Rakutenadvertising | Vendor Intelligence

How This Briefing Works

This report opens with key findings, then maps the gaps between what Rakutenadvertising discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

1 detection across 1 site100% pre-consent activity

CRITICAL

Pre-Consent Activity

Rakutenadvertising was observed loading and executing before user consent was obtained on 100% of sites where it was detected.

GDPRePrivacy

HIGH

Pending Analysis

7 BTI behavioral codes detected across 1 detection on 1 site. Full claims extraction required for gap analysis.

Disclosure Gaps

Claims vs. Observed Behavior

1 gaps

1 HIGH

Pending Analysis

HIGH

They Claim

“Claims analysis pending”

Observed Behavior

7 BTI behavioral codes detected across 1 detection on 1 site. Full claims extraction required for gap analysis.

Customer Impact

What This Means For You

If Rakuten Advertising is deployed on your site, every visitor encounters 7 behavioral tracking codes before they can express consent preferences. The zero-cookie, fingerprinting-based approach means your CMP cannot effectively govern Rakuten's data collection — traditional cookie consent mechanisms do not cover fingerprinting and server-side identification. Your visitors' behavioral data flows into Rakuten Group's 1.6 billion member ecosystem, where it can be combined with data from their e-commerce, fintech, and telecom operations. Under GDPR, you are jointly responsible for ensuring valid consent for advertising tracking. Under the ePrivacy Directive, non-essential advertising tracking that fires pre-consent is a straightforward violation regardless of the technical mechanism used.

Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use Rakutenadvertising

→Verify whether your CMP can effectively govern Rakuten Advertising's cookieless tracking methods — standard cookie blocking is insufficient
→Audit the 8 scripts Rakuten deploys for undisclosed capabilities beyond affiliate attribution
→Review your privacy notice to confirm advertising network identity resolution is disclosed as a processing activity
→Test pre-consent behavior in EU/UK markets specifically — 100% pre-consent on advertising tracking is high-priority regulatory risk

If You're Evaluating Rakutenadvertising

→Request Rakuten Advertising's full data flow documentation showing what data enters Rakuten Group's broader ecosystem
→Assess whether affiliate attribution can be achieved via server-side integration without on-site JavaScript deployment
→Evaluate whether your affiliate revenue justifies the regulatory exposure of 7 BTI codes firing 100% pre-consent
→Review Rakuten Group's cross-subsidiary data sharing policies to understand where your visitor data may flow across their conglomerate

Negotiation Leverage

→100% pre-consent firing rate on advertising tracking — direct ePrivacy Directive violation in EU/UK markets with no defensible position
→Zero cookies with active fingerprinting (C10) indicates deliberate evasion of cookie-based consent governance — demand disclosure of all cookieless identification methods
→Rakuten Group operates a 1.6 billion member ecosystem across e-commerce, fintech, and telecom — demand clarity on cross-subsidiary data sharing for visitor data captured from your properties
→7 BTI codes including session recording and identity resolution go far beyond standard affiliate tracking — request contractual limitations to conversion attribution only
→Request evidence that Rakuten Advertising's cookieless tracking methods are compatible with your CMP and consent architecture

Runtime Detections

7 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C01Defeat Device

Evasion infrastructure, auditor bypass

Impact: Rakuten Advertising deploys evasion infrastructure that may alter behavior during compliance audits, making it difficult to verify the full scope of tracking during standard privacy assessments.

BTI-C06Behavioral Biometrics

Keystroke/mouse tracking

Impact: An advertising network collecting behavioral biometric data from your visitors creates enrichment signals that enhance ad targeting profiles — your visitors' interaction patterns improve Rakuten's advertising product.

BTI-C07Session Recording

Full session replay

Impact: Session replay on an advertising network means Rakuten can observe how visitors interact with your site beyond simple conversion tracking. This behavioral data feeds their broader advertising intelligence.

BTI-C09Consent Bypass

Ignoring CMP signals

Impact: 100% pre-consent firing rate means every visitor encounters Rakuten's full tracking stack before consent. In EU/UK markets, this is a direct ePrivacy Directive violation for non-essential advertising tracking.

BTI-C10Fingerprinting

Device identification

Impact: Zero cookies but active fingerprinting indicates deliberate cookieless tracking. This technique evades cookie consent mechanisms entirely, making traditional CMP-based governance ineffective.

BTI-C14Identity Resolution

PII deanonymization

Impact: PII deanonymization by an advertising network means your anonymous visitors are identified and added to Rakuten's advertising profiles. This data feeds a global ad network operated by a conglomerate with 1.6 billion members across its ecosystem.

BTI-C15Tag Manager

Container/loader (neutral)

Impact: Rakuten Advertising operates as a container/loader, deploying 8 scripts that may introduce additional tracking capabilities beyond the initial affiliate tag.

IOC Manifest

58 INDICATORS

Indicators of compromise across 3 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

TRACK

*rakutenadvertising.com/wp-content/themes/rakuten/dist/theme.js*

Tracking script

TRACK

*rakutenadvertising.com/wp-content/uploads/sites/2/*/10/wired-outline-169-scatter-chart-hover-common.json*

Tracking script

TRACK

*rakutenadvertising.com/wp-content/uploads/sites/2/*/09/wired-outline-*-artificial-intelligence-ai-alt-hover-pinch.json*

Tracking script

TRACK

*rakutenadvertising.com/wp-content/uploads/sites/2/*/10/wired-outline-*-marketing-campaign-hover-pinch.json*

Tracking script

TRACK

*rakutenadvertising.com/wp-content/uploads/sites/2/*/10/wired-outline-268-avatar-man-hover-glance.json*

Tracking script

TRACK

*rakutenadvertising.com/wp-content/uploads/sites/2/*/09/wired-outline-*-artificial-intelligence-ai-hover-pinch-1.json*

Tracking script

TRACK

*rakutenadvertising.com/wp-content/uploads/sites/2/*/10/wired-outline-27-globe-hover-rotate.json*

Tracking script

TRACK

*rakutenadvertising.com/wp-includes/js/wp-emoji-release.js*

Tracking script

TRACK

rakutenadvertising.com/wp-content/themes/rakuten/dist/theme.js

Auto-extracted from scan

TRACK

rakutenadvertising.com/wp-includes/js/wp-emoji-release.min.js

Auto-extracted from scan

Ecosystem

Ecosystem & Supply Chain

Rakuten Advertising is part of Rakuten Group, a Japanese conglomerate with a $10B+ market cap operating across e-commerce (Rakuten Ichiba), fintech (Rakuten Card, Rakuten Bank), telecom (Rakuten Mobile), and digital media (Rakuten Viber, Rakuten TV). The advertising division connects publishers and advertisers through affiliate marketing, display advertising, and attribution services. With a claimed ecosystem of 1.6 billion members globally, Rakuten Group has one of the largest first-party data pools in the world. Rakuten Advertising competes with CJ Affiliate, Impact, and Partnerize in the affiliate space.

Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

66 detection signatures across scripts, domains, cookies, and network endpoints