How This Briefing Works
This dossier opens with key findings, then maps the gap between what Rubicon Project discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection evidence underneath. BLACKOUT observes runtime browser behavior and cites the regulations that address each pattern — legal determinations are your counsel's call.
At a Glance
across 17 sites
vendor fires before consent
1 HIGH
Briefing
Magnite (formerly Rubicon Project) is the largest independent sell-side advertising platform, formed from the 2020 merger of Rubicon Project and Telaria. Operating as a major SSP with 4.7B daily impressions globally, Magnite powers programmatic advertising across CTV, display, and video. While positioning itself as a transparent, publisher-focused platform, runtime analysis reveals 21.7% pre-consent tracking and their own website deploys 13+ third-party trackers before user consent. The company openly discloses data selling for targeted advertising and claims 90-day retention with GPC support.
What This Means For You
If Magnite (Rubicon Project) handles your programmatic advertising, their SSP processes 4.7 billion daily impressions while operating a 21.7% pre-consent rate and openly disclosing data selling for targeted advertising. Under CCPA §1798.115, you must disclose data sale relationships — Magnite's transparency about selling is notable but creates disclosure obligations for you. Their 75+ data partner integrations and 86.5 million advertiser connections mean your publisher inventory data, audience segments, and pricing signals traverse an extensive infrastructure. No subprocessor list is published while 13+ vendors fire pre-consent on magnite.com including Demandbase, Hotjar, and TrenDemon. Their claimed 90-day retention period and GPC support are positive, but the pre-consent behavior and missing subprocessor disclosure create compliance gaps.
Risk Channel Breakdown
As a major SSP processing billions of impressions daily, Magnite sits at a critical junction in the ad tech supply chain. Measurement corruption can occur when bid stream data leaks advertiser intent signals before campaigns execute, enabling competitors to intercept demand signals.
Magnite's integration with 75+ data partners and 86.5M advertisers creates extensive data flow pathways. Publisher inventory data, audience segments, and pricing signals traverse their infrastructure, creating potential for demand signal leakage to competing buyers or platforms.
With 3K+ direct integrations and operations in 190 countries, Magnite's technical footprint represents significant attack surface. Their acquisition history (SpotX, SpringServe) means legacy codebases and integration points that may harbor security inconsistencies.
Despite GDPR compliance claims and Data Privacy Framework participation, 21.7% of Rubicon detections show pre-consent firing. Their own website exhibits consent banner violations by loading 13+ tracking vendors before user interaction, contradicting their stated privacy commitments.
Threat Indicators
Runtime-observed (BTI-C)
Evasion infrastructure, auditor bypass
Keystroke/mouse tracking
Full session replay
Ignoring CMP signals
Device identification
Long-lived identifiers
PII deanonymization
Container/loader (neutral)
Claims-vs-Reality (BTI-X)
Not in privacy policy
Hidden data recipients
False certification claims
Collection exceeds disclosed scope
Per-code narrative explanations of what each detected behavior means for your organization
Per-code evidence with full attribution chain, severity rankings, and consequence narratives See pricing →
Claims vs. Reality
BLACKOUT analyzed Rubicon Project's public claims against observed runtime behavior and identified 3 contradictions.
"No specific subprocessor list provided"
13+ third-party vendors detected on their own website firing pre-consent
2 more gaps — with regulatory citations and evidence pointers — available with subscription.
Full claim-vs-reality gap analysis with claim text, observed behavior, severity, regulatory citations (GDPR, CCPA, ePrivacy), and evidence pointers per gap See pricing →
What To Do
5 for current users · 5 for evaluators
contractual leverage points
Role-specific actions (security / legal / marketing / procurement), full negotiation brief with contractual language, and BTI-code-specific consequences See pricing →
Supply Chain & Pairings
googletagmanager, googleanalytics4, linkedinads…
Full supply-chain mapping (loads / loaded-by lists with vendor identities) and the undisclosed-subprocessor list with observation evidence See pricing →