Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Oracle Eloqua is an enterprise B2B marketing automation platform that uses a JavaScript tracking script and first party cookies to profile visitors, link form submissions to known contacts and orchestrate multi channel campaigns.
Oracle Eloqua is an enterprise grade B2B marketing automation platform owned by Oracle. It supports lead management, email marketing, multi channel campaign orchestration, dynamic content, lead scoring and integration with CRM systems such as Oracle CX, Salesforce and Microsoft Dynamics. Eloqua is typically deployed by mid market and enterprise organisations with complex B2B sales cycles where marketing teams need to nurture leads over weeks or months and pass qualified contacts to sales.
The Eloqua tracking script is a small JavaScript snippet placed on the customer website. When a visitor loads a page, the script issues a request to a customer specific Eloqua tracking subdomain, typically in the form s###.t.eloqua.com, and to the endpoint s.aspx. The response sets first party cookies on the customer domain so subsequent visits can be linked. Eloqua collects URL, referrer, user agent, IP address, time on page and form submissions. When a visitor submits a form that maps to a known contact, the previously anonymous browsing history is retroactively associated with the contact record, building a long term behavioural profile.
Eloqua sets first party cookies such as ELOQUA (a persistent visitor identifier valid for around two years), ELQSTATUS (records whether tracking is active and consent has been granted) and the temporary _elqQ queue used during page load. Because these cookies build a persistent profile linked to identified contacts, they are not strictly necessary and require informed consent under the ePrivacy Directive and Article 6(1)(a) GDPR.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
By default, Eloqua processes data on Oracle infrastructure in the United States. Oracle is certified under the EU US Data Privacy Framework and offers Standard Contractual Clauses as additional safeguards. Oracle also offers an EU pod that hosts Eloqua data within the European Union, which is a practical mitigation for organisations subject to strict data residency requirements. Even with an EU pod, customers should perform a transfer impact assessment because Oracle remains a US parent company subject to US law including FISA 702 and Executive Order 12333.
Some controllers argue that B2B marketing communications fall under a soft opt in or under legitimate interest. This argument is fragile under EU law. The ePrivacy Directive Article 5(3) on cookies and similar technologies does not distinguish between B2B and B2C contexts. National regulators including the CNIL, the ICO, the BfDI and the AEPD all require prior informed consent for non essential tracking cookies regardless of audience. The Eloqua tracking script therefore requires consent in the EEA and the UK, even on B2B properties.
Run a Data Protection Impact Assessment before deploying Eloqua, document the lawful basis, retention periods, EU pod choice and transfer mechanism. Integrate the Eloqua tracking script with your consent management platform so that it is loaded only after the visitor grants marketing consent. Use the Eloqua first party cookie configuration to align cookie domain and SameSite attributes with your privacy posture, and update your privacy notice and cookie policy to disclose Eloqua, its purpose and the data flows involved.
Websites using Oracle Eloqua must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is strongly recommended when deploying Oracle Eloqua because it performs systematic monitoring of website visitors at scale, builds long term behavioural profiles linked to identified contacts, transfers personal data to the United States and supports cross channel marketing activities. Document scope, lawful basis, retention, EU pod choice, transfer mechanism (DPF, SCCs) and rights handling.
Sample consent text
We use Oracle Eloqua to measure your interactions with our content, link form submissions to your profile and personalise our B2B marketing communications. Eloqua sets first party cookies and may transfer data to Oracle in the United States. By clicking Accept, you consent to this processing. You can withdraw your consent at any time in our cookie preferences.
Third-party domains contacted
eloqua.coms.eloqua.comt.eloqua.coms###.t.eloqua.comsecure.eloqua.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| ELOQUA | first_party | ~2 years | Persistent visitor identifier used by the Eloqua tracking script to link page views across sessions and to attribute form submissions to a known contact. |
| ELQSTATUS | first_party | ~2 years | Indicates whether tracking is active and whether the visitor has granted consent for Eloqua to record activity. |
| _elqQ | first_party | session | Temporary queue cookie used during page load to buffer tracking events before they are sent to the Eloqua tracking endpoint. |
| JSESSIONID | first_party | session | Session cookie set on Eloqua hosted landing pages and forms to maintain server side session state. |
| CSRF token | first_party | session | Anti CSRF token used by Eloqua hosted forms to protect against cross site request forgery on form submissions. |
Oracle Eloqua places tracking cookies for advertising — comply with GDPR using FlowConsent.
