The Privacy Collective, a London nonprofit whose mission is to protect privacy, has filed suit with the District Court of Amsterdam, accusing the software companies of breaching the European Union’s General Data Protection Regulation (GDPR) in their processing and sharing of people’s information by third-party tracking cookies.
The complaint alleges Oracle and Salesforce used personal data without consent.
A second suit is expected to be filed later this month at the High Court of Justice in London England, alleging violations of GDPR and the United Kingdom’s Privacy of Electronic Communications Regulations, which governs the use of personal data for marketing communications, TechCrunch reported.
If successful, the collective suits could cost the companies more than €10 billion ($11.8 billion).
Oracle, the California-based software maker, advertises that its Data Cloud and BlueKai Marketplace provides customers with access to 2 billion consumer profiles.
Salesforce, the San Francisco software company, promises its marketing cloud interacts with more than 3 billion browsers and devices monthly.
“There is, I think, no way that any normal person can really give informed consent to the way in which their data is going to be processed by the cookies that have been placed by Oracle and Salesforce,” Rebecca Rumbul, class action representative and claimant in England, told TechCrunch. “There’s plenty of evidence out there to show that how these cookies work means you can have very, very egregious outcomes for people at an individual level.”
Dorian Daley, Oracle’s attorney, told the news outlet the Privacy Collective filed a meritless suit based on misrepresentations of the facts.
“Oracle has no direct role in the real-time bidding process, has a minimal data footprint in the EU, and has a comprehensive GDPR compliance program,” Daley said.
A spokeswoman for Salesforce said trust is the firm’s top value and nothing is more important than the privacy and security of corporate customers’ data.
“We design and build our services with privacy at the forefront, providing our corporate customers with tools to help them comply with their own obligations under applicable privacy laws,” she said.
In June, the European Commission, the EU’s governing body, said in a report that while GDPR is “an overall success,” further actions are needed, especially among small to mid-sized companies, to promote what one top official calls “vigorous enforcement.”
Earlier this year, in a move that took everyone by surprise, Google announced that its Chrome browser would stop allowing third-party cookies by 2022.