
Oracle and Salesforce sued over online ad tracking

Class action lawsuits filed in Amsterdam and London will accuse Oracle and Salesforce of breaching GDPR in their processing and sharing of personal data to sell online advertising

Oracle and Salesforce face precedent-setting class action lawsuits in Dutch, English and Welsh courts that claim their processing and sharing of personal data collected by third-party cookies in order to sell targeted online advertising breaches the General Data Protection Regulation (GDPR).

The cases are being brought by The Privacy Collective, a non-profit foundation set up for the purpose, and centre on the use of third-party cookies to support dynamic ad pricing for targeted online advertising.

The collective said Oracle and Salesforce were just two of a great many companies that use cookies to track, monitor and collect the personal data of internet users and share it in a process called real-time bidding.

These are behind-the-scenes auctions in which consumers’ data is sold to advertisers, which use these profiles to tailor ads that many people perceive to “follow” them from website to website, even if they have never expressed an interest in the product for sale.

The data typically collected to support this practice includes people’s interests, their locations, income, relationship status, gender and/or sexual orientation, age and education.

The lawsuit claims that the collection and sharing of this data by Oracle and Salesforce is being done without clear consent and therefore goes against GDPR, and in fact has been in breach of the regulations since they came into force.

Also, said the collective, Oracle’s and Salesforce’s participation in the process of real-time bidding means it is essentially impossible for either of them to provide adequate information and obtain the needed consent, and also means they lose control of the information to the third-party ad companies that use their platforms.

“Everyone who has ever used the internet is at risk from this technology,” said Rebecca Rumbul, class representative and a claimant in England and Wales. “It may be largely hidden, but it is far from harmless.

“If data collected from internet use is not adequately controlled, it can be used to facilitate highly targeted marketing that may expose vulnerable minors to unsuitable content, fuel unhealthy habits such as online gambling or prey on other addictions. By supporting my action, internet users in England and Wales can do their bit to begin to hold these firms to account and make the internet a safer and more regulated place.”

The collective says the claims could exceed €10bn, as it could potentially unite millions of claimants who have visited some of the world’s most prominent websites, including Spotify, Comparethemarket, Reddit, Dropbox, Ikea, Booking.com, Thesaurus.com, Urban Dictionary, The Student Room, Rotten Tomatoes, IMDB, BBC Good Food, Matalan, Pretty Little Thing, Debenhams, Reed.co.uk, Barclaycard.com and Amazon.


The Dutch action will be the largest-ever class action in the Netherlands over GDPR and is being led by Amsterdam-based law firm Bureau Brandeis. The case to be filed in England and Wales in September 2020 will be led by City of London practice Cadwalader.

Melis Acuner, a partner at Cadwalader, said: “Thousands of organisations are processing billions of bid requests each week with, at best, inconsistent application of adequate technical and organisational measures to secure the data, and with little or no consideration as to the requirements of data protection law about international transfers of personal data. The GDPR gives us the tool to assert individuals’ rights. The class action means we can aggregate the harm done.”

Bureau Brandeis’ lead lawyer, Christiaan Alberdingk Thijm, added: “Your data is being sold off in real time to the highest bidder, in a flagrant violation of EU data protection regulations. This ad-targeting technology is insidious in that most people are unaware of its impact or the violations of privacy and data rights it entails.

“Within this adtech environment, Oracle and Salesforce perform activities that violate European privacy rules on a daily basis, but this is the first time they are being held to account. These cases will draw attention to astronomical profits being made from people’s personal information, and the risks to individuals and society of this lack of accountability.”

Oracle’s executive vice president and general counsel, Dorian Daley, said: “The Privacy Collective knowingly filed a meritless action based on deliberate misrepresentations of the facts. As Oracle previously informed the Privacy Collective, Oracle has no direct role in the real-time bidding process (RTB), has a minimal data footprint in the EU, and has a comprehensive GDPR compliance program. Despite Oracle’s fulsome explanation, the Privacy Collective has decided to pursue its shake-down through litigation filed in bad faith. Oracle will vigorously defend against these baseless claims.”

A Salesforce spokesperson said: “At Salesforce, trust is our number one value and nothing is more important to us than the privacy and security of our corporate customers’ data. We design and build our services with privacy at the forefront, providing our corporate customers with tools to help them comply with their own obligations under applicable privacy laws, including the EU GDPR, to preserve the privacy rights of their own customers.

“Salesforce and another data management platform provider have received a privacy-related complaint from a Dutch group called The Privacy Collective. The claim applies to the Salesforce Audience Studio service and does not relate to any other Salesforce service.

“Salesforce disagrees with the allegations and intends to demonstrate they are without merit.”

The spokesperson added: “Our comprehensive privacy programme provides tools to help our customers preserve the privacy rights of their own customers.”
