How This Briefing Works
This report opens with key findings, then maps the gaps between what Illumin discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Key Findings
26 detections across 24 sites15% pre-consent activity
MEDIUM
Pre-Consent Activity
Illumin was observed loading and executing before user consent was obtained on 15% of sites where it was detected.
GDPRePrivacy
HIGH
Pending Analysis
7 BTI behavioral codes detected across 26 deployments including cross-domain sync. Full claims extraction required for gap analysis.
Disclosure Gaps
Claims vs. Observed Behavior
1 gaps
1 HIGH
Pending Analysis
HIGH
They Claim
“Claims analysis pending”
Observed Behavior
7 BTI behavioral codes detected across 26 deployments including cross-domain sync. Full claims extraction required for gap analysis.
Customer Impact
What This Means For You
If Illumin is deployed on your site, your visitors are being tracked across domains — not just on your property but correlated with their behavior on up to 24 other sites in Illumin's network. Cross-domain sync means a user who visits your site and then a competitor's site has that journey mapped and identity-resolved through Illumin's platform. With a 15% pre-consent firing rate, this cross-domain tracking begins before your visitors consent. You may face joint controller liability under GDPR Art. 26 for data processing that occurs on other sites in Illumin's network, simply because their identity graph was seeded with data collected on your property.
Recommended Actions
What To Do About It
Role-specific actions based on observed behavior
If You Use Illumin
- →Immediately audit whether Illumin's cross-domain sync (C08) is disclosed in your privacy policy and covered in your DPA
- →Verify your CMP blocks Illumin before consent — 15% pre-consent rate indicates likely consent flow gaps
- →Request Illumin's complete list of domains participating in their cross-domain identity sync
- →Assess whether GDPR Art. 26 joint controller obligations apply to your Illumin deployment
If You're Evaluating Illumin
- →Require Illumin to provide a data flow map showing exactly how visitor data from your site is used across their network before deployment
- →Demand contractual prohibition on cross-domain identity stitching using data collected from your property
- →Establish consent-gate verification as a deployment prerequisite with technical enforcement
- →Evaluate whether journey advertising benefits justify the joint controller liability exposure
Negotiation Leverage
- →Cross-domain sync (C08) triggers GDPR Art. 26 joint controller obligations — use as leverage to demand comprehensive data flow transparency and favorable liability allocation
- →15% pre-consent rate is documented evidence of consent violations — require contractual guarantee of consent-gate compliance with financial penalties for breach
- →51-script footprint is tied for highest in VRS 90 tier — demand script reduction roadmap and performance impact compensation
- →Rebrand from AcuityAds to Illumin may indicate regulatory pressure on previous practices — request disclosure of any regulatory actions or settlements
- →7 behavioral threat codes including identity resolution + cross-domain sync represents full identity stitching — demand explicit data minimization commitments aligned with GDPR Art. 5(1)(c)
Runtime Detections
Runtime Detections
7 BTI-C CODES
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
BTI-C01Defeat Device
Evasion infrastructure, auditor bypass
Impact: Evasion infrastructure may cause Illumin to behave differently during compliance audits, making it difficult to observe the full scope of their cross-domain sync and identity stitching during vendor assessments.
BTI-C06Behavioral Biometrics
Keystroke/mouse tracking
Impact: Keystroke and mouse tracking through a journey advertising platform captures granular interaction patterns that feed into cross-domain behavioral profiles — your visitors' micro-behaviors contribute to identity graphs spanning 24 sites.
BTI-C07Session Recording
Full session replay
Impact: Full session replay within journey advertising means complete user sessions are captured and correlated with cross-domain identity data, creating comprehensive behavioral dossiers that extend far beyond advertising attribution.
BTI-C08Cross-Domain Sync
Identity stitching
Impact: Identity stitching across domains means a visitor identified on your site is correlated with their activity on other sites in Illumin's network. This creates undisclosed data sharing that may trigger GDPR joint controller obligations and CCPA 'sale' definitions.
BTI-C09Consent Bypass
Ignoring CMP signals
Impact: 15% pre-consent rate means Illumin initiates cross-domain tracking and identity resolution before users can express preferences — creating per-pageview violations across GDPR, ePrivacy Directive, and CCPA for affected visitors.
BTI-C10Fingerprinting
Device identification
Impact: Device fingerprinting enables persistent cross-domain identification that survives cookie deletion and browser privacy controls, making it nearly impossible for users to exercise their right to opt out of Illumin's identity graph.
