetizing consent analytics as a core product feature. The consent gatekeeper is incentivized to open the gate.

16 IOCs | Vendor Risk Score: 0

How This Briefing Works

This report opens with key findings, then maps the gaps between what Didomi discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

Analysis pending. Findings will appear here once intelligence collection is complete.

Disclosure Gaps

Claims vs. Observed Behavior

4 gaps

[pending | severity: UNKNOWN]
They claim: Awaiting scanner verification
Observed behavior: No scanner data available for Didomi runtime behavior

[identity | severity: HIGH]
They claim: Consent stored as first-party cookies only
Observed behavior: Didomi acknowledges IDs function as device identifiers linking multiple users to single end users

[incentive_alignment | severity: HIGH]
They claim: Privacy-first consent management
Observed behavior: A/B testing of banners and marketing of 90% consent rates reveal optimization for consent manufacturing

[signal_propagation | severity: HIGH]
They claim: User-controlled preferences
Observed behavior: Consent strings shared with up to 100 Google ATP vendors per ad request plus all TCF vendors

Customer Impact

What This Means For You

Organizations deploying Didomi face a fundamental alignment problem: their consent infrastructure provider is incentivized to maximize consent rates for advertising purposes. Didomi's A/B testing and consent optimization features create pressure to tune banners for higher opt-in rates rather than clearer disclosure — a dynamic regulators are increasingly scrutinizing. TCF consent strings generated by Didomi propagate to hundreds of ad-tech vendors, meaning every consent interaction creates downstream data distribution that the deploying organization may not fully inventory. The device-level identifiers stored by Didomi's SDK (didomi_token, DCS) persist across sessions and survive cookie clearing via localStorage, creating identity tracking infrastructure embedded in what organizations procure as a privacy tool. For regulated industries, the gap between "consent management" and "consent optimization for ad revenue" creates material compliance risk under GDPR's requirement for freely given, informed consent.

Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

Recommended Actions for Didomi

  1. Audit Didomi consent string propagation: map every vendor receiving TCF and Google ATP consent signals from your implementation and verify each has a legal basis for receiving user data.
  2. Disable or restrict A/B testing of consent banners — regulators view consent rate optimization as evidence of manipulative design patterns (dark patterns).
  3. Inspect Didomi's localStorage and cookie footprint: inventory all identifiers set by the SDK and assess whether device-level tracking aligns with your privacy policy disclosures.
  4. Review Didomi's benchmark report methodology: determine whether your organization's consent data is included in aggregated analytics products and whether your DPA covers this use.
  5. Evaluate consent string scope: reduce the number of TCF vendors and Google ATP vendors receiving consent signals to the minimum required for your actual ad-tech partnerships.
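The propagation audit in items 1 and 5 needs the two consent payloads decoded: the TCF v2 TC string (the vendor consent bitfield in its core segment) and Google's addtl_consent string listing ATP vendors. The following is an added example, not Didomi's SDK code; the field layout follows the IAB TCF v2 core-segment and Google Additional Consent string formats, the encoder exists only to build a constructed test input, and the allowlists are assumed values you would fill from your own vendor contracts.

```python
import base64

def tcf_vendor_consents(tc_string):
    """Decode the TC string core segment (TCF v2 field layout) into the CMP id,
    vendor-list version and the purpose / vendor IDs the string grants consent for."""
    seg = tc_string.split(".")[0]                                  # core segment only
    raw = base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))   # base64url, no padding
    bits, pos = "".join(f"{b:08b}" for b in raw), 0
    def take(n):
        nonlocal pos
        pos += n
        return int(bits[pos - n:pos], 2)
    version, _, _, cmp_id = take(6), take(36), take(36), take(12)   # created/lastUpdated skipped
    _, _, _, gvl = take(12), take(6), take(12), take(12)             # cmpVersion, screen, language
    _ = take(6), take(1), take(1), take(12)                          # policy, serviceSpecific, stacks, specialFeatures
    purposes = {i + 1 for i in range(24) if take(1)}                 # purposesConsent bitfield
    _ = take(24), take(1), take(12)                                  # purposesLI, purposeOneTreatment, publisherCC
    max_vendor, vendors = take(16), set()
    if take(1):                                                      # isRangeEncoding: list of ranges
        for _ in range(take(12)):
            is_range, start = take(1), take(16)
            vendors.update(range(start, (take(16) if is_range else start) + 1))
    else:                                                            # bitfield: one bit per vendor ID
        vendors = {i + 1 for i in range(max_vendor) if take(1)}
    return {"version": version, "cmpId": cmp_id, "gvl": gvl, "purposes": purposes, "vendors": vendors}

def encode_core(cmp_id, gvl, purposes, vendors):
    """Build a core segment with bitfield vendor encoding (constructed test input,
    not a Didomi-issued string); timestamps, language and country are zeroed."""
    f = lambda v, n: format(v, f"0{n}b")
    max_v = max(vendors)
    bits = (f(2, 6) + f(0, 72) + f(cmp_id, 12) + f(1, 12) + f(0, 18) + f(gvl, 12)
            + f(2, 6) + "10" + f(0, 12) + "".join("1" if p in purposes else "0" for p in range(1, 25))
            + f(0, 24) + "0" + f(0, 12) + f(max_v, 16) + "0"
            + "".join("1" if v in vendors else "0" for v in range(1, max_v + 1)))
    bits += "0" * (-len(bits) % 8)
    raw = int(bits, 2).to_bytes(len(bits) // 8, "big")
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def atp_vendors(addtl_consent):
    """Google Additional Consent string: '<ver>~<id>.<id>...' plus, in version 2, an
    optional '~dv.<id>...' disclosed-vendors section; only the consented IDs count."""
    parts = addtl_consent.split("~")
    return {int(v) for v in parts[1].split(".") if v} if len(parts) > 1 else set()

def unexpected_recipients(tc_string, addtl_consent, tcf_allow, atp_allow):
    """Vendor IDs receiving a consent signal that are not on your contracted allowlists."""
    return {"tcf": sorted(tcf_vendor_consents(tc_string)["vendors"] - set(tcf_allow)),
            "atp": sorted(atp_vendors(addtl_consent) - set(atp_allow))}
```

Feed it the live values (the TC string from the CMP's TCF API, addtl_consent from the same source) and every ID in the result is a recipient your inventory does not cover.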

Negotiation Leverage

  • Didomi's negotiation pressure points center on the consent optimization conflict of interest.
  • Demand a written commitment that A/B testing data from your implementation is not included in Didomi's aggregated benchmark reports or consent intelligence products.
  • Require contractual limits on the number of TCF and ATP vendors receiving consent strings from your properties — the current cap of 100 ATP vendors per ad request suggests unconstrained vendor proliferation is the default.
  • Challenge the device-level identifier architecture: if didomi_token functions as a device ID per Didomi's own documentation, this should be disclosed as tracking technology in your privacy policy, creating an additional compliance burden that Didomi should help mitigate.
  • Use Didomi's "90% consent rate" marketing against them in regulatory contexts — if your data protection authority (DPA) reviews this claim, it raises questions about whether consent collected through Didomi's optimized banners meets the "freely given" standard under GDPR Article 7.
  • Negotiate for Basic Consent Mode (tags blocked until consent) rather than Advanced Mode defaults.

IOC Manifest

16 INDICATORS

Indicators of compromise across 5 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

  • TRACK  *metrics.didomi.io/vt251nfse7v1ar9.js*  (Tracking script)
  • TRACK  *metrics.didomi.io/la883joxqptr53f.js*  (Tracking script)
  • TRACK  metrics.didomi.io/vt251nfse7v1ar9.js  (Auto-extracted from scan)
  • TRACK  metrics.didomi.io/la883joxqptr53f.js  (Auto-extracted from scan)


Ecosystem & Supply Chain

Didomi sits at the center of the consent-to-advertising pipeline. Primary integrations: IAB TCF v2.2 (consent string generation for hundreds of registered vendors), Google Consent Mode v2 (consent signals to Google Ads, GA4, Tag Manager), Google Additional Consent Mode (addtl_consent parameter for non-TCF Google Ad Tech Providers), Google Ad Manager/AdSense/AdMob (ad serving gated on consent status). The platform offers SDKs for Web, iOS, Android, AMP, React, React Native, and CTV. Preference management centers integrate with CRM and marketing automation systems. AWS Marketplace distribution extends enterprise reach. Didomi's benchmark reports aggregate consent data across 1,500+ customers spanning media, e-commerce, gaming, and financial services, creating a consent intelligence network that maps global privacy preference patterns.

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

16 detection signatures across scripts, domains, cookies, and network endpoints
