The Blue Cava Webinar: Everything I feared (and more)

UPDATE: The enforcement group of the Digital Advertising Alliance brought action against Blue Cava based on the some of the issues outlined in this post, which resulted in policy changes.

Today I listened in on a sales webinar for Blue Cava, which provides device fingerprinting services that identify a user’s machine based not on cookies, but unique and immutable characteristics of the device and browser. The privacy implications are controversial because Blue Cava works expressly to frustrate consumer choice when it comes to tracking — deleting or blocking cookies through normal browser processes doesn’t work to stop it; the only way to do so is to use an opt-out process on the Blue Cava site.

• As expected, outside of fraud prevention, the chief business benefit is increased ad effectiveness relative to cookie-based targeting. Not a surprise, since you’re tracking people who don’t think they’re being tracked.
• Blue Cava also is developing their own repository of behavioral data (across all installations), which is associated with their device ID.
• Installation sounds simple — just add Javascript tags to your pages or ads, then Blue Cava will pass you a unique identifier when the item loads. The website (or advertiser) then can positively identify the user and customize ads on that basis.
• Blue Cava works on any device, although it isn’t clear whether they need the same fancy methods for a mobile device, to the extent they can use the built-in mobile identifier.
• Blue Cava also promises to associate multiple devices with the same person or household, by attaching the IP address to the Blue Cava identifier. So, your behavior on one device now is associated with other devices from your home or office. Surprisingly, this particularly invasive practice isn’t even described in Blue Cava’s own privacy policy.
• They characterized their opt-out process as superior because it is more persistent than cookies, although we don’t now much about how they enforce the opt-out on the back-end, and their policy stipulates they won’t ever let you opt-out of fraud detection. In their words: “we don’t let you opt out of certain tracking activities that we use to define the reputation status of a device. When a device does good things and bad things we keep a record of it.” Also, they don’t currently provide opt-out applications for the mobile devices that they track (just browsers).
• Biggest surprise in the call: Blue Cava assured listeners that, in most cases, their kind of tracking can be added to a website without any change to the site’s privacy policy. That’s ludicrous, and it’s terribly risky advice to be giving to your potential customers.

Bottom line: Blue Cava’s marketing technology is a bad idea for consumers, and one which threatens to undermine industry progress toward enhanced notice-and-choice. Companies using Blue Cava will put their brand at risk; our spider already watches thousands of sites for Blue Cava server interactions, and we won’t be shy about calling them out. There’s also little question that for a site to implement Blue Cava without express and clear disclosure will not only only turn off consumers, but also risks serious legal blowback.

Read more about why websites need to make careful decisions about tracking  partners >>