BTI-C14Identity Resolution
PII deanonymization
Impact: PII deanonymization combined with cross-domain sync (C08) means Illumin is building identity-resolved journey maps across their entire network. Your visitors' identities resolved on your site become nodes in a cross-site behavioral graph.
IOC Manifest
IOC Manifest
243 INDICATORS
Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
TRACK
*illumin.com/wp-content/plugins/cookie-notice/js/front.js*
Tracking script
TRACK
*illumin.com/wp-content/themes/hello-elementor-child/custom/global.js*
Tracking script
TRACK
*illumin.com/wp-content/plugins/pixelyoursite/dist/scripts/tld.js*
Tracking script
TRACK
*illumin.com/wp-content/plugins/pixelyoursite/dist/scripts/public.js*
Tracking script
TRACK
*illumin.com/wp-content/themes/hello-elementor-child/custom/shortcodes.js*
Tracking script
TRACK
*illumin.com/wp-content/plugins/pixelyoursite/dist/scripts/jquery.bind-first-0.2.3.js*
Tracking script
TRACK
*illumin.com/wp-includes/js/jquery/jquery-migrate.js*
Tracking script
TRACK
*illumin.com/wp-content/plugins/elementor/assets/lib/font-awesome/js/v4-shims.js*
Tracking script
TRACK
*illumin.com/wp-content/plugins/pixelyoursite/dist/scripts/js.cookie-2.1.3.js*
Tracking script
TRACK
*illumin.com/wp-includes/js/jquery/jquery.js*
Tracking script
TRACK
*illumin.com/wp-content/plugins/board-members-elementor/assets/js/board-members.js*
Tracking script
TRACK
*illumin.com/wp-content/plugins/illumin-elementor/assets/js/related-slider.js*
Tracking script
TRACK
*illumin.com/wp-content/plugins/financial-history-ajax-elementor-v2/assets/js/financial-history.js*
Tracking script
TRACK
*illumin.com/wp-content/plugins/elementor/assets/js/frontend-modules.js*
Tracking script
TRACK
*illumin.com/wp-content/themes/hello-elementor-child/custom/insights-loop-search.js*
Tracking script
TRACK
*illumin.com/wp-content/themes/hello-elementor/assets/js/hello-frontend.js*
Tracking script
TRACK
*illumin.com/wp-content/uploads/essential-addons-elementor/eael-*.js*
Tracking script
TRACK
*illumin.com/wp-content/plugins/essential-addons-for-elementor-lite/assets/front-end/js/view/general.js*
Tracking script
TRACK
*illumin.com/wp-content/uploads/essential-addons-elementor/eael-13.js*
Tracking script
TRACK
*illumin.com/wp-content/plugins/elementor-pro/assets/lib/smartmenus/jquery.smartmenus.js*
Tracking script
TRACK
*illumin.com/wp-content/plugins/platform-elementor/assets/js/platform.js*
Tracking script
TRACK
*illumin.com/wp-includes/js/imagesloaded.js*
Tracking script
TRACK
*illumin.com/wp-content/plugins/page-scroll-to-id/js/page-scroll-to-id.js*
Tracking script
TRACK
*illumin.com/wp-content/plugins/elementor/assets/js/webpack.runtime.js*
Tracking script
TRACK
*illumin.com/wp-includes/js/jquery/ui/core.js*
Tracking script
TRACK
*illumin.com/wp-content/plugins/elementor/assets/js/frontend.js*
Tracking script
TRACK
*illumin.com/wp-content/plugins/page-links-to/dist/new-tab.js*
Tracking script
TRACK
*illumin.com/wp-content/plugins/elementor/assets/lib/swiper/v8/swiper.js*
Tracking script
TRACK
*illumin.com/wp-content/themes/hello-elementor-child/custom/jquery.selectBox.js*
Tracking script
TRACK
*illumin.com/wp-includes/js/hoverIntent.js*
Tracking script
TRACK
*illumin.com/wp-content/plugins/megamenu/js/maxmegamenu.js*
Tracking script
TRACK
*illumin.com/wp-content/plugins/elementor-pro/assets/js/webpack-pro.runtime.js*
Tracking script
TRACK
*illumin.com/wp-includes/js/dist/i18n.js*
Tracking script
TRACK
*illumin.com/wp-content/plugins/elementor-pro/assets/js/frontend.js*
Tracking script
TRACK
*illumin.com/wp-includes/js/dist/hooks.js*
Tracking script
TRACK
*illumin.com/wp-content/plugins/elementor-pro/assets/js/elements-handlers.js*
Tracking script
