By Robert Bateman

Tech giants Oracle and Salesforce are facing class-action lawsuits in the U.K. and the Netherlands over allegations that they are “misusing the personal data” of millions of people.

The legal claims relate to how the companies contribute to “real-time bidding” (RTB), a controversial advertising practice that involves the auctioning of personal data collected via web cookies and other tracking technologies.

The U.K. suit, led by privacy advocate Rebecca Rumbul, is seeking damages of approximately $13 billion, which would amount to about $650 for every U.K. internet user.

The parallel Netherlands case, led by the nonprofit Privacy Collective, is seeking approximately $19.5 billion.

Paused for Google Case

The claims originally were filed last August, but the U.K. case was paused in anticipation of the outcome of a separate legal claim, known as Lloyd v. Google. The outcome of that case, expected early this year, will determine whether Rumbul’s class action will proceed.

“Oracle and Salesforce — while they aren’t household names like Google and Facebook — are absolute leaders in their field,” Rumbul told Digital Privacy News.

“They are multi-billion-dollar organizations,” she added. “And they’ve kind of been able to fly under the radar with this kind of tech because people don’t really know who they are and what they’re doing.”

“It’s the auctioning off of our personal data to the highest bidder without our consent.”

Rebecca Rumbul, U.K. privacy advocate.

“The volume of people who probably have these sorts of cookies on their system is in the tens of millions in the U.K. alone.”

Companies Respond

An Oracle spokesperson told Digital Privacy News: “The claim filed by Dr. Rebecca Rumbul against Oracle is wholly unfounded, highly speculative and misdirected.

“The claim appears to arise from grievances that Dr. Rumbul has with the entire adtech industry and RTB process generally. 

“It attributes those grievances to Oracle without any logical justification, with blatant disregard for Oracle’s limited involvement in the adtech industry and RTB, and ignoring Oracle’s comprehensive privacy compliance framework,” the representative said.

“As with the similar claim filed by the Privacy Collective in the Netherlands, the claim is at a very early procedural stage — and Dr. Rumbul has agreed not to pursue it further until after the Supreme Court appeal in Lloyd v. Google, the outcome of which could bring a swift end to this matter.  

“Oracle will rigorously defend the claim regardless of the outcome of the Lloyd v. Google appeal.”

In addition, a Salesforce spokesperson told Digital Privacy News:

The court action “attributes those grievances to Oracle without any logical justification, with blatant disregard for Oracle’s limited involvement in the adtech industry and RTB, and ignoring Oracle’s comprehensive privacy compliance framework.”

Oracle Corp.

“At Salesforce, trust is our number one value — and nothing is more important to us than the privacy and security of our corporate customers’ data. 

“We design and build our services with privacy at the forefront, providing our corporate customers with tools to help them comply with their own obligations under applicable privacy laws — including the EU GDPR — to preserve the privacy rights of their own customers.

“Salesforce and another data-management platform provider received a privacy related complaint from a Dutch group called the Privacy Collective in the Netherlands in August 2020. 

“Salesforce and the same data-management platform provider, has since received a similar privacy complaint in the U.K. from Dr. Rebecca Rumbul,” the representative said. “The claim applies to the Salesforce Audience Studio service and does not relate to any other Salesforce service.

“Salesforce disagrees with the allegations and intends to demonstrate they are without merit.”

How RTB Works

The RTB process involves the live auctioning of personal data gathered via cookies and other tracking technologies.

A June 2019 report from the U.K.’s privacy regulator, the Information Commissioner’s Office (ICO), described how the process was “taking place unlawfully.”

Rumbul is one of several advocates to challenge the RTB process. In November, the digital-rights charity Open Rights Group said that it was suing the ICO because it had failed to act on a complaint about RTB.

“Salesforce disagrees with the allegations and intends to demonstrate they are without merit.”

Salesforce.com Inc.

“It’s the auctioning off of our personal data to the highest bidder without our consent,” Rumbul said.

She argued that Oracle, based in Austin, Texas, and Salesforce, with headquarters in San Francisco, contributed to the RTB ecosystem by tracking people’s online activity without obtaining consent.

Rumbul claimed that most “cookie banners,” online notifications ostensibly designed to obtain consent for the use of cookies, were not legally valid under the U.K.’s General Data Protection Regulation (GDPR).

“I’ve never come across a cookie banner that has indicated in any way that this cookie is going to hoover up everything I do online, package it up — and then sell it off to the highest bidder so they can put an ad in front of me,” Rumbul said. 

“It’s an illusion of choice,” she said. “You can’t opt out.”

Transcending Borders

Mike Audi, CEO of the privacy-focused software company TIKI, based in Worcester, Mass., said: “Online privacy violation continues to be an issue that transcends borders.

“Tracking users without their consent is a violation of their rights.

“For companies to access data, consent must be knowingly given,” Audi told Digital Privacy News. “Burying permissions in convoluted forms, opt-outs and long agreements is not only unethical — it’s an unfair business practice of misrepresentation.”

“Tracking users without their consent is a violation of their rights.”

Mike Audi, TIKI software company, Worcester, Mass.

While declining to comment directly on the actions of Salesforce and Oracle, Audi commended U.K. users for “standing up to big tech, whose power and reach is unprecedented and lightly regulated.”

Legal Move’s Significance

Rumbul’s action would be highly significant if it succeeds. Although “opt-out” class actions theoretically are possible in the U.K., they are far more common in other jurisdictions, such as the U.S.

Eleanor Powell, a senior associate at the London law firm Hausfeld, said: “Whilst Europe has a convincing history when it comes to data-protection legislation, at the moment, there is not a direct equivalent to a U.S. class action in the U.K.

“Steadily, however, collective actions brought on behalf of large groups of individuals under the pre-GDPR regime are determining some fundamentals around how such claims can proceed,” she continued.

Rumbul’s case hinges on the U.K. Supreme Court’s ruling in Lloyd v. Google. At an earlier stage in the case, the U.K. Court of Appeal recognized the validity of an opt-out class action for the first time in the country’s legal history.

Powell said that, depending on the court’s decision in that case, the U.K. could see many more privacy-related class actions in the future.

“At the moment, there is not a direct equivalent to a U.S. class action in the U.K.”

Eleanor Powell, Hausfeld law firm, London.

“If the Supreme Court upholds the Court of Appeal’s judgment, we can reasonably expect to see the floodgates widen to data claims brought by a representative claimant on behalf of huge collectives of affected individuals,” Powell told Digital Privacy News.

Rumbul observed: “In the U.K., we have not had a history of class actions. The GDPR provides — we think — for that to happen.

“We’re very much hoping that the judiciary will find in our favor,” she told Digital Privacy News. “Because, if we cannot go forward in this manner, there are very few legal routes open to people like me, who are trying to go up against multi-billion-dollar companies.”

Robert Bateman is a writer in Brighton, U.K.

Sources:

• The Privacy Collective: Frequently Asked Questions