Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Oracle Eloqua is an enterprise B2B marketing automation platform now part of Oracle Marketing. It tracks website visitors via a JavaScript tag, runs email marketing campaigns, manages lead scoring and integrates with CRMs. For European customers, EU tenants are usually hosted in Amsterdam or Frankfurt, but support and admin access can take place from the United States. Oracle is certified under the EU US Data Privacy Framework.
Oracle Eloqua is an enterprise B2B marketing automation platform originally launched in 1999, acquired by Oracle in 2012 and now positioned within Oracle Marketing. It is used by enterprise marketing teams to capture leads, score behaviour, send drip campaigns, nurture prospects and feed CRM systems such as Oracle Sales, Salesforce and Microsoft Dynamics. Eloqua is hosted on Oracle Cloud Infrastructure, with each customer assigned to a regional pod.
Eloqua deploys a JavaScript tag (elqcfg.min.js or elqcfg-static.js) on customer pages. It sets first party cookies (ELOQUA, ELQSTATUS) that contain a GUID linking visits across the same browser. Eloqua tracks pages viewed, time on site, referrer, downloaded files, form submissions, email opens and clicks. When a visitor submits a form, the cookie GUID is linked to the contact record and all past anonymous activity becomes attributed.
Oracle Eloqua acts as a data processor under Art. 28 GDPR. The Elqcfg cookies are not strictly necessary for the website to function, so under Art. 5(3) ePrivacy and the EDPB cookie guidelines they require consent. Email opens are tracked via a 1x1 pixel and clicks via redirect URLs, both of which involve processing personal data and require a lawful basis (consent in B2C, legitimate interest may apply in B2B with safeguards).
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
The Eloqua tracker must be loaded only after the visitor consents to non essential cookies. Email marketing to EU contacts also requires consent under ePrivacy and Art. 6(1)(a) GDPR for B2C, while B2B may use legitimate interest with a clear opt out. Lead scoring that triggers significant decisions (sales contact, exclusion, pricing) may fall under Art. 22 GDPR, requiring human review and a right to explanation.
European customers should request an Amsterdam or Frankfurt pod assignment to keep tenant data inside the EEA. Oracle support, engineering, and disaster recovery may still involve access from the United States, India or other jurisdictions. Oracle is certified under the EU US Data Privacy Framework and provides Standard Contractual Clauses through its Oracle Master Agreement. Sub processors include Oracle Cloud Infrastructure regions and selected partners.
Request an EU pod when provisioning your tenant, sign Oracle''s Data Processing Agreement, load the Eloqua tracker only after consent, separate email opt in by purpose (newsletter, product updates, events), document Oracle sub processors and the EU US Data Privacy Framework certification, set retention for cookie based visitor profiles and form submissions, and review lead scoring rules for any automated decisions subject to Art. 22 GDPR.
Websites using Oracle Eloqua must obtain user consent under GDPR regulations.
DPIA considerations
Oracle Eloqua processes extensive B2B contact and behavioural data. Key DPIA considerations: (1) the Elqcfg JavaScript tracker sets first party cookies and builds a visitor profile that links to email opens and form submissions, requiring consent under Art. 5(3) ePrivacy; (2) Oracle is the data processor under Art. 28 GDPR through the Oracle Cloud Services Agreement and Data Processing Agreement; (3) the customer's tenant is assigned to a specific Oracle pod whose location determines the primary processing region; (4) Oracle support and engineering staff in the US, India and other jurisdictions may access data, constituting onward transfers; (5) lead scoring can produce automated decisions affecting individuals, triggering Art. 22 GDPR safeguards; (6) data retention policies for cookie based visitor profiles and form submissions must be configured.
Sample consent text
We use Oracle Eloqua, an enterprise marketing automation platform, to track website behaviour, send personalised email campaigns and score leads. Oracle Eloqua sets first party cookies linked to your visit and any forms you submit. Your data is processed in our EU Oracle pod and may be accessed by Oracle support teams in the US and India under Standard Contractual Clauses and the EU US Data Privacy Framework.
Third-party domains contacted
eloqua.comen25.comoracle.comoraclecloud.comimg.en25.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| ELOQUA | Marketing | 13 months | First party visitor GUID set by the Eloqua tracker on the customer's domain. Links anonymous visits and identifies the contact after a form submission. |
| ELQSTATUS | Marketing | 13 months | Indicates whether the Eloqua tracking script has loaded successfully and provides session continuity across pages. |
| ELOQUA_RW | Marketing | 13 months | Used when the tracker runs over HTTPS only deployments to preserve secure tracking across pages. |
| NTID | Marketing | 13 months | Oracle Eloqua network tracking identifier used to link multi domain visits to a single visitor profile. |
Oracle Eloqua places tracking cookies for advertising — comply with GDPR using FlowConsent.
Eloqua sets first party cookies on the customer's own domain through the Elqcfg JavaScript tag. The main cookies are ELOQUA (13 month visitor GUID), ELQSTATUS (status of the tracking) and ELOQUA_RW (when secure tracking is enabled). Form submissions link the cookie GUID to the contact record in the Eloqua database.
Yes, the Eloqua tracker is not strictly necessary, so under Art. 5(3) ePrivacy and the EDPB cookie guidelines you must obtain consent before loading elqcfg.min.js. Form submissions can rely on the user's clear action plus a consent or legitimate interest basis as appropriate. Email tracking pixels also require a lawful basis.
Consent (Art. 6(1)(a) GDPR) for visitor tracking cookies and B2C email marketing. Legitimate interest (Art. 6(1)(f) GDPR) for B2B lead nurturing, lead scoring and CRM enrichment where balanced against the data subject's rights and rights to object. Contract (Art. 6(1)(b) GDPR) for known customer communications related to a service.
Each Eloqua tenant is assigned to a pod such as Amsterdam (P06), Frankfurt (P07), Ashburn (P01), Chicago (P02), Sydney (P05) or Tokyo (P03). EU customers should be on an EU pod to keep primary data in the EEA. Oracle support, engineering and disaster recovery may access data from the US, India and other jurisdictions under SCCs and the EU US Data Privacy Framework.
A DPIA is recommended for any significant Eloqua deployment because it combines visitor tracking, behavioural scoring, profile enrichment and cross border data flows. The DPIA should cover lead scoring logic (Art. 22 GDPR), data retention for cookie profiles and forms, sub processor access from the US, and email tracking by default in the platform.
Provision your tenant on an EU pod, sign the Oracle DPA and Master Agreement, load the Elqcfg tracker behind a consent banner, use blind form submits or honour Do Not Track where appropriate, separate consent purposes for email marketing, configure cookie and contact retention rules, document Oracle sub processors, and review lead scoring rules for automated decisioning.
EU based marketing automation alternatives include Brevo (formerly Sendinblue, France), ActiveCampaign (US with EU options), HubSpot (US with EU data centres for some products), Mautic (open source, can be self hosted), SALESmanago (Poland) and Selligent (Belgium). Self hosting Mautic in an EU data centre removes most cross border transfer issues.
Disclose Oracle as a data processor and name your assigned pod region, describe the ELOQUA and ELQSTATUS cookies and their 13 month duration, explain that anonymous tracking links to identified contacts after a form submission, mention email opens and click tracking, document SCCs and the EU US Data Privacy Framework certification, and offer a clear opt out for tracking and marketing.