Bluecava

BlueCava, now owned by Adstra, pioneered device fingerprinting technology with $39.2M in funding — and explicitly rejects Do Not Track signals while maintaining a 50% pre-consent tracking rate and sharing data with undefined "Clients and Business Partners."

41 IOCs · 2 detections · 50% pre-consent · 2 sites

Vendor Risk Score: 85

How This Briefing Works

This report opens with key findings, then maps the gaps between what Bluecava discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

2 detections across 2 sites · 50% pre-consent activity · 1 critical disclosure gap

CRITICAL: Consent Mechanism

50% pre-consent tracking rate detected; explicit rejection of Do Not Track signals

GDPR Article 6 · CCPA 1798.135 · California Privacy Rights Act GPC requirements

CRITICAL: Pre-Consent Activity

Bluecava was observed loading and executing before user consent was obtained on 50% of sites where it was detected.

GDPR · ePrivacy

HIGH: Data Recipient Disclosure

Vague categories including Clients, Business Partners, subsidiaries with no specific list

GDPR Article 13 · GDPR Article 28

HIGH: Technology Scope

Cross-device fingerprinting, household identity graphs, persistent advertising IDs that survive cookie deletion

ePrivacy Directive Article 5(3)

HIGH: Undisclosed Sharing

Hidden data recipients

Disclosure Gaps

Claims vs. Observed Behavior

4 gaps: 1 CRIT · 2 HIGH · 1 MED
Classified: BTI-X02 · BTI-X05 · BTI-X07 · BTI-X08 · BTI-X12

Data Recipient Disclosure

GDPR Article 13 · GDPR Article 28 · HIGH
They Claim

Shares data with service providers

Observed Behavior

Vague categories including Clients, Business Partners, subsidiaries with no specific list

No subprocessor list available on website

Technology Scope

ePrivacy Directive Article 5(3) · HIGH
They Claim

Device identification for advertising

Observed Behavior

Cross-device fingerprinting, household identity graphs, persistent advertising IDs that survive cookie deletion

BlueCava opt-out page confirms identity of your device sharing and advertising ID generation

Security Assurance

GDPR Article 32 · MEDIUM
They Claim

None made

Observed Behavior

No security documentation, SOC2, or trust center available

Website audit found no security/compliance pages

Customer Impact

What This Means For You

YOUR users are being fingerprinted by technology designed to persist identification across cookie deletion and private browsing. YOUR privacy controls including Do Not Track signals are explicitly ignored by BlueCava's documented policy. YOUR data processing agreements likely cannot specify downstream recipients because BlueCava shares data with vaguely defined Clients, Business Partners, and affiliates — making YOUR GDPR Article 30 records of processing incomplete. If BlueCava's device fingerprints appear on YOUR properties, YOUR users have no effective way to opt out of cross-device tracking.
Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use Bluecava

  • Audit consent implementation — 50% pre-consent rate indicates consent mechanism failure for device fingerprinting
  • Update privacy policy to specifically disclose BlueCava/Adstra and the device fingerprinting capability
  • Implement GPC signal recognition — BlueCava rejects DNT but GPC has stronger legal backing under CCPA
  • Request specific named list of data recipients instead of vague Clients and Business Partners categories

If You're Evaluating Bluecava

  • Assess whether device fingerprinting aligns with your privacy posture — this technology is designed to circumvent user privacy controls
  • Request Adstra's complete data sharing partner list before any engagement
  • Compare with privacy-respecting alternatives that honor DNT and GPC signals
  • Verify regulatory compliance in all jurisdictions — device fingerprinting faces increasing regulatory scrutiny

Negotiation Leverage

  • Do Not Track rejection: BlueCava explicitly ignores DNT signals — use this documented policy to negotiate GPC (Global Privacy Control) signal recognition as a contract requirement
  • Device fingerprinting persistence: Technology designed to survive cookie deletion and private browsing — leverage for enhanced consent and opt-out requirements in your contract
  • Vague data recipients: Data shared with undefined Clients, Business Partners, and affiliates — require named recipient disclosure as a non-negotiable condition
  • 50% pre-consent rate: Half of tracking fires before consent — negotiate consent architecture requirements and contractual penalties for pre-consent data collection
Runtime Detections

4 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C01: Defeat Device

Evasion infrastructure, auditor bypass

BTI-C09: Consent Bypass

Ignoring CMP signals

BTI-C10: Fingerprinting

Device identification

BTI-C14: Identity Resolution

PII deanonymization

IOC Manifest

29 INDICATORS

Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

Category | Indicator | Description
TRACK | *bluecava.com/js/jquery-1.8.2.js* | Tracking script
TRACK | *bluecava.com/js/jquery.carouFredSel-6.2.1-packed.js* | Tracking script
TRACK | *bluecava.com/js/bluecava.js* | Tracking script
TRACK | *sync.graph.bluecava.com/js/bc.js* | Tracking script
TRACK | bluecava.com/js/jquery-1.8.2.min.js | Auto-extracted from scan
TRACK | bluecava.com/js/jquery.carouFredSel-6.2.1-packed.js | Auto-extracted from scan
TRACK | sync.graph.bluecava.com/js/bc.js | Auto-extracted from scan
TRACK | bluecava.com/js/bluecava.js | Auto-extracted from scan

Ecosystem

Ecosystem & Supply Chain

BlueCava operates as the device fingerprinting and identity resolution engine within the Adstra data platform. Supply chain position: BlueCava technology is typically loaded via ad tech integrations, tag managers, or direct script inclusion. It feeds device fingerprints and identity graphs to Adstra's broader data licensing and audience solutions. Downstream: Adstra clients in AdTech, agencies, brands, and publishers consume the identity data for targeting, attribution, and cross-device campaigns. The bluecava.com domain now serves solely as an opt-out mechanism, with all commercial operations consolidated under Adstra. Observed loading pattern: indirect (via other scripts/pixels), suggesting integration through tag management or ad platforms rather than direct deployment.
Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

41 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details