
Gumgum

Gumgum deploys comprehensive ad surveillance: behavioral biometrics, cross-domain syncing, consent bypass, and tag manager persistence. Low Oracle risk, severe Broker exposure, critical Counselor violations create multi-layered compliance disaster.

10 IOCs · 28 detections · 7% pre-consent · 26 sites

Vendor Risk Score: 70

How This Briefing Works

This report opens with key findings, then maps the gaps between what Gumgum discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

28 detections across 26 sites; 7% pre-consent activity

Pre-Consent Activity (MEDIUM)

Gumgum was observed loading and executing before user consent was obtained on 7% of sites where it was detected.

GDPR, ePrivacy

Claims vs. Observed Behavior

1 gap

What This Means For You

Marketing teams gain visual ad optimization but inherit exponential consent liability: per-visitor × per-sync-partner × special category biometrics. Engineering teams lose control over tracking due to tag manager deployment. Legal teams face simultaneous violations across four GDPR/ePrivacy provisions.

What To Do About It

Role-specific actions based on observed behavior

If You Use Gumgum

  • Remove Gumgum from tag manager immediately - tag-based deployment prevents consent enforcement
  • Request deletion of all behavioral biometric data and cross-domain sync records
  • Demand a list of all cookie-sync partners to assess total liability exposure

If You're Evaluating Gumgum

  • Reject any vendor using tag manager deployment for ad tracking - requires direct script control for compliance
  • Demand written confirmation: no behavioral biometrics, no cross-domain syncing, no pre-consent loading
  • Migrate to privacy-safe advertising: contextual targeting (no tracking), consent-first programmatic, or direct publisher relationships without behavioral profiling

Negotiation Leverage

  • Gumgum deploys four-layer consent violation creating exponential liability: behavioral biometrics + cross-domain syncing + tag manager persistence + pre-consent loading
  • Tag manager deployment makes consent compliance impossible - vendor can modify tracking server-side without customer control
  • Cross-domain syncing multiplies per-visitor penalties by number of ad network partners - exponential enforcement exposure
  • Vendor must eliminate all four violation layers or accept 100% liability for compounded GDPR/ePrivacy regulatory enforcement

Runtime Detections

4 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C06 Behavioral Biometrics

Keystroke/mouse tracking

Impact: Visual attention tracking (scroll depth, viewability timing, interaction patterns) creates behavioral fingerprints. GDPR Article 9 classifies biometric data as special category requiring explicit consent - pre-consent capture creates heightened penalty exposure.

BTI-C08 Cross-Domain Sync

Identity stitching

Impact: Cookie syncing with ad network partners before consent creates per-visitor violation multiplied by number of sync recipients. Enforcement agencies can assess penalties per data transfer - 10 sync partners = 10x liability multiplier.

BTI-C09 Consent Bypass

Ignoring CMP signals

Impact: Tracking initialization before consent creates strict liability under GDPR Article 7 and the ePrivacy Directive. Combined with biometric capture and cross-domain syncing, this elevates to a special category data + unauthorized transfer violation.

BTI-C15 Tag Manager

Container/loader (neutral)

Impact: Deployment via tag manager enables vendor to modify tracking behavior server-side without customer visibility. Customer cannot verify consent-first loading or data minimization even after configuration - creates ongoing compliance risk.


IOC Manifest

3 INDICATORS

Indicators of compromise across 3 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

No indicators in this category


Ecosystem & Supply Chain

Gumgum operates in the visual advertising ecosystem alongside contextual and behavioral targeting vendors. Cookie syncing is standard for DSPs, but the four-technique surveillance stack creates extreme risk. Liability is higher than for consent-first ad platforms or contextual-only alternatives (no behavioral tracking).

Loaded By (2)

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

10 detection signatures across scripts, domains, cookies, and network endpoints