Oracle Eloqua sets first party cookies on the customer domain through its tracking script. The main cookies are ELOQUA, a persistent visitor identifier with a lifetime of around two years, ELQSTATUS, which records whether tracking is active and consent has been granted, and the temporary _elqQ cookie used as a queue during page load. Customer specific session cookies and CSRF tokens may also be set on Eloqua hosted landing pages and forms. Because these cookies build a long term profile linked to identified contacts, they are not strictly necessary and require prior consent in the EEA and the UK.
Yes. The Eloqua tracking script and its first party cookies perform behavioural profiling that goes well beyond what is strictly necessary to deliver a service requested by the visitor. Under Article 5(3) of the ePrivacy Directive and Article 6(1)(a) GDPR, you must obtain prior, informed, freely given and specific consent before loading the Eloqua tracking script. This applies on both B2C and B2B properties because EU consent rules do not exempt business audiences.
For the deposit and reading of Eloqua tracking cookies, the legal basis is consent under Article 6(1)(a) GDPR and Article 5(3) of the ePrivacy Directive. For the subsequent processing of B2B contact data inside Eloqua for marketing campaigns, the legal basis is typically consent or, for very limited operational purposes, legitimate interest under Article 6(1)(f) subject to a documented balancing test. Special categories of data should not be processed without an explicit Article 9 basis.
Yes by default. Eloqua is hosted on Oracle infrastructure in the United States. Oracle relies on the EU US Data Privacy Framework and on Standard Contractual Clauses for transfers to other regions. Oracle also offers an EU pod that hosts Eloqua data within the European Union, which is the preferred option for EU controllers. Even with the EU pod, perform a transfer impact assessment because Oracle remains a US parent company subject to US surveillance laws such as FISA 702 and EO 12333.
Yes, a DPIA is strongly recommended and often mandatory. Eloqua performs systematic monitoring of website visitors at scale, builds long term behavioural profiles, links anonymous behaviour to identified contacts and transfers personal data to a third country. This combination of factors meets several DPIA triggers under Article 35 GDPR and the EDPB guidelines. The DPIA should document scope, lawful basis, retention, EU pod choice, transfer mechanism, security measures and rights handling.
Place the Eloqua tracking script behind your consent management platform so it loads only after marketing consent. Choose the EU pod if you serve EU users at scale. Sign an Oracle data processing agreement and review the SCCs annexes. Run a DPIA and a transfer impact assessment. Update your privacy notice and cookie policy to disclose Eloqua. Configure shorter cookie lifetimes where possible and offer a clear withdrawal mechanism. Train marketing teams on lawful basis, retention and minimisation.
Common alternatives in the enterprise B2B marketing automation space include HubSpot Marketing Hub, Adobe Marketo Engage and Salesforce Marketing Cloud Account Engagement (formerly Pardot). Each has its own data residency posture and consent maturity. For organisations seeking EU based vendors, options include Brevo (formerly Sendinblue), Mautic (open source) and ActiveCampaign with EU data residency. The right choice depends on CRM integration, EU residency requirements and consent management capabilities.
List Oracle Eloqua under the marketing or analytics category of your cookie policy. Disclose the cookie names (ELOQUA, ELQSTATUS, _elqQ), their type (first party), their duration (up to about two years for ELOQUA, session for _elqQ) and their purpose (visitor profiling, form attribution, campaign personalisation). State the recipient (Oracle America Inc.), the country of transfer (United States, with optional EU pod), the transfer mechanism (DPF, SCCs) and the link to withdraw consent. Update the policy each time you change pod or scope.