WebKit was recently updated to address the following issue:
“An attacker seeking to track site visitors can take advantage of the user’s HSTS cache to store one bit of information on that user’s device.”
The quote comes from an interesting and understandable technical blog post by Brent Fulgham.
It’s the same loophole used by Criteo and possibly other retargeters.
Said another way, your retargeting vendors are probably more akin to malicious attackers than they are to traditional agencies.
It pains me to see that the profession of marketing has devolved to the state where many advertisers have resorted to hacking customer and prospect computers.
Are you attacking your own customers with your retargeting efforts? And if you are, are you doing business in the EU or targeting EU citizens? Are you sure?
Bonus question: If you’re using Criteo or another retargeting vendor (not “partner”), do they contractually indemnify you for transgressions of GDPR? I’d read that contract today. May 28 is fast approaching.