A class action lawsuit has been filed in Amsterdam by the consumer privacy organization, The Privacy Collective, over alleged breaches of the E.U’s General Data Protection Regulation (GDPR) by the U.S. firms Salesforce and Oracle. The lawsuit alleges both companies have violated the GDPR by collecting the personal data of E.U citizens without first obtaining user consent. The lawsuit alleges both companies have been selling the personal data of users to other companies, and that users of their software have not been informed that their personal data is being collected or sold.
The Privacy Collective claims that both companies use third party cookies to collect personal data, specifically Bluekai and Krux. These cookies are used for dynamic ad pricing services and are used on many different websites including those of Booking.com and Comparethemarket.com. The lawsuit alleges Salesforce and Oracle have retained consumer data collected through the cookies and have implemented an inconsistent approach to securing sensitive information, and that information is being used to facilitate sales via the use of harmful advertisements. Profiles are created on users and that information is sold to other companies via real-time bidding, all without explicit consent from users.
The lawsuit seeks damages at least $10bn, based on damages of €500 per affected user that has not provided consent for their personal data to be collected, processed and sold. The plaintiffs are being represented by Bureau Brandeis co-founder, Christiaan Alberdingk Thijm, who claims the lawsuit is “one of the largest cases of unlawful use of personal data in the history of the internet.’
Salesforce and Oracle both deny breaches of privacy laws and claim the allegations are without merit and claim to have a GDPR program and are fully compliant. A similar lawsuit is due to be filed in the High Court in London later this month, with funding provided by Innsworth.
The lawsuit may attract the attention of GDPR regulators. The GDPR requires all companies to proactively obtain consent from E.U. citizens before their personal data is collected and processed. The failure to obtain consent can result in major financial penalties. The most severe breaches of the GDPR can see a financial penalty imposed of up to €20 million or 4% of global annual turnover, whichever is the greater.