How This Briefing Works
This report opens with key findings, then maps the gaps between what Relevant Digital discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Pre-Consent Activity
Relevant Digital was observed loading and executing before user consent was obtained on 7% of sites where it was detected.
Claims vs. Observed Behavior
pending
“Unknown”
Requires claims extraction via CDT
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use Relevant Digital
- →Require data processing addendum with explicit cross-domain tracking and tag injection disclosure
- →Demand consent framework integration that blocks ID syncing until user acceptance
- →Implement audience targeting minimization to reduce behavioral profiling scope
- →Configure campaign delivery to balance behavioral and contextual targeting
- →Establish retention limits for visitor profiles and identity graphs
If You're Evaluating Relevant Digital
- →Test consent mechanism to verify DSP tracking respects publisher consent frameworks
- →Verify geographic data processing boundaries for GDPR compliance in EU campaigns
- →Review tag injection capabilities and change control processes for tracking modifications
- →Assess bidstream data sharing with exchanges and third-party enrichment platforms
- →Request disclosure of secondary campaign data use for vendor intelligence or platform optimization
Negotiation Leverage
- →Relevant Digital deploys cross-domain tracking and tag injection across programmatic inventory—demand contractual liability protection for GDPR/CCPA violations and explicit DPA terms
- →Full campaign visibility exposes targeting strategy and media allocation to vendor infrastructure—negotiate limits on secondary data use for competitive intelligence
- →Tag injection capability allows tracking modifications without advertiser approval—require change control processes and tag deployment audit rights
- →Audience attribution signals may distort campaign performance measurement—establish baseline methodology for programmatic effectiveness
- →Legal tail risk of 100% reflects programmatic infrastructure requirements—evaluate whether DSP targeting capabilities justify regulatory exposure or consider privacy-preserving alternatives like contextual-only bidding
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
Evasion infrastructure, auditor bypass
Impact: Relevant Digital can detect ad verification tools and alter tracking behavior during brand safety assessments, masking production data collection.
Keystroke/mouse tracking
Impact: Ad interaction patterns and engagement signals create behavioral profiles for audience targeting and campaign optimization.
Identity stitching
Impact: Identity synchronization across publisher properties enables visitor tracking throughout programmatic ecosystem for retargeting.
Ignoring CMP signals
Impact: DSP tracking infrastructure processes visitor data regardless of publisher consent state, collecting behavioral signals before permission.
Device identification
Impact: Device and browser fingerprinting creates persistent identifiers for cross-site audience targeting and frequency capping.
Container/loader (neutral)
Impact: Dynamic tag injection allows real-time modification of tracking scope across campaigns without advertiser security review.
IOC Manifest
Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
Complete network capture with all requests and responses
155 detection signatures across scripts, domains, cookies, and network endpoints