The Privacy Collective, which is a non-profit that supports and pursues claims for the misuse of personal data, has filed a class action lawsuit in Amsterdam against technology giants Salesforce and Oracle. The suit alleges that the companies have violated the General Data Protection Regulation (GDPR) by misusing personal data in their dynamic advertisement-pricing services, specifically through their Bluekai and Krux third-party cookies.
It says the case is the Netherland’s biggest class action over a GDPR breach so far, and combined with another lawsuit that will be filed soon in London’s High Court, the action could leave the two tech giants with a total bill of €10 billion.
Many popular websites use the cookies from Salesforce and Oracle, but The Privacy Collective accuses the companies of enabling the use of harmful advertisements and storing personal information, which is not consistently secured, about consumers without their active consent for sharing such data.
Class representative Dr Rebecca Rumbul, who is also a claimant on the suit that will be filed in England and Wales, said:
“Everyone who has ever used the internet is at risk from this technology. It may be largely hidden but it is far from harmless. If data collected from internet use is not adequately controlled, it can be used to facilitate highly targeted marketing that may expose vulnerable minors to unsuitable content, fuel unhealthy habits such as online gambling or prey on other addictions.”
The Krux and Bluekai cookies supplied by the company are hosted by websites, and with their users’ consent, they are then downloaded onto their devices and used to track their browsing activity, with the data then being used to deliver relevant advertisements.
The suit alleges that Oracle and Salesforce are collecting personal data with these and then using a real-time bidding system to sell and share it with other companies. It further claims that this is being done without the users’ knowledge or appropriate consent, even though technology companies are required by the GDPR to obtain informed consent before collecting and sharing personal data.
Both Salesforce and Oracle dispute the claim’s merits. A spokesperson for Oracle accused The Privacy Collective of intentionally filing an action that is “meritless” and rooted in “deliberate misrepresentations”, adding that:
“As Oracle previously informed the Privacy Collective, Oracle has no direct role in the real-time bidding process (RTB), has a minimal data footprint in the EU, and has a comprehensive GDPR compliance program.”
Over in England, meanwhile, the Cadwalader law firm is preparing to file its case for England and Wales.
The case reflects consumers’ growing concerns about the use of personal data, and the GDPR provides a strict framework for protecting it. If your company is not yet fully compliant with the GDPR, we at Pro-Networks, through our IT support and services, can help you to achieve compliance, which in turn can bring benefits in terms of improved consumer trust, better cybersecurity, and a culture of good work practices.