How This Briefing Works
This dossier opens with key findings, then maps the gap between what Ketch discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection evidence underneath. BLACKOUT observes runtime browser behavior and cites the regulations that address each pattern — legal determinations are your counsel's call.
At a Glance
across 16 sites
vendor fires before consent
Briefing
Consent management vendor embedding surveillance capabilities inside privacy controls. Behavioral capture (C06), session recording (C07), cross-domain tracking (C08), and consent bypass (C09) within a CMP creates privacy theater - the privacy tool becomes the surveillance mechanism.
What This Means For You
Organizations deploying Ketch face catastrophic irony exposure - the consent tool violates consent. Privacy programs built on Ketch produce inverse outcomes. Regulatory discovery of CMP surveillance creates existential compliance crisis. Customer trust damage from privacy-washing exceeds standard vendor violations.
Risk Channel Breakdown
Distorts attribution data
C08 cross-domain sync enables identity persistence across properties; C14 identity resolution merges browsing contexts
Expands attack surface
C06 behavioral biometrics capture interaction patterns; C07 session recording monitors user activity; C09 consent bypass allows CMP to operate outside its own consent framework
Threat Indicators
Runtime-observed (BTI-C)
Keystroke/mouse tracking
Full session replay
Identity stitching
Ignoring CMP signals
Per-code narrative explanations of what each detected behavior means for your organization
Per-code evidence with full attribution chain, severity rankings, and consequence narratives See pricing →
Claims vs. Reality
BLACKOUT analyzed Ketch's public claims against observed runtime behavior and identified 1 contradiction.
Full claim-vs-reality gap analysis with claim text, observed behavior, severity, regulatory citations (GDPR, CCPA, ePrivacy), and evidence pointers per gap See pricing →
What To Do
4 for current users · 4 for evaluators
contractual leverage points
Role-specific actions (security / legal / marketing / procurement), full negotiation brief with contractual language, and BTI-code-specific consequences See pricing →
Supply Chain & Pairings
Claims 0, observed 1
googletagmanager, googleanalytics4, doubleclick…
Full supply-chain mapping (loads / loaded-by lists with vendor identities) and the undisclosed-subprocessor list with observation evidence See pricing →