How This Briefing Works
This report opens with key findings, then maps the gaps between what GoogleAds discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Pre-Consent Activity
GoogleAds was observed loading and executing before user consent was obtained on 66% of sites where it was detected.
Claims vs. Observed Behavior
consent
“Unknown - requires claims extraction via CDT”
Deploys pre-consent advertising tracking
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use GoogleAds
- →Configure Google Ads consent mode: enables conversion tracking after consent without pre-consent loading
- →Audit current tag implementation: remove remarketing pixels from pre-consent loading
- →Review Google Tag Manager setup: ensure Ads tags fire only after consent signal
If You're Evaluating GoogleAds
- →Implement Google Consent Mode v2 for privacy-compliant advertising measurement
- →Evaluate consent impact on attribution: quantify performance difference between pre-consent and post-consent tracking
- →Consider alternative attribution: server-side conversion APIs, contextual advertising without tracking
Negotiation Leverage
- →Google Ads creates consent liability through pre-consent deployment despite availability of privacy-compliant alternatives (Consent Mode)
- →Unlike niche surveillance vendors, Google Ads provides clear ROI - focus on technical compliance (Consent Mode implementation) not contract termination
- →Google provides consent-first tooling (Consent Mode v2) - current violation is implementation choice, not technical limitation
- →Document business necessity and implement technical controls: consent-first loading, server-side attribution, or legitimate interest assessment if consent impacts performance
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
Identity stitching
Ignoring CMP signals
Impact: Advertising tracking loads before user consent opportunity, creating per-visitor GDPR Article 7 violation. Google Ads scale amplifies exposure - high-traffic sites face penalty calculations based on millions of visitors.
PII deanonymization
IOC Manifest
Indicators of compromise across 5 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
Complete network capture with all requests and responses
63 detection signatures across scripts, domains, cookies, and network endpoints