How This Briefing Works
This dossier opens with key findings, then maps the gap between what LiveRamp discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection evidence underneath. BLACKOUT observes runtime browser behavior and cites the regulations that address each pattern — legal determinations are your counsel's call.
At a Glance
across 12 sites
vendor fires before consent
2 CRIT · 1 HIGH
Briefing
LiveRamp is a publicly-traded identity resolution and data connectivity platform (NYSE: RAMP), formerly Acxiom, headquartered in San Francisco. As a core infrastructure provider enabling cross-device identity matching and audience targeting across 92% of the advertising ecosystem, LiveRamp occupies a central position in the ad-tech supply chain. Critical finding: LiveRamp deploys Clearbit (a competitor identity resolution vendor) and Criteo (retargeting) on their own website, with 10 vendors firing pre-consent. This represents a significant gap between their stated "consumer privacy is a priority" position and observable runtime behavior. An identity resolution company using rival identity resolution on their own visitors raises serious questions about data practices.
What This Means For You
If LiveRamp powers your identity resolution and audience targeting, you are trusting the backbone of 92% of the advertising ecosystem. LiveRamp discloses only 5 subprocessors (AWS, GCP, Snowflake, Azure, Cognizant) while 21+ vendors are detected at runtime on liveramp.com — including Clearbit, a competitor identity resolution vendor owned by HubSpot. Under GDPR Art 28, this material subprocessor gap means you cannot verify the full data processing chain. LiveRamp's deployment of Clearbit on their own site means marketers evaluating LiveRamp are being identified by a competing identity platform, raising questions about data practice symmetry. With 600+ advertiser connections, your audience data flows through the largest identity resolution network — any systemic privacy gap has industry-wide implications.
Risk Channel Breakdown
LiveRamp sits at the heart of marketing measurement infrastructure - their identity graph connects first-party data to advertising platforms. When their own measurement practices include undisclosed vendors, it raises questions about data leakage to competitors and corrupted attribution chains. Using Clearbit on their own site means visitor intelligence potentially flows to a competing identity vendor.
As a data connectivity platform that enables audience sharing across 600+ advertisers, LiveRamp has extensive visibility into demand signals. Their use of Clearbit (owned by HubSpot) on their own site potentially exposes intent data about prospective customers to a competitor ecosystem. Marketers evaluating LiveRamp are being identified and potentially retargeted by competing platforms.
LiveRamp processes identity data at massive scale. The disconnect between their compliance certifications (SOC2, GDPR, CCPA) and pre-consent tracking behavior on their own properties creates regulatory exposure for customers who rely on LiveRamps stated compliance posture. If LiveRamp cannot maintain compliant behavior on properties they control, questions arise about their data handling for customer data.
LiveRamp claims SOC2 Type II, GDPR, and CCPA compliance while operating a website that fires 10 vendors pre-consent including identity resolution and retargeting. This creates consent divergence - users who reject tracking via their Ketch CMP may still have data captured by pre-consent vendors. The subprocessor list discloses only 5 infrastructure vendors while runtime shows 21+ third parties receiving data.
Threat Indicators
Runtime-observed (BTI-C)
Evasion infrastructure, auditor bypass
Keystroke/mouse tracking
Full session replay
Ignoring CMP signals
Device identification
PII deanonymization
Container/loader (neutral)
Claims-vs-Reality (BTI-X)
Not in privacy policy
Hidden data recipients
Behavior contradicts marketing
False certification claims
Collection exceeds disclosed scope
Per-code narrative explanations of what each detected behavior means for your organization
Per-code evidence with full attribution chain, severity rankings, and consequence narratives See pricing →
Claims vs. Reality
BLACKOUT analyzed LiveRamp's public claims against observed runtime behavior and identified 4 contradictions.
"Subprocessor list shows 5 vendors (AWS, GCP, Snowflake, Azure, Cognizant)"
Runtime scan detects 21+ third-party vendors receiving data including Clearbit, Criteo, Marketo, Salesloft, Bizible, Wistia, TrenDemon, Pubrio, Intellimize
3 more gaps — with regulatory citations and evidence pointers — available with subscription.
Full claim-vs-reality gap analysis with claim text, observed behavior, severity, regulatory citations (GDPR, CCPA, ePrivacy), and evidence pointers per gap See pricing →
What To Do
5 for current users · 5 for evaluators
contractual leverage points
Role-specific actions (security / legal / marketing / procurement), full negotiation brief with contractual language, and BTI-code-specific consequences See pricing →
Supply Chain & Pairings
Claims 5, observed 5
rubicon, googletagmanager, googleanalytics4…
Full supply-chain mapping (loads / loaded-by lists with vendor identities) and the undisclosed-subprocessor list with observation evidence See pricing →