All Vendors
advertising

DoubleClick

Google's ad serving backbone fires across 243 monitored sites with a 52% pre-consent rate, triggering 7 distinct BTI behavioral codes including cross-domain identity stitching and consent bypass.

10 IOCs362 detections52% pre-consent243 sites
85
Vendor Risk Score

How This Briefing Works

This report opens with key findings, then maps the gaps between what DoubleClick discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

Key Findings

362 detections across 243 sites52% pre-consent activity
CRITICAL

Pre-Consent Activity

DoubleClick was observed loading and executing before user consent was obtained on 52% of sites where it was detected.

GDPRePrivacy
HIGH

Pending Analysis

7 BTI behavioral codes detected across 362 observations on 243 sites. Full claims extraction required for gap analysis.

Disclosure Gaps

Claims vs. Observed Behavior

1 gaps
1 HIGH

Pending Analysis

HIGH
They Claim

Claims analysis pending

Observed Behavior

7 BTI behavioral codes detected across 362 observations on 243 sites. Full claims extraction required for gap analysis.

Customer Impact

What This Means For You

If DoubleClick is running on your site, your visitors' behavioral data flows into Google's advertising ecosystem where it becomes available to any advertiser — including your direct competitors. The 52% pre-consent firing rate means your site likely violates ePrivacy requirements regardless of your CMP configuration. With 7 BTI-C codes triggered, you face compounding regulatory exposure: GDPR fines for unlawful cross-domain data sharing, ePrivacy penalties for pre-consent tracking, and potential CCPA violations for undisclosed sale of personal information. Your privacy policy almost certainly does not disclose the full scope of identity stitching and cross-domain synchronization occurring through DoubleClick.
Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use DoubleClick

  • Audit your Google Ad Manager configuration against your stated privacy policy — verify every data flow is disclosed
  • Implement server-side consent gating that blocks DoubleClick requests until affirmative consent is recorded
  • Review Google's Data Processing Terms and verify your DPA covers all observed data flows including cross-domain sync
  • Monitor pre-consent network requests to confirm DoubleClick respects your CMP signals after configuration changes

If You're Evaluating DoubleClick

  • Request Google's data processing impact assessment for DoubleClick on your specific property
  • Assess whether header bidding alternatives could reduce dependency on Google's ad infrastructure
  • Evaluate the revenue impact of blocking DoubleClick pre-consent versus the regulatory exposure of allowing it
  • Consider privacy-preserving ad alternatives that do not require cross-domain identity stitching

Negotiation Leverage

  • 362 detections across 243 sites with 52% pre-consent rate — this is systematic, not incidental
  • 7 BTI behavioral codes triggered including defeat device (C01) and consent bypass (C09) — suggests active circumvention of consent controls
  • Cross-domain sync (C08) + identity resolution (C14) means Google is building audience profiles from your traffic and selling access to competitors
  • Maximum legal tail risk score (100) — ePrivacy pre-consent violations create per-instance liability for the site operator
  • Google's standard DPA does not cover several observed data flows — contractual gap creates uninsured exposure
Runtime Detections

Runtime Detections

7 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C01Defeat Device

Evasion infrastructure, auditor bypass

Impact: DoubleClick deploys evasion infrastructure that can alter behavior during audits or consent checks, making compliance verification unreliable and creating a gap between observed and actual data collection.

BTI-C06Behavioral Biometrics

Keystroke/mouse tracking

Impact: Behavioral tracking capabilities feed into Google's interest-based advertising profiles. Mouse movement and interaction patterns collected on your site become targeting data available to any Google Ads buyer.

BTI-C08Cross-Domain Sync

Identity stitching

Impact: Identity stitching across Google's ad network means a visitor on your site is matched to their activity across millions of other DoubleClick-enabled properties. Your site becomes one node in Google's cross-domain surveillance graph.

BTI-C09Consent Bypass

Ignoring CMP signals

Impact: 52% pre-consent firing rate means DoubleClick activates before consent management platforms can intervene. Under GDPR and ePrivacy, this creates direct liability for the site operator — not Google — as the data controller.

BTI-C10Fingerprinting

Device identification

Impact: Device fingerprinting enables persistent identification even when users clear cookies or use private browsing. This undermines user opt-out mechanisms and creates compliance exposure under regulations requiring meaningful consent withdrawal.

BTI-C13Persistence Mechanisms

Long-lived identifiers

Impact: Long-lived identifiers ensure tracking survives standard privacy measures like cookie deletion. Combined with cross-domain sync, this creates durable user profiles that persist across sessions, devices, and consent resets.

BTI-C14Identity Resolution

PII deanonymization

Impact: PII-level deanonymization ties anonymous site visitors to real identities within Google's ecosystem. This transforms your website from a controlled property into an identity collection point feeding Google's advertising data supply chain.

IOC Manifest

IOC Manifest

10 INDICATORS

Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

TRACK
*googleads.g.doubleclick.net/pagead/viewthroughconversion/*/*
Tracking script
TRACK
googleads.g.doubleclick.net
Tracking script
TRACK
googleads.g.doubleclick.net/pagead/viewthroughconversion/949204775/
Auto-extracted from scan
Ecosystem

Ecosystem & Supply Chain

DoubleClick is wholly owned by Google (Alphabet Inc.), acquired in 2007 for $3.1 billion and now integrated as Google Ad Manager. It operates as the backbone of Google's programmatic advertising stack, connecting to Google Ads, Display & Video 360, Campaign Manager, and the Google Marketing Platform. On monitored sites, DoubleClick frequently co-deploys with Google Analytics (GA4), Google Tag Manager, and other Google properties, creating a unified data collection layer. Its ad serving infrastructure touches virtually every major ad exchange and supply-side platform, making it one of the most interconnected nodes in the global advertising ecosystem.
Loaded By (19)
Clearbit6senseGoogleanalytics4Google AdsYoutubeAmplitudeAolPubmaticSeedtagCheqEnsightenBizibleCloudflare InsightsConstantcontactJourneyOsanoMailchimpPubrioReplit
Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

10 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details