All Vendors
advertising
Rubicon Project

Rubicon Project

Largest independent SSP processing 4.7 billion daily impressions with 21.7% pre-consent tracking rate. Openly discloses selling data for targeted advertising while providing no subprocessor list. 13+ third-party trackers fire pre-consent on magnite.com including Demandbase, Hotjar, and TrenDemon.

148 IOCs23 detections22% pre-consent19 sites
90
Vendor Risk Score

How This Briefing Works

This report opens with key findings, then maps the gaps between what Rubicon Project discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

Key Findings

23 detections across 19 sites22% pre-consent activity
HIGH

Pre-Consent Activity

Rubicon Project was observed loading and executing before user consent was obtained on 22% of sites where it was detected.

GDPRePrivacy
HIGH

Transparency

13+ third-party vendors detected on their own website firing pre-consent

GDPR Art 28CCPA 1798.110
HIGH

Undisclosed Party

Not in privacy policy

HIGH

Undisclosed Sharing

Hidden data recipients

HIGH

Compliance Claim Mismatch

False certification claims

Disclosure Gaps

Claims vs. Observed Behavior

3 gaps
1 HIGH2 MED
Classified:BTI-X01BTI-X02BTI-X05BTI-X08

Transparency

GDPR Art 28 · CCPA 1798.110HIGH
They Claim

No specific subprocessor list provided

Observed Behavior

13+ third-party vendors detected on their own website firing pre-consent

Runtime scan of magnite.com shows Demandbase, Hotjar, LinkedIn, Marketo, TrenDemon, and others

Data Selling

CCPA 1798.120MEDIUM
They Claim

Openly discloses data selling

Observed Behavior

Sells user data for targeted advertising

Privacy policy states: selling or processing of User Information for purposes of targeted advertising

Customer Impact

What This Means For You

If Magnite (Rubicon Project) handles your programmatic advertising, their SSP processes 4.7 billion daily impressions while operating a 21.7% pre-consent rate and openly disclosing data selling for targeted advertising. Under CCPA §1798.115, you must disclose data sale relationships — Magnite's transparency about selling is notable but creates disclosure obligations for you. Their 75+ data partner integrations and 86.5 million advertiser connections mean your publisher inventory data, audience segments, and pricing signals traverse an extensive infrastructure. No subprocessor list is published while 13+ vendors fire pre-consent on magnite.com including Demandbase, Hotjar, and TrenDemon. Their claimed 90-day retention period and GPC support are positive, but the pre-consent behavior and missing subprocessor disclosure create compliance gaps.
Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use Rubicon Project

  • Audit your consent implementation to ensure Rubicon/Magnite pixels fire only after consent — 21.7% pre-consent rate across the industry
  • Review data processing agreements for explicit subprocessor enumeration — Magnite publishes no subprocessor list
  • Implement server-side integration where possible to control data exposure through the bid stream
  • Monitor bid stream for unauthorized data collection that could leak your audience intelligence to competitors
  • Update your privacy policy to disclose Magnite's data selling practices if using their programmatic services

If You're Evaluating Rubicon Project

  • Request complete subprocessor list and DPA before integration — the absence of a published list is a transparency gap
  • Verify consent flow compatibility with your CMP and test that Magnite honors GPC opt-out signals
  • Assess if 90-day data retention aligns with your data minimization requirements under GDPR Art 5(1)(e)
  • Consider their open data selling disclosure implications for your organization's privacy posture
  • Compare pre-consent compliance against alternative SSPs for reduced consent architecture risk

Negotiation Leverage

  • Subprocessor list requirement: Magnite provides no subprocessor list while 13+ vendors fire pre-consent on their site. Require complete enumeration of all data processing partners as a baseline contract condition.
  • Pre-consent SLA: 21.7% pre-consent rate. Require contractual guarantee that Magnite pixels fire only after consent on your property with GPC signal compliance verification.
  • Data sale transparency: Magnite openly discloses data selling. Require contractual specification of exactly what data categories from your property are sold and to which recipients, with right to opt out of specific data partnerships.
  • Bid stream protection: As a major SSP, bid stream data contains valuable audience intelligence. Require contractual protections against unauthorized data collection from bid requests originating from your inventory.
  • Retention limitation: Magnite claims 90-day retention. Require contractual commitment with audit verification that data from your property is deleted within the stated retention period.
Runtime Detections

Runtime Detections

8 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C01Defeat Device

Evasion infrastructure, auditor bypass

BTI-C06Behavioral Biometrics

Keystroke/mouse tracking

BTI-C07Session Recording

Full session replay

BTI-C09Consent Bypass

Ignoring CMP signals

BTI-C10Fingerprinting

Device identification

BTI-C13Persistence Mechanisms

Long-lived identifiers

BTI-C14Identity Resolution

PII deanonymization

BTI-C15Tag Manager

Container/loader (neutral)

