All Vendors
advertising

Google Marketing Platform

Google Marketing Platform operates the largest cross-domain identity sync network in advertising — connecting your visitor data to DoubleClick, DV360, and Campaign Manager across every site in Google's ad ecosystem.

20 IOCs270 detections260 sites
90
Vendor Risk Score

How This Briefing Works

This report opens with key findings, then maps the gaps between what Google Marketing Platform discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

Key Findings

270 detections across 260 sites
HIGH

Pending Analysis

8 BTI behavioral codes detected including cross-domain sync. Full claims extraction required for gap analysis.

Disclosure Gaps

Claims vs. Observed Behavior

1 gaps
1 HIGH

Pending Analysis

HIGH
They Claim

Claims analysis pending

Observed Behavior

8 BTI behavioral codes detected including cross-domain sync. Full claims extraction required for gap analysis.

Customer Impact

What This Means For You

If GMP is on your site, your visitor behavioral data feeds directly into Google's advertising auction infrastructure. Cross-domain identity synchronization means visitors you identify on your site can be targeted by competitors across Google's entire ad network — your first-party data becomes a shared resource in the advertising ecosystem. While GMP's 0% pre-consent rate suggests consent-aware deployment, the downstream data flows through Google's identity graph extend far beyond what most consent notices disclose. Your DPA with Google may not cover all the ways GMP connects your visitor data to third-party advertising systems.
Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use Google Marketing Platform

  • Audit all GMP tags deployed on your properties — enumerate conversion pixels, remarketing tags, and audience signals
  • Review your Google DPA to verify it covers cross-domain identity sync data flows through DoubleClick and DV360
  • Implement GMP restricted data processing mode for visitors in regulated jurisdictions
  • Verify your consent notice explicitly discloses cross-domain tracking and identity synchronization
  • Monitor GMP's data sharing settings and disable audience sharing features you have not explicitly authorized

If You're Evaluating Google Marketing Platform

  • Assess whether GMP's cross-domain sync creates joint controller obligations under GDPR Article 26
  • Evaluate server-side conversion tracking to reduce client-side data exposure to Google's network
  • Request transparency report from Google on where your GMP data flows within their advertising ecosystem
  • Consider whether GMP's identity resolution capabilities exceed what your privacy policy discloses to visitors

Negotiation Leverage

  • 0% pre-consent firing rate demonstrates consent-aware deployment is technically achievable — use this as a benchmark for all other advertising vendors on your stack.
  • Cross-domain identity synchronization (BTI-C08) means your visitor data flows beyond your site boundary into Google's broader ad network — verify your DPA explicitly covers these flows.
  • 270 detections across 260 sites shows near-universal deployment in enterprise advertising stacks — regulators are building enforcement expertise against exactly this pattern.
  • 8 BTI behavioral codes detected despite 0% pre-consent rate — consent-aware firing does not eliminate the downstream data flow risks through Google's identity graph.
  • Signal corruption score of 40 reflects GMP's role in creating measurement dependency — your attribution data is inseparable from Google's advertising intelligence unless you deploy independent measurement.
Runtime Detections

Runtime Detections

8 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C01Defeat Device

Evasion infrastructure, auditor bypass

Impact: GMP exhibits consent-state-dependent behavior patterns — the platform adapts its data collection based on detected audit conditions, meaning compliance reviews may not reflect production behavior.

BTI-C06Behavioral Biometrics

Keystroke/mouse tracking

Impact: GMP's conversion tracking captures interaction patterns beyond click events, building behavioral profiles that inform ad targeting across Google's network.

BTI-C07Session Recording

Full session replay

Impact: GMP's event-level tracking reconstructs detailed user journeys including page sequences, interaction timing, and conversion paths — equivalent to session-level behavioral records.

BTI-C08Cross-Domain Sync

Identity stitching

Impact: GMP synchronizes visitor identities across domains through cookie matching and identity graph integration — your visitors are tracked across the entire Google advertising ecosystem regardless of your site boundaries.

BTI-C10Fingerprinting

Device identification

Impact: GMP collects device and browser signals that contribute to fingerprinting capabilities, enabling visitor identification that persists beyond cookie-based tracking.

BTI-C13Persistence Mechanisms

Long-lived identifiers

Impact: GMP deploys long-lived identifiers across Google's domain infrastructure, creating persistent tracking that operates independently of your site's cookie policies.

BTI-C14Identity Resolution

PII deanonymization

Impact: GMP's integration with Google's identity graph links anonymous advertising interactions to authenticated Google account identities, creating PII-linked behavioral profiles from ad impressions.

BTI-C15Tag Manager

Container/loader (neutral)

Impact: GMP tags are typically deployed through GTM, creating a layered infrastructure where container governance gaps compound with advertising platform data flows.

IOC Manifest

IOC Manifest

17 INDICATORS

Indicators of compromise across 3 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

TRACK
*marketingplatform.google.com/about/static/js/detect.js*
Tracking script
TRACK
*marketingplatform.google.com/about/static/js/analytics.js*
Tracking script
TRACK
*marketingplatform.google.com/about/static/js/index.js*
Tracking script
TRACK
marketingplatform.google.com/about/static/js/detect.min.js
Auto-extracted from scan
TRACK
marketingplatform.google.com/about/static/js/index.min.js
Auto-extracted from scan
TRACK
marketingplatform.google.com/about/static/js/analytics.min.js
Auto-extracted from scan
Ecosystem

Ecosystem & Supply Chain

Google Marketing Platform is the enterprise tier of Google's advertising infrastructure, tightly integrated with Google Ads, Google Analytics 4, and Google Tag Manager. GMP connects to the DoubleClick ad exchange, DV360 demand-side platform, Campaign Manager for ad serving, and Search Ads 360 for search campaign management. The platform operates Google's identity graph which correlates user data across all Google properties and the broader ad exchange network. GMP is commonly deployed alongside GA4 for measurement and GTM for tag orchestration, creating a vertically integrated data pipeline from page view to ad auction.
Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

20 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details