GDPR accusations against Oracle and Salesforce 'without merit'

European data privacy body suing tech giants over firms' adtech processing and sharing of personal data

Oracle and Salesforce are being accused in UK and Dutch courts of breaching GDPR for the way they process and share personal data through third-party cookies.

The Privacy Collective, a non-governmental foundation committed to pursuing claims for data misuse in breach of privacy rights, has already filed a class action suit in the Netherlands and will be filing a similar suit in the High Court in England later this month, alleging that the use of their third-party cookies ‘Bluekai' and ‘Krux' breaches the informed consent required from users under GDPR.

The cookies are hosted on a number of popular websites including Reddit, Comparethemarket, Amazon, Spotify and Dropbox.

The group - which claims to be representing millions of individuals - believes that if the suits are successful, the collective claims could top €10bn.

However, both Oracle and Salesforce have vehemently denied the accusations and separately stated the claims are "without merit".

Dorian Daly, Oracle's EVP and general counsel, slammed the move, adding that the company will "vigorously defend these baseless claims".

"The Privacy Collective knowingly filed a meritless action based on deliberate misrepresentations of the facts," he stated.

"As Oracle previously informed the Privacy Collective, Oracle has no direct role in the real-time bidding process (RTB), has a minimal data footprint in the EU, and has a comprehensive GDPR compliance program.

"Despite Oracle's fulsome explanation, the Privacy Collective has decided to pursue its shake-down through litigation filed in bad faith."

Salesforce has also refuted the claims, stating that it "disagrees with these allegations and intends to demonstrate they are without merit".

Real-time bidding (RTB) is the process at the heart of the lawsuits; it is a behind the scenes process in which consumer profiles are auctioned off to advertisers in real-time. When a consumer visits a website, a cookie is then placed on the consumer's device to track and monitor their behaviour. The Privacy Collective alleges that Oracle and Salesforce are collecting and sharing this data without the consent or knowledge of the consumer.

Rebecca Rumbul is acting as the class representative and claimant in the UK action and stated that such marketing tools can be used to prey on vulnerable internet users.

"Everyone who has ever used the internet is at risk from this technology," she stated.

"It may be largely hidden but it is far from harmless. If data collected from internet use is not adequately controlled, it can be used to facilitate highly targeted marketing that may expose vulnerable minors to unsuitable content, fuel unhealthy habits such as online gambling or prey on other addictions."

GDPR has been in force since May 2018 and has been at the centre of a number of headlines recently, including an accusation from a UK privacy body that the government did not assess whether its Covid-19 Track and Trace programme was in compliance with the regulation.

The Information Commissioner's Office (ICO) also acknowledged that the current A-levels grading scandal may have breached GDPR's "restrictions on organisations making solely automated decisions that have a legal or similarly significant effect on individuals" and that is monitoring the situation.

Meanwhile, British Airways revealed that it anticipates its landmark £183m fine from the ICO for breaching customers' data privacy under the regulation to be cut by up to 90 per cent, provisioning £20m to cover the lowered penalty.