All Vendors
dsp

Kevel

Kevel DSP platform deploys cross-domain synchronization and consent bypass mechanisms in ad decisioning infrastructure.

21 IOCs3 detections100% pre-consent2 sites
70
Vendor Risk Score

How This Briefing Works

This report opens with key findings, then maps the gaps between what Kevel discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

Key Findings

3 detections across 2 sites100% pre-consent activity
CRITICAL

Pre-Consent Activity

Kevel was observed loading and executing before user consent was obtained on 100% of sites where it was detected.

GDPRePrivacy
Disclosure Gaps

Claims vs. Observed Behavior

1 gaps

tracking_infrastructure

HIGH
They Claim

Unknown - requires claims extraction

Observed Behavior

C08+C09 detected - cross-domain identity sync with pre-consent execution

Customer Impact

What This Means For You

Publishers using Kevel inherit cross-domain tracking and consent-timing liability. Privacy audits revealing identity synchronization and pre-consent execution create dual compliance exposures. Ad targeting built on non-consented cross-domain data produces legally questionable monetization.
Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use Kevel

  • Audit Kevel cross-domain sync scope - map all domains participating in identity coordination
  • Enforce consent gate before Kevel initialization to address C09 bypass
  • Document consent timestamp vs ad platform execution for compliance records
  • Verify ad decisioning works with delayed post-consent loading

If You're Evaluating Kevel

  • Request Kevel technical documentation of cross-domain sync and consent integration
  • Evaluate contextual advertising alternatives eliminating identity tracking
  • Consider server-side ad decisioning to reduce browser-based tracking surface
  • Investigate first-party ad platforms without cross-domain capabilities

Negotiation Leverage

  • Kevel deploys C08 cross-domain sync + C09 consent bypass - vendor must explain identity coordination and pre-consent execution
  • Demand disclosure of all domains participating in identity synchronization
  • Require consent-aware initialization capabilities - no pre-consent ad decisioning
  • Negotiate opt-out of cross-domain sync features if contextual targeting sufficient
  • Establish liability terms for cross-domain tracking and consent violations
Runtime Detections

Runtime Detections

2 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C08Cross-Domain Sync

Identity stitching

BTI-C09Consent Bypass

Ignoring CMP signals

IOC Manifest

IOC Manifest

14 INDICATORS

Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

TRACK
*cdn.cdp.audience.kevel.com/pcdp_1.0.js*
Tracking script
TRACK
cdn.cdp.audience.kevel.com/pcdp_1.0.js
Auto-extracted from scan
Ecosystem

Ecosystem & Supply Chain

Operates within programmatic advertising infrastructure. Cross-domain capabilities suggest integration with identity resolution networks coordinating across publisher inventory and advertiser properties.
Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

21 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details