Friday 14 August 2020 9:00 am

Salesforce and Oracle accused of breaching GDPR in €10bn lawsuit

A class-action lawsuit has accused tech giants Oracle and Salesforce of breaching EU General Data Protection Regulation (GDPR) in their processing and sharing of data for advertising purposes.

Non-profit organisation The Privacy Collective, which filed the lawsuit, alleged the two companies are misusing consumers’ personal data through their third-party cookies Bluekai and Krux, which are used for dynamic ad pricing services.

It said the class-action lawsuit, filed today in Amsterdam with a similar claim to be filed at the High Court in London later this month, could cost Oracle and Salesforce up to €10bn.

The Privacy Collective said the Dutch case is the biggest-ever class action in the Netherlands over a violation of GDPR.

Read more: Tiktok under scrutiny by French privacy watchdog over data use

Oracle and Salesforce’s cookies are hosted on a number of popular websites, including Comparethemarket, Dropbox,, Ikea and Twitch.

The Privacy Collective accused the tech giants of breaking GDPR rules by allegedly facilitating sales via harmful ads, holding personal information that consumers did not proactively consent to sharing, and inconsistently securing personal data.

“Everyone who has ever used the internet is at risk from this technology. It may be largely hidden but it is far from harmless,” said Dr Rebecca Rumbul, class representative and a claimant on the suit in England and Wales.

“If data collected from internet use is not adequately controlled, it can used to facilitate highly targeted marketing that may expose vulnerable minors to unsuitable content, fuel unhealthy habits such as online gambling or prey on other addictions.”

Cookies such as Bluekai and Krux are hosted on websites and then, with their consent, stored on a user’s device to track and monitor their behaviour online.

Read more: Privacy Shield: Top court rejects US-EU data transfer tool

The claimants say that the personal data collected is then being shared by Salesforce and Oracle with hundreds of other companies via a real-time bidding process, without the proper consent or knowledge of the user. 

Oracle general counsel Dorian Daley said called the action “meritless” and a “shake-down”, accusing the Privacy Collective of basing its claim on “deliberate misrepresentations of the facts”. 

“Oracle will vigorously defend against these baseless claims,” he added.

Meanwhile the case being prepared in England will be led by law firm Cadwalader and is due to be filed next month.

A spokesperson for Salesforce said it “disagrees with the allegations and intends to demonstrate they are without merit”.