NL

Share on facebook
Share on linkedin
Share on twitter

This article was originally published in Forbes.

Class-action lawsuits filed in the UK and Netherlands will accuse tech giants Oracle and Salesforce of breaching GDPR in the way they process and share personal data to sell online advertising.

The cases are being brought by The Privacy Collective, a European non-profit foundation that is dedicated to claiming compensation for the wrongful use of personal data.

The group claims the two companies are misusing consumers’ personal data through their third-party cookies ‘Bluekai’ and ‘Krux’, which are used to track, monitor and collect the personal data of internet users and share it in a process called real-time bidding. These cookies are hosted on a number of popular websites, the group claims, such as Amazon, Booking.com, Dropbox, Reddit and Spotify.

The Privacy Collective is accusing both Oracle and Salesforce of breaching GDPR rules by facilitating sales via harmful ads, holding personal information that consumers did not proactively consent to sharing, and inconsistently securing personal data.

“Everyone who has ever used the internet is at risk from this technology. It may be largely hidden but it is far from harmless,” said Dr Rebecca Rumbul, class representative and a claimant on the suit in England and Wales. 

“If data collected from internet use is not adequately controlled, it can used to facilitate highly targeted marketing that may expose vulnerable minors to unsuitable content, fuel unhealthy habits such as online gambling or prey on other addictions.”

The lawsuit has been filed in Amsterdam, with a similar claim to be filed at the High Court of London later in August. The Privacy Collective said the Dutch case is the biggest-ever class action in the country that concerns GDPR and could cost Oracle and Salesforce up to €10 billion. 

Everyone who has ever used the internet is at risk from this technology.

Oracle's EVP and general counsel Dorian Daley hit back at lawsuit, and slammed it as "meritless action based on deliberate misrepresentations of the facts". 

"As Oracle previously informed the Privacy Collective, Oracle has no direct role in the real-time bidding process (RTB), has a minimal data footprint in the EU, and has a comprehensive GDPR compliance program," Daley said in a statement. 

"Despite Oracle's fulsome explanation, the Privacy Collective has decided to pursue its shake-down through litigation filed in bad faith. Oracle will vigorously defend against these baseless claims." 

A spokesperson for Salesforce said it “disagrees with the allegations and intends to demonstrate they are without merit”.