TRACK
*illumin.com/wp-content/plugins/elementor-pro/assets/js/menu-title-keyboard-handler.*.bundle.js*
Tracking script
TRACK
*illumin.com/wp-content/plugins/elementor-pro/assets/js/mega-menu.*.bundle.js*
Tracking script
TRACK
*illumin.com/wp-content/plugins/elementor/assets/js/text-editor.*.bundle.js*
Tracking script
TRACK
*illumin.com/wp-content/plugins/elementor/assets/js/shared-frontend-handlers.*.bundle.js*
Tracking script
TRACK
*illumin.com/wp-content/plugins/elementor/assets/lib/dialog/dialog.js*
Tracking script
TRACK
*illumin.com/wp-content/plugins/elementor-pro/assets/js/mega-menu-stretch-content.*.bundle.js*
Tracking script
TRACK
*illumin.com/wp-content/plugins/elementor-pro/assets/js/nav-menu.*.bundle.js*
Tracking script
TRACK
*illumin.com/wp-content/plugins/elementor-pro/assets/js/ajax-pagination.*.bundle.js*
Tracking script
TRACK
*illumin.com/wp-content/plugins/elementor-pro/assets/js/load-more.*.bundle.js*
Tracking script
TRACK
*illumin.com/wp-content/plugins/elementor-pro/assets/js/loop.*.bundle.js*
Tracking script
TRACK
*illumin.com/wp-content/plugins/elementor-pro/assets/js/carousel.*.bundle.js*
Tracking script
TRACK
*illumin.com/wp-includes/js/wp-emoji-release.js*
Tracking script
TRACK
illumin.com/wp-content/themes/hello-elementor-child/custom/global.js
Auto-extracted from scan
TRACK
illumin.com/wp-includes/js/jquery/jquery.min.js
Auto-extracted from scan
TRACK
illumin.com/wp-includes/js/jquery/jquery-migrate.min.js
Auto-extracted from scan
TRACK
illumin.com/wp-content/themes/hello-elementor-child/custom/shortcodes.js
Auto-extracted from scan
TRACK
illumin.com/wp-content/plugins/cookie-notice/js/front.min.js
Auto-extracted from scan
TRACK
illumin.com/wp-content/plugins/pixelyoursite/dist/scripts/jquery.bind-first-0.2.3.min.js
Auto-extracted from scan
TRACK
illumin.com/wp-content/plugins/pixelyoursite/dist/scripts/js.cookie-2.1.3.min.js
Auto-extracted from scan
TRACK
illumin.com/wp-content/plugins/pixelyoursite/dist/scripts/tld.min.js
Auto-extracted from scan
TRACK
illumin.com/wp-content/plugins/pixelyoursite/dist/scripts/public.js
Auto-extracted from scan
TRACK
illumin.com/wp-content/plugins/elementor/assets/lib/font-awesome/js/v4-shims.min.js
Auto-extracted from scan
TRACK
illumin.com/wp-content/plugins/board-members-elementor/assets/js/board-members.js
Auto-extracted from scan
TRACK
illumin.com/wp-content/plugins/financial-history-ajax-elementor-v2/assets/js/financial-history.js
Auto-extracted from scan
TRACK
illumin.com/wp-content/plugins/illumin-elementor/assets/js/related-slider.js
Auto-extracted from scan
TRACK
illumin.com/wp-content/plugins/page-scroll-to-id/js/page-scroll-to-id.min.js
Auto-extracted from scan
TRACK
illumin.com/wp-content/themes/hello-elementor-child/custom/insights-loop-search.js
Auto-extracted from scan
TRACK
illumin.com/wp-content/themes/hello-elementor/assets/js/hello-frontend.js
Auto-extracted from scan
TRACK
illumin.com/wp-content/plugins/essential-addons-for-elementor-lite/assets/front-end/js/view/general.min.js
Auto-extracted from scan
TRACK
illumin.com/wp-content/uploads/essential-addons-elementor/eael-21728.js
Auto-extracted from scan
TRACK
illumin.com/wp-content/plugins/elementor/assets/js/webpack.runtime.min.js
Auto-extracted from scan
TRACK
illumin.com/wp-content/plugins/elementor/assets/js/frontend-modules.min.js
Auto-extracted from scan
TRACK
illumin.com/wp-includes/js/jquery/ui/core.min.js
Auto-extracted from scan
TRACK
illumin.com/wp-content/plugins/elementor/assets/js/frontend.min.js
Auto-extracted from scan
TRACK
illumin.com/wp-content/plugins/elementor-pro/assets/lib/smartmenus/jquery.smartmenus.min.js
Auto-extracted from scan
TRACK
illumin.com/wp-content/uploads/essential-addons-elementor/eael-13.js
