Oracle’s Huge Ad Database Operates Without User Consent, Lawsuits Say

Oracle is facing a class action lawsuit over its alleged use of extensive data aggregation to match sensitive information of hundreds of millions of customers without informed consent.

In addition to its role as a data management, cloud and enterprise solutions company, Oracle also acts as a data broker and operates Oracle Data Marketplace – the world’s largest third-party data marketplace.

The complaint alleges that Oracle’s current consent notice for data collection does not support the use of cookies and tracking pixels from Oracle’s BlueKai data management platform to collect and store data. sensitive individuals, including address, life events such as marriage or childbirth, education, and purchase history.

This, he says, creates an inordinately detailed picture of each of the millions of customers in his database. The main grievance described in the complaint relates to the aggregation of this data in Oracle’s “identification graph”, which matches sensitive data drawn from disaggregated sources to existing data profiles on US citizens and individuals around the world. entire, in order to inform targeted advertising.

Oracle Chairman Larry Ellison is credited with claiming there were five billion people in Oracle’s ID chart in 2016.

Internal documentation released by Oracle credits its BlueKai cookies and ID graphs with successfully collecting data from more than 155 million US households. Other tools such as AddThis, a widget service acquired by Oracle in 2016, track user activity on more than 15 million websites, enabling the identification of 1.9 billion unique users.

The complaint notes that the cookies and pixels provided with AddThis are used without user notice or consent.

Much of the complaint relates to this issue of consent. The plaintiffs allege that Oracle is guilty of invasion of privacy under the California Constitution, which lists “privacy” as an inalienable right of California citizens, and of violating the California Invasion of Privacy Act.

“Oracle knows, or reasonably ought to know, that Internet users such as Plaintiffs and Class Members do not have sufficient knowledge or basis to reasonably understand the extent to which Oracle obtains their data, tracks their activity, and compiles into digital records, nor the profoundly invasive and detailed nature of those records,” the complaint reads.

Unlike the UK and EU GDPR, the US does not have federal digital privacy legislation, so national privacy laws are one of the few ways individuals can assert their privacy rights in court.

In 2020, a lawsuit filed in the Netherlands accused Oracle of GDPR violations in its processing of personal data through third-party cookies. BlueKai was specifically named in this lawsuit, with an expert noting that “everyone who has ever used the internet is at risk with this technology.”

“It may be largely hidden, but it’s far from harmless,” said Dr Rebecca Rumbul, the group’s representative and plaintiff in the lawsuit in England.

At the time, Oracle called the lawsuit a “baseless action based on willful misrepresentation of facts.” Earlier in 2022, the lawsuit was dismissed, although the new complaint claims that in response to the UK/NL lawsuit, Oracle “ceased some of the practices complained of in this lawsuit just weeks after it was filed”.

Oracle declined to provide comment to IT Professional.

Featured Resources

Dematerialize in 90 days

The three steps to fast and efficient scanning

Free download

Navigate your hybrid cloud vision

Ensure business continuity and reduce IT acquisition costs with an on-premises private cloud

Free download

Successful Enterprise Application Modernization Requires Hybrid Cloud Infrastructure

Maximize business results with a secure and reliable modern infrastructure

Free download

Find out how you can get over 200% ROI with Workplace

How Workplace can help your frontline workers

Free download