Gamned | Vendor Intelligence

How This Briefing Works

This report opens with key findings, then maps the gaps between what Gamned discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

3 detections across 2 sites67% pre-consent activity

CRITICAL

Pre-Consent Activity

Gamned was observed loading and executing before user consent was obtained on 67% of sites where it was detected.

GDPRePrivacy

Disclosure Gaps

Claims vs. Observed Behavior

1 gaps

Customer Impact

What This Means For You

Marketing teams gain ad targeting capability but inherit exponential consent liability (per-visitor × per-sync-partner). Legal teams face GDPR dual violation: consent bypass PLUS unauthorized data transfers to third parties. Budget owners pay for advertising that creates multi-jurisdiction enforcement exposure.

Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use Gamned

→Disable Gamned pixel immediately - no ad platform justifies pre-consent deployment
→Request list of all cookie-sync partners: assess total liability exposure
→Demand deletion of all historical cross-domain tracking data

If You're Evaluating Gamned

→Require Gamned to implement consent-first architecture before any contract consideration
→Demand contractual liability assumption: vendor pays 100% of penalties for consent violations and unauthorized data transfers
→Migrate to privacy-safe advertising: contextual targeting (no tracking), consent-first programmatic, or direct publisher relationships

Negotiation Leverage

→Gamned creates exponential consent liability through cross-domain syncing: per-visitor violations multiplied by number of ad network partners
→Vendor must eliminate pre-consent tracking AND cookie syncing, or assume 100% liability for multi-jurisdiction regulatory penalties
→Programmatic advertising works with consent-first architecture - pre-consent deployment is vendor choice, not technical requirement
→Current architecture violates GDPR Article 7 (consent) + ePrivacy Article 5(3) (cookies) + potential Article 44 (data transfers) across jurisdictions

Runtime Detections

2 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C08Cross-Domain Sync

Identity stitching

Impact: Cookie syncing with third-party ad networks before consent creates liability for each sync partner. GDPR enforcement agencies can assess penalties per data recipient - 5 sync partners = 5x violation multiplier.

BTI-C09Consent Bypass

Ignoring CMP signals

Impact: Ad tracking and identity syncing load before consent opportunity, creating strict liability under GDPR Article 7 and ePrivacy Directive Article 5(3). Combined with cross-domain data sharing, elevates to data transfer violation.

IOC Manifest

4 INDICATORS

Indicators of compromise across 3 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

No indicators in this category

Ecosystem

Ecosystem & Supply Chain

Gamned operates in programmatic advertising ecosystem alongside Criteo, The Trade Desk, and Google Ad Manager. Standard cookie-syncing architecture for ad platforms, but pre-consent deployment violates ePrivacy requirements. Higher risk than consent-first ad platforms (contextual advertising, post-consent programmatic).

Loads (1)

Vwo

Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

7 detection signatures across scripts, domains, cookies, and network endpoints