LiveRamp | Vendor Intelligence

How This Briefing Works

This report opens with key findings, then maps the gaps between what LiveRamp discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

16 detections across 13 sites19% pre-consent activity2 critical disclosure gaps

CRITICAL

Subprocessor Disclosure

Runtime scan detects 21+ third-party vendors receiving data including Clearbit, Criteo, Marketo, Salesloft, Bizible, Wistia, TrenDemon, Pubrio, Intellimize

GDPR Article 28CCPA 1798.140(v)

CRITICAL

Pre-Consent Tracking

10 vendors fire pre-consent on liveramp.com including identity resolution (Clearbit) and retargeting (Criteo)

GDPR Article 6ePrivacy Directive Article 5(3)CCPA 1798.120

MEDIUM

Pre-Consent Activity

LiveRamp was observed loading and executing before user consent was obtained on 19% of sites where it was detected.

GDPRePrivacy

HIGH

Privacy Marketing Claims

Website deploys aggressive tracking stack including identity resolution and retargeting before user consent

FTC Section 5 (Deceptive Practices)

HIGH

Undisclosed Party

Not in privacy policy

Disclosure Gaps

Claims vs. Observed Behavior

4 gaps

2 CRIT1 HIGH1 MED

Classified:BTI-X01BTI-X02BTI-X04BTI-X05BTI-X08

Subprocessor Disclosure

GDPR Article 28 · CCPA 1798.140(v)CRITICAL

They Claim

“Subprocessor list shows 5 vendors (AWS, GCP, Snowflake, Azure, Cognizant)”

Observed Behavior

Runtime scan detects 21+ third-party vendors receiving data including Clearbit, Criteo, Marketo, Salesloft, Bizible, Wistia, TrenDemon, Pubrio, Intellimize

Comparison of https://liveramp.com/legal/subprocessors/ against runtime detection on liveramp.com

Privacy Marketing Claims

FTC Section 5 (Deceptive Practices)HIGH

They Claim

“We put people first...consumer privacy a priority”

Observed Behavior

Website deploys aggressive tracking stack including identity resolution and retargeting before user consent

Competitive Intelligence Risk

MEDIUM

They Claim

“LiveRamp is a neutral identity resolution platform”

Observed Behavior

Uses competing identity vendor (Clearbit/HubSpot) to identify visitors, potentially feeding prospect data to competitor ecosystem

Clearbit detected pre-consent on liveramp.com

Customer Impact

What This Means For You

If LiveRamp powers your identity resolution and audience targeting, you are trusting the backbone of 92% of the advertising ecosystem. LiveRamp discloses only 5 subprocessors (AWS, GCP, Snowflake, Azure, Cognizant) while 21+ vendors are detected at runtime on liveramp.com — including Clearbit, a competitor identity resolution vendor owned by HubSpot. Under GDPR Art 28, this material subprocessor gap means you cannot verify the full data processing chain. LiveRamp's deployment of Clearbit on their own site means marketers evaluating LiveRamp are being identified by a competing identity platform, raising questions about data practice symmetry. With 600+ advertiser connections, your audience data flows through the largest identity resolution network — any systemic privacy gap has industry-wide implications.

Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use LiveRamp

→Audit your consent implementation against LiveRamp's own pre-consent behavior — if they cannot maintain compliance on their own site, review their handling of your data
→Compare your DPA and subprocessor list against LiveRamp's actual vendor stack — 21+ detected versus 5 disclosed is a material gap
→Request evidence of consent capture for any LiveRamp-processed data flowing through your identity resolution workflows
→Consider whether competitor identity vendors (Clearbit/HubSpot) receiving your prospect data through LiveRamp's site visits is acceptable risk
→Verify LiveRamp's data retention and deletion practices align with your contractual requirements

If You're Evaluating LiveRamp

→Request complete subprocessor list beyond the 5 infrastructure providers — 21+ vendors at runtime is a critical disclosure gap
→Ask specifically about the Clearbit deployment on liveramp.com — why does an identity resolution company use a competitor's identity resolution?
→Verify consent architecture for data onboarding workflows and cross-device matching before procurement
→Assess whether LiveRamp's central position in the ad ecosystem (92% coverage) creates concentration risk for your identity strategy
→Negotiate robust audit rights given the scale and criticality of identity data flowing through their platform

Negotiation Leverage

→Subprocessor reconciliation: 5 disclosed versus 21+ detected including Clearbit (competitor identity resolution), Criteo, Marketo, and TrenDemon. Require complete enumeration of all data recipients on liveramp.com and any data sharing that affects your audience data.
→Clearbit competitor exposure: LiveRamp deploys Clearbit (HubSpot-owned) on their own site, meaning your prospect evaluations are visible to a competitor ecosystem. Require written explanation of this relationship and contractual guarantee your data does not flow to competing identity platforms.
→Consent chain verification: As the identity backbone for 92% of ad ecosystem, consent provenance is critical. Require documented consent chain for all data processed through LiveRamp on your behalf under GDPR Art 7.
→Pre-consent SLA: 10 vendors fire pre-consent on liveramp.com. Require contractual guarantee that LiveRamp's data processing respects your consent signals with zero pre-consent activity.
→Data flow audit rights: Require quarterly right to audit which parties receive your audience data through LiveRamp's 600+ advertiser network, with right to restrict specific data flows.

Runtime Detections

7 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C01Defeat Device

Evasion infrastructure, auditor bypass

BTI-C06Behavioral Biometrics

Keystroke/mouse tracking

BTI-C07Session Recording

Full session replay

BTI-C09Consent Bypass

Ignoring CMP signals

BTI-C10Fingerprinting

Device identification

BTI-C14Identity Resolution

PII deanonymization

BTI-C15Tag Manager

Container/loader (neutral)

IOC Manifest

12 INDICATORS

Indicators of compromise across 3 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

No indicators in this category

Ecosystem

Ecosystem & Supply Chain

LiveRamp occupies a central position in the ad-tech supply chain as an identity resolution and data connectivity infrastructure provider. They enable data onboarding, audience matching, and cross-platform measurement for brands, agencies, publishers, and ad-tech platforms. Key integrations: Disney, Hulu, Pinterest, Snap, Spotify, Netflix, TikTok, and 600+ advertisers through their data marketplace. Cloud partnerships with AWS, GCP, Snowflake, and Azure. On their own site, they are LOADED BY: GoogleTagManager (container), Ketch (consent management). They LOAD: Clearbit (identity resolution - pre-consent), Criteo (retargeting - pre-consent), Google Analytics 4, DoubleClick, Marketo, Salesloft, Bizible, Wistia, TrenDemon, Intellimize, Pubrio, and others. This creates a data flow where visitor intent signals from a leading identity resolution vendor flow to competitor identity systems.

Commonly Deployed With

Rubicon Googletagmanager Googleanalytics4 Linkedinads Doubleclick Metapixel Tradedesk Marketo Bing Ads Reddit

Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

14 detection signatures across scripts, domains, cookies, and network endpoints