How This Briefing Works
This dossier opens with key findings, then maps the gap between what Bluecava discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection evidence underneath. BLACKOUT observes runtime browser behavior and cites the regulations that address each pattern — legal determinations are your counsel's call.
At a Glance
across 1 sites
vendor fires before consent
1 CRIT · 2 HIGH
Briefing
BlueCava is a device fingerprinting and identity resolution technology now owned by Adstra (formerly ALC, Inc.). Originally founded in 2010 with $39.2M in funding led by Mark Cuban, BlueCava pioneered probabilistic device fingerprinting to identify unique device signatures across the internet. The technology enables cross-device tracking and household-level identity resolution. Critical findings include explicit rejection of Do Not Track signals, 50% pre-consent tracking rate despite GDPR/CCPA compliance claims, and no available security documentation or SOC2 certification.
What This Means For You
YOUR users are being fingerprinted by technology designed to persist identification across cookie deletion and private browsing. YOUR privacy controls including Do Not Track signals are explicitly ignored by BlueCava's documented policy. YOUR data processing agreements likely cannot specify downstream recipients because BlueCava shares data with vaguely defined Clients, Business Partners, and affiliates — making YOUR GDPR Article 30 records of processing incomplete. If BlueCava's device fingerprints appear on YOUR properties, YOUR users have no effective way to opt out of cross-device tracking.
Risk Channel Breakdown
BlueCava corrupts measurement by enabling cross-device attribution that conflates distinct users into household graphs. Their identity resolution technology infers relationships between devices, potentially attributing conversions to the wrong touchpoints or inflating reach metrics through device-level deduplication that may not reflect actual user journeys.
Device fingerprints and advertising IDs are shared with undefined Clients and Business Partners. The vague subprocessor disclosure creates risk that demand signals (which sites users visit, purchase intent) flow to competitors or data brokers without site owner knowledge or control.
Device fingerprinting technology creates persistent tracking surface that survives cookie deletion. The bluecava.com opt-out page reveals they generate unique device IDs that can only be reset (not deleted), maintaining a permanent attack vector. The 18-month retention period extends exposure window significantly.
Explicit rejection of DNT/GPC signals while claiming GDPR/CCPA compliance creates legal exposure. The 50% pre-consent tracking rate contradicts consent requirements. Organizations using BlueCava inherit liability for these consent violations and the gap between disclosed and actual data practices.
Threat Indicators
Runtime-observed (BTI-C)
Evasion infrastructure, auditor bypass
Ignoring CMP signals
Device identification
PII deanonymization
Claims-vs-Reality (BTI-X)
Hidden data recipients
False certification claims
Tracking continues after opt-out
Collection exceeds disclosed scope
Gated or missing due diligence docs
Per-code narrative explanations of what each detected behavior means for your organization
Per-code evidence with full attribution chain, severity rankings, and consequence narratives See pricing →
Claims vs. Reality
BLACKOUT analyzed Bluecava's public claims against observed runtime behavior and identified 4 contradictions.
"GDPR and CCPA compliant"
50% pre-consent tracking rate detected; explicit rejection of Do Not Track signals
3 more gaps — with regulatory citations and evidence pointers — available with subscription.
Full claim-vs-reality gap analysis with claim text, observed behavior, severity, regulatory citations (GDPR, CCPA, ePrivacy), and evidence pointers per gap See pricing →
What To Do
4 for current users · 4 for evaluators
contractual leverage points
Role-specific actions (security / legal / marketing / procurement), full negotiation brief with contractual language, and BTI-code-specific consequences See pricing →
Supply Chain & Pairings
Full supply-chain mapping (loads / loaded-by lists with vendor identities) and the undisclosed-subprocessor list with observation evidence See pricing →