How This Briefing Works
This dossier opens with key findings, then maps the gap between what Illumin discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection evidence underneath. BLACKOUT observes runtime browser behavior and cites the regulations that address each pattern — legal determinations are your counsel's call.
At a Glance
across 1 sites
vendor fires before consent
1 HIGH
Briefing
Illumin is a journey advertising platform (rebranded from AcuityAds) detected across 26 deployments on 24 sites. BLACKOUT identified 7 behavioral threat codes including defeat device infrastructure (C01), behavioral biometrics (C06), session recording (C07), cross-domain sync (C08), consent bypass (C09), fingerprinting (C10), and identity resolution (C14). The cross-domain sync capability (C08) combined with identity resolution means Illumin actively stitches user identities across separate domains — not just tracking within your site but correlating visitors across their 24-site deployment network. With a 51-script footprint, 15% pre-consent rate, and maximum scores for CAC subsidization and legal tail risk, Illumin represents one of the more aggressive advertising platforms in its tier.
What This Means For You
If Illumin is deployed on your site, your visitors are being tracked across domains — not just on your property but correlated with their behavior on up to 24 other sites in Illumin's network. Cross-domain sync means a user who visits your site and then a competitor's site has that journey mapped and identity-resolved through Illumin's platform. With a 15% pre-consent firing rate, this cross-domain tracking begins before your visitors consent. You may face joint controller liability under GDPR Art. 26 for data processing that occurs on other sites in Illumin's network, simply because their identity graph was seeded with data collected on your property.
Risk Channel Breakdown
Signal corruption score of 40 — elevated above peers — reflects Illumin's cross-domain sync (C08) actively distorting attribution by correlating user behavior across domains. Your conversion data is not isolated; it's being synthesized with behavioral signals from other sites in Illumin's network, corrupting the integrity of your measurement.
Maximum CAC subsidization score (100) indicates Illumin's cross-domain identity stitching creates a direct channel for competitive intelligence leakage. Journey data showing how users move between your site and competitors' sites flows through Illumin's platform — your customer acquisition signals become visible to their network.
Expands attack surface
Maximum legal tail risk (100) driven by 15% pre-consent firing rate, cross-domain identity sync without explicit consent, and fingerprinting. Cross-domain tracking triggers GDPR's joint controller obligations under Art. 26 — you may be jointly liable with Illumin for data processing across their entire network of sites.
Threat Indicators
Runtime-observed (BTI-C)
Evasion infrastructure, auditor bypass
Keystroke/mouse tracking
Full session replay
Identity stitching
Ignoring CMP signals
Device identification
PII deanonymization
Per-code narrative explanations of what each detected behavior means for your organization
Per-code evidence with full attribution chain, severity rankings, and consequence narratives See pricing →
Claims vs. Reality
BLACKOUT analyzed Illumin's public claims against observed runtime behavior and identified 1 contradiction.
Full claim-vs-reality gap analysis with claim text, observed behavior, severity, regulatory citations (GDPR, CCPA, ePrivacy), and evidence pointers per gap See pricing →
What To Do
4 for current users · 4 for evaluators
contractual leverage points
Role-specific actions (security / legal / marketing / procurement), full negotiation brief with contractual language, and BTI-code-specific consequences See pricing →
Supply Chain & Pairings
Full supply-chain mapping (loads / loaded-by lists with vendor identities) and the undisclosed-subprocessor list with observation evidence See pricing →