How This Briefing Works
This report opens with key findings, then maps the gaps between what Exoclick discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Pre-Consent Activity
Exoclick was observed loading and executing before user consent was obtained on 4% of sites where it was detected.
Claims vs. Observed Behavior
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use Exoclick
- Immediately audit all ad network integrations to identify Exoclick deployment
- If discovered, execute emergency tag removal and data deletion request under GDPR Article 17
- Conduct legal review of association risk and potential regulatory notification requirements
- Implement ad network approval process requiring privacy and reputational risk assessment
If You're Evaluating Exoclick
- Consider whether reputational risk of adult content association justifies any use case
- Evaluate retargeting alternatives with mainstream-only inventory and privacy-first architectures
- Assess whether behavioral targeting performance justifies extreme GDPR liability
- Request executive stakeholder review before any future deployment given reputational risk
Negotiation Leverage
- Exoclick VRS 80 = Broker (90) + Counselor (100) threat. Adult content association creates reputational risk that likely violates acceptable use policies.
- Session recording (BTI-C07) on adult sites = extreme PII exposure. Regulatory investigation would focus discovery on this data processing.
- Consent bypass (BTI-C09) = systematic GDPR violation demonstrating willful non-compliance. No technical remediation exists; platform architecture is non-compliant.
- Behavioral profiles from adult browsing used for mainstream targeting = cross-context tracking violating user privacy expectations.
- Ask: What is your data breach notification history? How is session recording data secured? What is the legal basis for special category data processing? Expect no satisfactory answers.
- Recommendation: Contract termination. No amount of performance justifies the reputational and regulatory risk profile.
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
Evasion infrastructure, auditor bypass
Impact: Tag-level deception allows Exoclick to present different tracking behavior based on detection of privacy tools, defeating consent management and creating regulatory exposure.
Keystroke/mouse tracking
Impact: Mouse movements, keystroke patterns, and scroll behavior captured across adult content sites create sensitive personal data profiles that enable invasive cross-site tracking.
Full session replay
Impact: Full session capture, including page interactions and form inputs on adult sites, creates extreme PII exposure and reputational risk if a data breach occurs.
Ignoring CMP signals
Impact: Tracking continues after consent rejection, creating per-violation GDPR fines and demonstrating systematic disregard for user privacy rights.
Device identification
Impact: Device fingerprinting creates persistent identifiers that follow users across adult and mainstream sites, a form of cross-context tracking that users cannot detect or control.
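The pre-consent finding above and the "Ignoring CMP signals" detection both come down to timing: when a vendor request fires relative to the user's consent choice. The following audit script is an added example (not BLACKOUT's tooling and not part of this report's evidence) that replays that check over a HAR-format network capture; it assumes a placeholder CMP endpoint that records the user's choice in a `choice` query parameter and a placeholder vendor host list standing in for your own IOC manifest, and the sample capture is constructed, not real traffic.

```python
import json
from datetime import datetime
from urllib.parse import parse_qs, urlparse

# Placeholders: substitute your CMP's consent endpoint and the vendor hosts from your IOC list.
CONSENT_HOST = "cmp.example-consent.invalid"
VENDOR_HOSTS = {"ads.vendor-placeholder.invalid", "cdn.vendor-placeholder.invalid"}


def _when(entry):
    # HAR startedDateTime is ISO 8601 with a trailing Z; older Pythons need it spelled as +00:00.
    return datetime.fromisoformat(entry["startedDateTime"].replace("Z", "+00:00"))


def _host(entry):
    return urlparse(entry["request"]["url"]).hostname


def audit_consent_timing(har):
    """Return vendor requests that fired before any consent signal, and those that
    fired after the user explicitly rejected (the 'Ignoring CMP signals' case)."""
    entries = sorted(har["log"]["entries"], key=_when)  # HAR order is not guaranteed
    consent_at, choice = None, None
    for e in entries:
        if _host(e) == CONSENT_HOST:
            consent_at = _when(e)
            choice = parse_qs(urlparse(e["request"]["url"]).query).get("choice", [None])[0]
            break
    pre_consent, post_rejection = [], []
    for e in entries:
        if _host(e) not in VENDOR_HOSTS:
            continue
        # No consent event in the capture at all means every vendor request is pre-consent.
        if consent_at is None or _when(e) < consent_at:
            pre_consent.append(e["request"]["url"])
        elif choice == "reject":
            post_rejection.append(e["request"]["url"])
    return {"pre_consent": pre_consent, "post_rejection": post_rejection}


# Constructed sample capture: two vendor hits before the CMP call, one after a rejection.
SAMPLE_HAR = json.loads("""{"log": {"entries": [
 {"startedDateTime": "2024-01-01T00:00:00.100Z", "request": {"url": "https://ads.vendor-placeholder.invalid/tag.js"}},
 {"startedDateTime": "2024-01-01T00:00:00.050Z", "request": {"url": "https://cdn.vendor-placeholder.invalid/pixel?id=1"}},
 {"startedDateTime": "2024-01-01T00:00:02.000Z", "request": {"url": "https://cmp.example-consent.invalid/save?choice=reject"}},
 {"startedDateTime": "2024-01-01T00:00:03.000Z", "request": {"url": "https://ads.vendor-placeholder.invalid/sync?uid=abc"}},
 {"startedDateTime": "2024-01-01T00:00:04.000Z", "request": {"url": "https://www.publisher.invalid/page.css"}}
]}}""")

if __name__ == "__main__":
    for kind, urls in audit_consent_timing(SAMPLE_HAR).items():
        print(kind, len(urls), urls)
```

Run it against a capture exported from browser devtools with the CMP endpoint and vendor hosts filled in; a non-empty `post_rejection` list is the evidence a regulator would ask for.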
IOC Manifest
Indicators of compromise across 3 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
Complete network capture with all requests and responses
40 detection signatures across scripts, domains, cookies, and network endpoints