Bluecava

BlueCava corrupts measurement by enabling cross-device attribution that conflates distinct users into household graphs. Their identity resolution technology infers relationships between devices, potentially attributing conversions to the wrong touchpoints or inflating reach metrics through device-level deduplication that may not reflect actual user journeys.

Device fingerprints and advertising IDs are shared with undefined Clients and Business Partners. The vague subprocessor disclosure creates risk that demand signals (which sites users visit, purchase intent) flow to competitors or data brokers without site owner knowledge or control.

Device fingerprinting technology creates persistent tracking surface that survives cookie deletion. The bluecava.com opt-out page reveals they generate unique device IDs that can only be reset (not deleted), maintaining a permanent attack vector. The 18-month retention period extends exposure window significantly.

Explicit rejection of DNT/GPC signals while claiming GDPR/CCPA compliance creates legal exposure. The 50% pre-consent tracking rate contradicts consent requirements. Organizations using BlueCava inherit liability for these consent violations and the gap between disclosed and actual data practices.