Auto-extracted from scan
TRACK
illumin.com/wp-content/plugins/platform-elementor/assets/js/platform.js
Auto-extracted from scan
TRACK
illumin.com/wp-content/plugins/elementor/assets/lib/swiper/v8/swiper.min.js
Auto-extracted from scan
TRACK
illumin.com/wp-includes/js/imagesloaded.min.js
Auto-extracted from scan
TRACK
illumin.com/wp-content/plugins/page-links-to/dist/new-tab.js
Auto-extracted from scan
TRACK
illumin.com/wp-content/themes/hello-elementor-child/custom/jquery.selectBox.js
Auto-extracted from scan
TRACK
illumin.com/wp-includes/js/hoverIntent.min.js
Auto-extracted from scan
TRACK
illumin.com/wp-content/plugins/megamenu/js/maxmegamenu.js
Auto-extracted from scan
TRACK
illumin.com/wp-content/plugins/elementor-pro/assets/js/webpack-pro.runtime.min.js
Auto-extracted from scan
TRACK
illumin.com/wp-includes/js/dist/hooks.min.js
Auto-extracted from scan
TRACK
illumin.com/wp-includes/js/dist/i18n.min.js
Auto-extracted from scan
TRACK
illumin.com/wp-content/plugins/elementor-pro/assets/js/frontend.min.js
Auto-extracted from scan
TRACK
illumin.com/wp-content/plugins/elementor-pro/assets/js/elements-handlers.min.js
Auto-extracted from scan
TRACK
illumin.com/wp-content/plugins/elementor/assets/lib/dialog/dialog.min.js
Auto-extracted from scan
TRACK
illumin.com/wp-content/plugins/elementor/assets/js/shared-frontend-handlers.03caa53373b56d3bab67.bundle.min.js
Auto-extracted from scan
TRACK
illumin.com/wp-content/plugins/elementor-pro/assets/js/mega-menu.82093824ddb3f5531ab4.bundle.min.js
Auto-extracted from scan
TRACK
illumin.com/wp-content/plugins/elementor-pro/assets/js/mega-menu-stretch-content.480e081cebe071d683e8.bundle.min.js
Auto-extracted from scan
TRACK
illumin.com/wp-content/plugins/elementor-pro/assets/js/menu-title-keyboard-handler.f0362773c21105d2c65c.bundle.min.js
Auto-extracted from scan
TRACK
illumin.com/wp-content/plugins/elementor/assets/js/text-editor.45609661e409413f1cef.bundle.min.js
Auto-extracted from scan
TRACK
illumin.com/wp-content/plugins/elementor-pro/assets/js/nav-menu.8521a0597c50611efdc6.bundle.min.js
Auto-extracted from scan
TRACK
illumin.com/wp-content/plugins/elementor-pro/assets/js/carousel.3620fca501cb18163600.bundle.min.js
Auto-extracted from scan
TRACK
illumin.com/wp-content/plugins/elementor-pro/assets/js/load-more.8b46f464e573feab5dd7.bundle.min.js
Auto-extracted from scan
TRACK
illumin.com/wp-content/plugins/elementor-pro/assets/js/loop.89cc81d2188312a17a17.bundle.min.js
Auto-extracted from scan
TRACK
illumin.com/wp-content/plugins/elementor-pro/assets/js/ajax-pagination.2090b5f4906bcda1dcc2.bundle.min.js
Auto-extracted from scan
TRACK
illumin.com/wp-includes/js/wp-emoji-release.min.js
Auto-extracted from scan
Ecosystem
Ecosystem & Supply Chain
Illumin (formerly AcuityAds) operates as a journey advertising platform in the programmatic advertising ecosystem. Their rebrand from AcuityAds signals a strategic shift toward journey-based advertising, which inherently requires cross-domain tracking to map user paths across touchpoints. With detections across 24 sites and cross-domain sync capabilities, Illumin functions as both an ad execution platform and a cross-site identity infrastructure layer. The 51-script footprint — the highest alongside BuyerCaddy in the VRS 90 tier — suggests deep integration with publisher sites and ad exchanges. Their identity resolution and cross-domain capabilities position them as a data broker within advertising infrastructure.
Evidence
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
HAR Capture
Complete network capture with all requests and responses
IOC Manifest
247 detection signatures across scripts, domains, cookies, and network endpoints