Oracle Sued By Privacy Advocates Over Data Collection Practices
Wade Tyler Millward
‘Oracle’s misconduct has put Plaintiffs’ and Class members’ privacy and autonomy at risk, and violated their dignitary rights, privacy, and economic well-being,’ according to the lawsuit.
A group of privacy advocates have sued Oracle, accusing the database and cloud services giant of wrongfully collecting and selling the private data of hundreds of millions of people and allegedly violating California state law and United States federal law.
“Oracle’s misconduct has put Plaintiffs’ and Class members’ privacy and autonomy at risk, and violated their dignitary rights, privacy, and economic well-being,” according to the lawsuit.
CRN has reached out to Oracle for comment.
[RELATED: ORACLE STARTS TO LAY OFF EMPLOYEES AHEAD OF EARNINGS: REPORT]
Why Was Oracle Sued?
CRN has also reached out to the attorneys with the San Francisco-based Lieff Cabraser Heimann & Bernstein law firm representing the plaintiffs in the lawsuit.
The law firm’s past work includes a $9.5 million settlement with a DXC Technology predecessor in 2018 over misclassified employees; a $115 million settlement fund from Anthem over a hacker attack in 2014 that Anthem didn’t discover until the next year; a $68 million settlement in 2016 with LifeLock over not protecting subscribers from hackers, and a $13 million settlement with LinkedIn in 2016 over email solicitations to join the social media network.
The named plaintiffs in the lawsuit are Michael Katz-Lacabe, Jennifer Golbeck and Johnny Ryan.
Katz-Lacabe is described in the lawsuit as a California-based privacy rights activist and founder of the Center for Human Rights and Privacy. Golbeck is described as a Florida resident and an associate professor at the University of Maryland, College Park, with specialties in social networks, privacy and web security.
Ryan is described as a resident of Ireland and senior fellow with the Irish Council for Civil Liberties (ICCL) and the Open Markets Institute. He previously served as chief innovation officer at the Irish Times news outlet, according to the lawsuit.
In a statement on ICCL’s website, the group alleges that Oracle has digital dossiers on 5 billion people worldwide, which generate more than $42 billion in annual revenue.
The plaintiffs seek class action certification, punitive damages, nominal damages, restitution from Oracle, and permanently stopping Oracle from collecting personal information of affected people. The plaintiffs seek more than $5 million from Oracle through the lawsuit.
The plaintiffs named Oracle America as the defendant, calling the entity a data broker registered with California.
Oracle was headquartered in Redwood City, Calif., until December 2020, when it relocated to Austin, Texas.
The plaintiffs – who say they don’t have a direct relationship with Oracle and no reasonable way to consent to any alleged surveillance – accuse Oracle of recording people’s personal information and selling that information using tools such as ID Graph, which matches individual identities through digital activity, according to the lawsuit.
The lawsuit also focuses on Oracle’s data management platform BlueKai, which includes the Oracle Data Marketplace.
According to the lawsuit, the two plaintiffs who live in the United States received documents from Oracle this year that indicate the company built electronic profiles on them based on internet browsing and activity, making their information available to third parties without consent.
“Oracle tracks the lives of the general public in a manner that is opaque, if not invisible, to the people it follows, as they have no direct relationship with Oracle,” according to the lawsuit. “The regularly conducted business practices of defendant Oracle America … amount to a deliberate and purposeful surveillance of the general population via their digital and online existence.”
The plaintiffs allege that Oracle tracks everything from people’s names and home addresses to what brick-and-mortar stores they visit and preferred payment methods for goods. Oracle gathers this information through cookies, tracking pixels, device identification, cross-device tracking and buying data from outside parties. Oracle then analyzes the data and sells it, according to the lawsuit.
Oracle tracking technology is so ubiquitous, according to the lawsuit, that trackers for its AddThis webpage bookmarking tool were found on four states’ online COVID-19 information pages and websites offering resources for undocumented immigrants and domestic violence survivors.
Oracle provides customers with detailed control panels to segment and target people based on the digital information Oracle has collected, according to the lawsuit.
The plaintiffs “have no reasonable basis to discern the identity of the persons and/or entities that buy or sell information about them on the Data Marketplace,” which could even include governments, police or paramilitary forces in China, Brazil, Mexico, Pakistan and the United Arab Emirates, according to the lawsuit.
Oracle’s $28 billion acquisition of health care information systems provider Cerner, completed in June, could lead to the creation of a unified national health records database owned by Oracle, potentially exposing sensitive health data to commercialization, according to the lawsuit.
“Given the complexity and disguised nature of Oracle’s collection and use of personal information, and the lack of any direct relationship between Oracle and the Plaintiffs and Class members, there is no reasonable basis for Plaintiffs and the Class members to know the extent to which Oracle is obtaining their data, tracking them, and selling their data or services derived from their data,” according to the lawsuit.
It continued: “There is asymmetry of knowledge between Oracle and the data subjects it exploits, including Plaintiffs and the members of the Class, in that Oracle has an complete knowledge of its data collection and data exploitation practices, but Plaintiffs and Class members have no direct relationship with Oracle regarding these practices and no reasonable basis to discern those practices nor the nature of the practices directed at them.”
Meanwhile, similar legal challenges in the Netherlands and United Kingdom against Oracle and Salesforce have stalled, according to TechCrunch. Privacy Collective, the organization behind the Dutch lawsuit, is appealing a ruling that the group doesn’t have legal standing. The U.K. lawsuit is awaiting the outcome of a privacy lawsuit against Google – in which the court said individuals must show that they suffered damage or a loss to claim compensation against Google.