IOC Manifest

IOC Manifest

143 INDICATORS

Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

TRACK
*www.magnite.com/wp-content/plugins/searchwp-live-ajax-search/assets/javascript/dist/script.js*
Tracking script
TRACK
*www.magnite.com/wp-content/themes/magnite-rebuild/assets/main.js*
Tracking script
TRACK
*www.magnite.com/wp-content/themes/magnite-rebuild/assets/_chunk.BiMJC0lh.js*
Tracking script
TRACK
*www.magnite.com/wp-content/plugins/searchwp/assets/js/frontend/search-forms.js*
Tracking script
TRACK
*www.magnite.com/wp-includes/js/jquery/jquery.js*
Tracking script
TRACK
*www.magnite.com/wp-content/themes/magnite-rebuild/assets/_chunk.BpJuBn8R.js*
Tracking script
TRACK
*www.magnite.com/wp-content/themes/magnite-rebuild/assets/_chunk.BKJJFns1.js*
Tracking script
TRACK
*www.magnite.com/wp-content/plugins/sitepress-multilingual-cms/res/js/cookies/language-cookie.js*
Tracking script
TRACK
*www.magnite.com/wp-content/themes/magnite-rebuild/assets/_chunk.D7beO4zX.js*
Tracking script
TRACK
*www.magnite.com/wp-content/themes/magnite-rebuild/assets/_chunk.Bx2M1YVX.js*
Tracking script
TRACK
*www.magnite.com/wp-content/themes/magnite-rebuild/assets/_chunk.BB3eRF5A.js*
Tracking script
TRACK
*www.magnite.com/wp-content/themes/magnite-rebuild/assets/_chunk.CsJvyADC.js*
Tracking script
TRACK
*www.magnite.com/wp-content/themes/magnite-rebuild/assets/_chunk.DJSkLFXs.js*
Tracking script
TRACK
*www.magnite.com/wp-content/themes/magnite-rebuild/assets/_chunk.LfNAw1dd.js*
Tracking script
TRACK
*www.magnite.com/wp-content/themes/magnite-rebuild/assets/_chunk.xXzsAias.js*
Tracking script
TRACK
*www.magnite.com/wp-content/themes/magnite-rebuild/assets/_chunk.BvJChKk7.js*
Tracking script
TRACK
*www.magnite.com/wp-content/themes/magnite-rebuild/assets/_chunk.BjPa3afE.js*
Tracking script
TRACK
*www.magnite.com/wp-content/themes/magnite-rebuild/assets/_chunk.B8BqXKQm.js*
Tracking script
TRACK
*www.magnite.com/wp-content/themes/magnite-rebuild/assets/_chunk.D_4_hn_4.js*
Tracking script
TRACK
*www.magnite.com/wp-content/themes/magnite-rebuild/assets/_chunk.Cf3Ni8_Y.js*
Tracking script
TRACK
*www.magnite.com/wp-content/themes/magnite-rebuild/assets/_chunk.DxgYCWsv.js*
Tracking script
TRACK
*www.magnite.com/wp-content/themes/magnite-rebuild/assets/_chunk.DUe4Cf8C.js*
Tracking script
TRACK
*www.magnite.com/wp-content/themes/magnite-rebuild/assets/_chunk.D6_LSZ0f.js*
Tracking script
TRACK
*www.magnite.com/wp-content/themes/magnite-rebuild/assets/_chunk.OmulAZ5x.js*
Tracking script
TRACK
*www.magnite.com/wp-content/themes/magnite-rebuild/assets/_chunk.CgUwN7hj.js*
Tracking script
TRACK
*www.magnite.com/wp-content/themes/magnite-rebuild/assets/_chunk.DDAjt5Qx.js*
Tracking script
TRACK
*www.magnite.com/wp-content/themes/magnite-rebuild/assets/_chunk.mVKlhoAA.js*
Tracking script
TRACK
*www.magnite.com/wp-content/themes/magnite-rebuild/assets/_chunk.CegR8EeP.js*
Tracking script
TRACK
*www.magnite.com/wp-content/themes/magnite-rebuild/assets/_chunk.DlKwKMKN.js*
Tracking script
TRACK
www.magnite.com/wp-content/plugins/sitepress-multilingual-cms/res/js/cookies/language-cookie.js
Auto-extracted from scan
TRACK
www.magnite.com/wp-content/themes/magnite-rebuild/assets/main.js
Auto-extracted from scan
TRACK
www.magnite.com/wp-includes/js/jquery/jquery.min.js
Auto-extracted from scan
TRACK
www.magnite.com/wp-content/plugins/searchwp-live-ajax-search/assets/javascript/dist/script.min.js
