All Vendors
advertising

Mediamath

Programmatic advertising DSP with pre-consent pixel deployment and cross-site user tracking.

14 IOCs3 detections100% pre-consent2 sites
70
Vendor Risk Score

How This Briefing Works

This report opens with key findings, then maps the gaps between what Mediamath discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

Key Findings

3 detections across 2 sites100% pre-consent activity
CRITICAL

Pre-Consent Activity

Mediamath was observed loading and executing before user consent was obtained on 100% of sites where it was detected.

GDPRePrivacy
Disclosure Gaps

Claims vs. Observed Behavior

1 gaps

disclosure

MEDIUM
They Claim

Pending claims extraction

Observed Behavior

Counselor score (40) suggests consent mechanisms are bypassed. Privacy policy likely lacks specific disclosure of bid stream participants and cross-site tracking scope.

Customer Impact

What This Means For You

Removing MediaMath disrupts programmatic advertising campaigns and retargeting flows. Marketing loses granular attribution for display ad conversions. However, retention creates risk: GDPR complaints for unlawful processing, ePrivacy enforcement for non-compliant cookie use, revenue loss if major browsers block third-party cookies used by MediaMath.
Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use Mediamath

  • Gate all MediaMath pixels behind explicit consent for advertising cookies
  • Audit Data Processing Agreement for bid stream data sharing disclosures
  • Confirm MediaMath complies with IAB Transparency & Consent Framework
  • Review privacy policy for adequate disclosure of programmatic data flows

If You're Evaluating Mediamath

  • Require consent before any MediaMath script loads
  • Demand contractual limits on bid stream participant data access
  • Assess first-party data clean room alternatives to third-party cookie dependence
  • Consider server-side ad decisioning to reduce client-side tracking exposure

Negotiation Leverage

  • MediaMath contract permits sharing visitor data with "platform partners" - demand exhaustive partner list and sharing purpose limitations
  • Bid stream data persists in partner systems beyond MediaMath retention - negotiate contractual liability for downstream violations
  • Confirm MediaMath honor browser-based tracking opt-outs (GPC, DNT) and consent withdrawal requests
  • Request evidence of IAB TCF compliance and consent string validation before pixel activation
Runtime Detections

Runtime Detections

1 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C09Consent Bypass

Ignoring CMP signals

IOC Manifest

IOC Manifest

3 INDICATORS

Indicators of compromise across 3 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

No indicators in this category

Ecosystem

Ecosystem & Supply Chain

MediaMath connects to major ad exchanges, SSPs, and DMPs. User profiles flow through real-time bidding infrastructure where hundreds of partners receive visitor data. Often bundled with header bidding wrappers that amplify pre-consent exposure.
Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

14 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details