Salesforce and Oracle face GDPR lawsuit relating to cookies

17 Aug 2020


The Privacy Collective claims that its lawsuit against the two companies could amount to €10bn in damages being paid out to consumers.

European non-profit foundation The Privacy Collective has filed class-action lawsuits against Oracle and Salesforce, claiming that the two companies have breached GDPR in relation to how they process and share personal data collected in cookies.

The lawsuit has been filed in the Netherlands, with plans for a separate lawsuit in England and Wales to be filed later this month.

The Privacy Collective claims that Oracle and Salesforce are unlawfully collecting and processing the data of millions of internet users to carry out real-time bidding ad auctions, which is incompatible with the EU’s strict laws around consent to process personal data.

Christiaan Alberdingk Thijm, lead lawyer in the case, said: “This is one of the largest cases of unlawful processing of personal data in the history of the internet. Almost every Dutch individual who reads or views information online is structurally affected by the practices of Oracle and Salesforce. Practices that merely serve a commercial purpose.”

The claim

The Privacy Collective claims that Oracle and Salesforce collect data from website visitors on a large scale and, by combining this with additional information, can create a personal profile of each individual user. These profiles are then used to offer personalised online ads and are unlawfully shared with commercial parties such as ad-tech companies, the lawsuit alleges.

“Most people do not know that they have such an online ‘shadow profile’,” Alberdingk Thijm added. “They don’t know what it looks like and have certainly not given legitimate consent. These parties violate internet users’ right to privacy. The right to protection of personal data and the right to protection of privacy are recognised as fundamental rights.”

The litigation argues that the two companies are misusing data through their third-party tracking cookies, BlueKai and Krux, which are hosted on websites such as Amazon, Dropbox, Reddit and Spotify, among many others.

Salesforce purchased Krux in 2016 and Oracle bought BlueKai for a reported $400m in 2014.

‘Giving GDPR teeth’

Joris van Hoboken, a board member of The Privacy Collective and a professor in information law, said that claiming damages in a class action suit is “an important tool to ensure the enforcement of the GDPR” and “gives GDPR teeth”.

The collective has called upon individual consumers to register in order to show support. It claims, based on the suspected number of affected users in the Netherlands, that the total extent of the damages could exceed €10bn.

Led by Dutch law firm Bureau Brandeis, the lawsuit marks the largest ever class action in the Netherlands related to the violation of GDPR.

Class representative and claimant in England and Wales, Dr Rebecca Rumbul, told TechCrunch: “There is, I think, no way that any normal person can really give informed consent to the way in which their data is going to be processed by the cookies that have been placed by Oracle and Salesforce.

“When you start digging into it, there are numerous, fairly pernicious ways in which these cookies can and probably do operate – such as cookie syncing and the aggregation of personal data – so there’s really, really serious privacy concerns there.”

Kelly Earley was a journalist with Silicon Republic