Auto-extracted from scan
TRACK
www.magnite.com/wp-content/plugins/searchwp/assets/js/frontend/search-forms.min.js
Auto-extracted from scan
TRACK
www.magnite.com/wp-content/themes/magnite-rebuild/assets/_chunk.BiMJC0lh.js
Auto-extracted from scan
TRACK
www.magnite.com/wp-content/themes/magnite-rebuild/assets/_chunk.BpJuBn8R.js
Auto-extracted from scan
TRACK
www.magnite.com/wp-content/themes/magnite-rebuild/assets/_chunk.BKJJFns1.js
Auto-extracted from scan
TRACK
www.magnite.com/wp-content/themes/magnite-rebuild/assets/_chunk.D7beO4zX.js
Auto-extracted from scan
TRACK
www.magnite.com/wp-content/themes/magnite-rebuild/assets/_chunk.Bx2M1YVX.js
Auto-extracted from scan
TRACK
www.magnite.com/wp-content/themes/magnite-rebuild/assets/_chunk.BB3eRF5A.js
Auto-extracted from scan
TRACK
www.magnite.com/wp-content/themes/magnite-rebuild/assets/_chunk.CsJvyADC.js
Auto-extracted from scan
TRACK
www.magnite.com/wp-content/themes/magnite-rebuild/assets/_chunk.LfNAw1dd.js
Auto-extracted from scan
TRACK
www.magnite.com/wp-content/themes/magnite-rebuild/assets/_chunk.DJSkLFXs.js
Auto-extracted from scan
TRACK
www.magnite.com/wp-content/themes/magnite-rebuild/assets/_chunk.xXzsAias.js
Auto-extracted from scan
TRACK
www.magnite.com/wp-content/themes/magnite-rebuild/assets/_chunk.BvJChKk7.js
Auto-extracted from scan
TRACK
www.magnite.com/wp-content/themes/magnite-rebuild/assets/_chunk.BjPa3afE.js
Auto-extracted from scan
TRACK
www.magnite.com/wp-content/themes/magnite-rebuild/assets/_chunk.B8BqXKQm.js
Auto-extracted from scan
TRACK
www.magnite.com/wp-content/themes/magnite-rebuild/assets/_chunk.D_4_hn_4.js
Auto-extracted from scan
TRACK
www.magnite.com/wp-content/themes/magnite-rebuild/assets/_chunk.Cf3Ni8_Y.js
Auto-extracted from scan
TRACK
www.magnite.com/wp-content/themes/magnite-rebuild/assets/_chunk.DxgYCWsv.js
Auto-extracted from scan
TRACK
www.magnite.com/wp-content/themes/magnite-rebuild/assets/_chunk.DUe4Cf8C.js
Auto-extracted from scan
TRACK
www.magnite.com/wp-content/themes/magnite-rebuild/assets/_chunk.D6_LSZ0f.js
Auto-extracted from scan
TRACK
www.magnite.com/wp-content/themes/magnite-rebuild/assets/_chunk.OmulAZ5x.js
Auto-extracted from scan
TRACK
www.magnite.com/wp-content/themes/magnite-rebuild/assets/_chunk.CgUwN7hj.js
Auto-extracted from scan
TRACK
www.magnite.com/wp-content/themes/magnite-rebuild/assets/_chunk.DDAjt5Qx.js
Auto-extracted from scan
TRACK
www.magnite.com/wp-content/themes/magnite-rebuild/assets/_chunk.CegR8EeP.js
Auto-extracted from scan
TRACK
www.magnite.com/wp-content/themes/magnite-rebuild/assets/_chunk.mVKlhoAA.js
Auto-extracted from scan
TRACK
www.magnite.com/wp-content/themes/magnite-rebuild/assets/_chunk.DlKwKMKN.js
Auto-extracted from scan
Ecosystem

Ecosystem & Supply Chain

Magnite operates as the largest independent SSP in the programmatic ecosystem. They are loaded by publishers via header bidding wrappers (Prebid.js), ad servers, and direct integrations. Magnite connects publishers to DSPs and ad networks, processing bid requests and auction data. Their acquisition of SpotX (video SSP) and SpringServe (ad server) expanded their supply chain position. They integrate with 75+ data partners for audience enrichment and 3K+ direct publisher connections. On the buy side, 86.5M advertisers access inventory through Magnite's exchange.
Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

148 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details