
Rokt

E-commerce relevance platform with session recording and behavioral biometrics. Extremely high CAC subsidization through real-time conversion data sharing.

7 IOCs · 4 detections · 50% pre-consent · 3 sites

Vendor Risk Score: 80

How This Briefing Works

This report opens with key findings, then maps the gaps between what Rokt discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.


Key Findings

4 detections across 3 sites · 50% pre-consent activity

CRITICAL: Pre-Consent Activity

Rokt was observed loading and executing before user consent was obtained on 50% of sites where it was detected.

GDPR · ePrivacy
Disclosure Gaps

Claims vs. Observed Behavior

1 gap (status: pending)

They Claim: Unknown

Observed Behavior: Requires claims extraction via CDT

Customer Impact

What This Means For You

Your checkout conversion-rate improvements come at the cost of training Rokt's cross-merchant model. Competitors using Rokt benefit from your transaction patterns: if you achieve a 5% conversion lift, they receive the same intelligence without paying your CPA.

Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use Rokt

  • Immediately verify PCI-DSS scope - session recording of payment flow triggers compliance expansion
  • Audit consent timing - recording must not start until after explicit opt-in
  • Request data segregation guarantees - your conversion data should not train competitor offers
  • Implement client-side filtering to block capture of PII/payment fields
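The consent-timing and pre-consent items above come down to one control: the vendor tag must not be injected until the CMP reports an explicit opt-in, and the site must be able to prove it. Below is an added example of such a gate, not Rokt's or BLACKOUT's code; the script URL, the TCF vendor id and the `__tcfapi` wiring are assumptions (it assumes an IAB TCF v2 CMP).

```javascript
// Added example, not Rokt's or BLACKOUT's code: inject a third-party tag only after an
// explicit opt-in and keep a timeline an auditor can check. URL and vendor id are placeholders.
const VENDOR_SCRIPT_URL = "https://vendor.example/tag.js";

function createConsentGate(options = {}) {
  const now = options.now || (() => Date.now());    // injectable clock (tests)
  const inject = options.inject || injectScriptTag; // injectable loader (tests)
  const state = { consented: false, consentedAt: null, loadedAt: null, blockedAttempts: 0 };
  return {
    // CMP callback: only the literal "granted" loads the tag; "denied", undefined
    // (CMP not ready) or anything else is counted as a blocked attempt.
    onConsent(decision) {
      if (decision !== "granted") { state.blockedAttempts += 1; return false; }
      if (state.loadedAt !== null) return false;     // already loaded: idempotent
      state.consented = true;
      state.consentedAt = now();
      inject(VENDOR_SCRIPT_URL);
      state.loadedAt = now();
      return true;
    },
    // For code paths that would otherwise load the tag eagerly (page load,
    // checkout step change): reports whether loading is allowed, never loads.
    requestLoad() {
      if (!state.consented) { state.blockedAttempts += 1; return false; }
      return true;
    },
    // Evidence for the consent-timing audit: loadedAt must never precede consentedAt.
    audit() {
      const preConsentLoad = state.loadedAt !== null &&
        (state.consentedAt === null || state.loadedAt < state.consentedAt);
      return { ...state, preConsentLoad };
    },
  };
}

function injectScriptTag(url) {
  if (typeof document === "undefined") return;     // not running in a browser
  const s = Object.assign(document.createElement("script"), { src: url, async: true });
  document.head.appendChild(s);
}

// Browser wiring, assuming an IAB TCF v2 CMP that exposes window.__tcfapi.
function wireToTcf(gate, vendorId) {
  if (typeof window === "undefined" || typeof window.__tcfapi !== "function") return false;
  window.__tcfapi("addEventListener", 2, (tcData, ok) => {
    if (!ok || !["tcloaded", "useractioncomplete"].includes(tcData.eventStatus)) return;
    const consents = (tcData.vendor && tcData.vendor.consents) || {};
    gate.onConsent(consents[vendorId] === true ? "granted" : "denied");
  });
  return true;
}
```

The `audit()` output is what you would attach to the consent-timing review: a non-null `loadedAt` with `preConsentLoad` true is exactly the pre-consent execution this briefing reports.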

If You're Evaluating Rokt

  • First-party A/B testing tools (Optimizely, VWO) with data isolation
  • Checkout optimization without session recording (heatmaps, funnel analysis)
  • On-premise recommendation engines with no cross-merchant data sharing

Negotiation Leverage

  • Session recording at checkout creates PCI-DSS liability - DPA must address compliance responsibility
  • Cross-merchant model means your data trains competitors - require data segregation or discount pricing
  • Behavioral biometrics require GDPR Article 9 consent - verify consent mechanism supports lawful basis
  • CAC subsidization score of 90 is top quartile - demand pricing that reflects the competitive-intelligence value

Runtime Detections

5 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C01: Defeat Device

Evasion infrastructure, auditor bypass

BTI-C06: Behavioral Biometrics

Keystroke/mouse tracking

Impact: Mouse movement and typing patterns constitute biometric data under GDPR Article 9. Requires explicit consent and heightened security controls.

BTI-C07: Session Recording

Full session replay

Impact: Checkout session capture may record credit card entry, creating PCI-DSS scope expansion and requiring encryption/tokenization controls.

BTI-C09: Consent Bypass

Ignoring CMP signals

Impact: Tracking initiates before the consent mechanism, creating strict liability under GDPR Article 82 (right to compensation).

BTI-C10: Fingerprinting

Device identification


IOC Manifest

4 INDICATORS

Indicators of compromise across 3 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.



Ecosystem & Supply Chain

Deploys at checkout across e-commerce platforms (Shopify, BigCommerce). Shares offer performance data across merchant network. Integrates with payment processors.

Loaded By (1)

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

7 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details