How This Briefing Works
This dossier opens with key findings, then maps the gap between what Rakutenadvertising discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection evidence underneath. BLACKOUT observes runtime browser behavior and cites the regulations that address each pattern — legal determinations are your counsel's call.
At a Glance
across 1 sites
vendor fires before consent
1 HIGH
Briefing
Rakuten Advertising is the affiliate and advertising network arm of Rakuten Group, a Japanese conglomerate with operations spanning e-commerce, fintech, telecom, and digital media. BLACKOUT runtime analysis reveals 7 BTI behavioral codes firing at a 100% pre-consent rate, including session recording (C07), identity resolution (C14), and consent bypass (C09). Despite deploying 8 scripts, Rakuten Advertising sets zero cookies — relying instead on fingerprinting (C10) and other cookieless identification methods that are harder for users to detect or block. This represents the next generation of advertising surveillance: persistent tracking without the cookie trail.
What This Means For You
If Rakuten Advertising is deployed on your site, every visitor encounters 7 behavioral tracking codes before they can express consent preferences. The zero-cookie, fingerprinting-based approach means your CMP cannot effectively govern Rakuten's data collection — traditional cookie consent mechanisms do not cover fingerprinting and server-side identification. Your visitors' behavioral data flows into Rakuten Group's 1.6 billion member ecosystem, where it can be combined with data from their e-commerce, fintech, and telecom operations. Under GDPR, you are jointly responsible for ensuring valid consent for advertising tracking. Under the ePrivacy Directive, non-essential advertising tracking that fires pre-consent is a straightforward violation regardless of the technical mechanism used.
Risk Channel Breakdown
Signal corruption score of 25 reflects Rakuten Advertising's impact on your measurement environment. Affiliate tracking that deploys session recording and behavioral biometrics captures data far beyond conversion attribution — your analytics picture is incomplete without accounting for this data flow.
CAC subsidization scores 100. Rakuten Advertising's cross-domain identity resolution feeds directly into their affiliate attribution network. Your visitor behavioral data is used to optimize Rakuten's advertising ecosystem, which serves your competitors as readily as it serves you.
Expands attack surface
Legal tail risk scores 100. An advertising network firing 100% pre-consent with identity resolution and fingerprinting creates maximum ePrivacy and GDPR exposure. Zero cookies deployed with 8 scripts suggests deliberate use of cookieless tracking methods designed to evade traditional consent mechanisms.
Threat Indicators
Runtime-observed (BTI-C)
Evasion infrastructure, auditor bypass
Keystroke/mouse tracking
Full session replay
Ignoring CMP signals
Device identification
PII deanonymization
Container/loader (neutral)
Per-code narrative explanations of what each detected behavior means for your organization
Per-code evidence with full attribution chain, severity rankings, and consequence narratives See pricing →
Claims vs. Reality
BLACKOUT analyzed Rakutenadvertising's public claims against observed runtime behavior and identified 1 contradiction.
Full claim-vs-reality gap analysis with claim text, observed behavior, severity, regulatory citations (GDPR, CCPA, ePrivacy), and evidence pointers per gap See pricing →
What To Do
4 for current users · 4 for evaluators
contractual leverage points
Role-specific actions (security / legal / marketing / procurement), full negotiation brief with contractual language, and BTI-code-specific consequences See pricing →
Supply Chain & Pairings
Full supply-chain mapping (loads / loaded-by lists with vendor identities) and the undisclosed-subprocessor list with observation evidence See pricing →