QA mode · Tier:PUBLIC(override via ?tier=paid | premium)
← All Vendors
deanon
Bluecava

Bluecava

BlueCava, now owned by Adstra, pioneered device fingerprinting technology with $39.2M in funding — and explicitly rejects Do Not Track signals while maintaining a 50% pre-consent tracking rate and sharing data with undefined "Clients and Business Partners."

29 IOCs observed2 detections100% pre-consent1 sites
85
Vendor Risk Score
Tier: HOSTILE
Observation Coverage

BLACKOUT observes runtime behavior in the browser. This dossier reflects browser-side execution, which is one of five vendor data-egress classes. Server-to-server transfers, backend integrations, and offline data flows are outside this observation boundary.

BLACKOUT observes runtime behavior and cites the regulations that address that behavior pattern. Legal determinations are the customer's counsel's call.

How This Briefing Works

This dossier opens with key findings, then maps the gap between what Bluecava discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection evidence underneath. BLACKOUT observes runtime browser behavior and cites the regulations that address each pattern — legal determinations are your counsel's call.

Key Findings

At a Glance

Detections
2

across 1 sites

Pre-Consent Rate
100%

vendor fires before consent

Disclosure Gaps
4

1 CRIT · 2 HIGH

Claims-vs-Reality Classified
BTI-X02BTI-X05BTI-X07BTI-X08BTI-X12
Summary

Briefing

BlueCava is a device fingerprinting and identity resolution technology now owned by Adstra (formerly ALC, Inc.). Originally founded in 2010 with $39.2M in funding led by Mark Cuban, BlueCava pioneered probabilistic device fingerprinting to identify unique device signatures across the internet. The technology enables cross-device tracking and household-level identity resolution. Critical findings include explicit rejection of Do Not Track signals, 50% pre-consent tracking rate despite GDPR/CCPA compliance claims, and no available security documentation or SOC2 certification.

Customer Impact

What This Means For You

YOUR users are being fingerprinted by technology designed to persist identification across cookie deletion and private browsing. YOUR privacy controls including Do Not Track signals are explicitly ignored by BlueCava's documented policy. YOUR data processing agreements likely cannot specify downstream recipients because BlueCava shares data with vaguely defined Clients, Business Partners, and affiliates — making YOUR GDPR Article 30 records of processing incomplete. If BlueCava's device fingerprints appear on YOUR properties, YOUR users have no effective way to opt out of cross-device tracking.

Collapse Engine

Risk Channel Breakdown

Oracle
Truth Collapse
40

BlueCava corrupts measurement by enabling cross-device attribution that conflates distinct users into household graphs. Their identity resolution technology infers relationships between devices, potentially attributing conversions to the wrong touchpoints or inflating reach metrics through device-level deduplication that may not reflect actual user journeys.

Broker
Control Collapse
100

Device fingerprints and advertising IDs are shared with undefined Clients and Business Partners. The vague subprocessor disclosure creates risk that demand signals (which sites users visit, purchase intent) flow to competitors or data brokers without site owner knowledge or control.

Reaper
Safety Collapse
0

Device fingerprinting technology creates persistent tracking surface that survives cookie deletion. The bluecava.com opt-out page reveals they generate unique device IDs that can only be reset (not deleted), maintaining a permanent attack vector. The 18-month retention period extends exposure window significantly.

Counselor
Legitimacy Collapse
100

Explicit rejection of DNT/GPC signals while claiming GDPR/CCPA compliance creates legal exposure. The 50% pre-consent tracking rate contradicts consent requirements. Organizations using BlueCava inherit liability for these consent violations and the gap between disclosed and actual data practices.

BTI Codes

Threat Indicators

Runtime-observed (BTI-C)

BTI-C01
Defeat Device

Evasion infrastructure, auditor bypass

BTI-C09
Consent Bypass

Ignoring CMP signals

BTI-C10
Fingerprinting

Device identification

BTI-C14
Identity Resolution

PII deanonymization

Claims-vs-Reality (BTI-X)

BTI-X02
Undisclosed Sharing

Hidden data recipients

BTI-X05
Compliance Claim Mismatch

False certification claims

BTI-X07
Opt-Out Failure

Tracking continues after opt-out

BTI-X08
Scope Creep

Collection exceeds disclosed scope

BTI-X12
Assurance Gap

Gated or missing due diligence docs

5
BTI Consequences Identified

Per-code narrative explanations of what each detected behavior means for your organization

Available in VIDB Subscription

Per-code evidence with full attribution chain, severity rankings, and consequence narratives See pricing →

Disclosure Gaps

Claims vs. Reality

4
Gaps Observed
1 CRITICAL2 HIGH1 MEDIUM

BLACKOUT analyzed Bluecava's public claims against observed runtime behavior and identified 4 contradictions.

BTI-X02BTI-X05BTI-X07BTI-X08BTI-X12
Featured Gap
Consent Mechanism
CRITICAL
They Claim

"GDPR and CCPA compliant"

BLACKOUT Observed

50% pre-consent tracking rate detected; explicit rejection of Do Not Track signals

3 more gaps — with regulatory citations and evidence pointers — available with subscription.

Available in VIDB Subscription

Full claim-vs-reality gap analysis with claim text, observed behavior, severity, regulatory citations (GDPR, CCPA, ePrivacy), and evidence pointers per gap See pricing →

Recommended Actions

What To Do

Recommended Actions
8

4 for current users · 4 for evaluators

Negotiation Leverage
4

contractual leverage points

Available in VIDB Subscription

Role-specific actions (security / legal / marketing / procurement), full negotiation brief with contractual language, and BTI-code-specific consequences See pricing →

Ecosystem

Supply Chain & Pairings

Available in VIDB Subscription

Full supply-chain mapping (loads / loaded-by lists with vendor identities) and the undisclosed-subprocessor list with observation evidence See pricing →

Profile: bluecavaFirst Seen: 2026-01-22Last Updated: 2026-02-24