Security news that informs and inspires

GDPR Lawsuit Targets Oracle, Salesforce Use of AdTech Cookies

A consumer privacy campaign group has filed a lawsuit against Salesforce and Oracle for allegedly violating the European Union’s General Data Protection Regulation over the companies' use of data collected by third-party cookies.

The lawsuit from the Privacy Collective claimed that Oracle and Salesforce were collecting personal data without proactive user consent and then selling the information to other companies via an auction without users’ knowledge. The Privacy Collective filed the class-action lawsuit in Amsterdam and plans to file another in London later this month.

The crux of the lawsuit focuses on how companies share information about internet users through “real-time bidding,” an auction process used in online advertising to dynamically determine wich ads get displayed to users. When a user visits a page, the publisher offers the advertising space to advertisers in an auction, and provides information about the user to help advertisers decide how much to bid. Hundreds of advertisers take part in the auction and can access that information. The personal data—frequently collected via third-party cookies and other tracking technologies—may include location, device identifiers, and general demographics such as gender and age of the potential viewer. Only the auction winner’s ad will be displayed to the internet user, but all the advertisers taking part can see the data. The auction and bidding happens in milliseconds, hence the name “real-time” bidding.

“There’s a lot of conduct going on behind the scenes that the average internet user has no knowledge of,” Christiaan Alberdingk Thijm, co-founder of Bureau Brandeis, the firm representing the claimants, told DutchNews.nl. “They have all this information and you are put into a certain ‘audience’. On the basis of this shadow identity they will ensure you see, read, listen to and buy for a certain price what they think is fit for you.”

The Privacy Collective alleged that Oracle and Salesforce used third-party cookies Bluekai and Krux to misuse consumers’ personal data. The cookies are used for dynamic ad pricing services and can be found on a range of websites including Amazon, Booking.com, Dropbox, Ikea, Reddit, and Spotify. Oracle acquired BlueKai in 2014 and Salesforce acquired Krux in 2016.

Under GDPR, organizations must obtain explicit—freely given, specific, informed, and unambiguous—consent to place cookies on user devices. Privacy groups claim that advertisers do not properly obtain consent to place cookies and other tracking technologies to collect personal data for use in RTB. The mere fact that the information is broadcast to so many other advertisers is the opposite of privacy by default, and the opposite of what is meant when users are asked to give informed consenst on how their information is used.

Many companies use the information to build a profile of the user (male in 30s living in an urban area who is married and likes to go hiking), which goes beyond just individual data points, as it reveals preferences and online activities. All the information can eventually be linked into a universal profile per consumer. The Privacy Collective claimed that the use of third-party cookies and RTB result in unlawful processing of users’ personal data without proper consent. Users cannot avoid having their information being compiled into a profile, and cannot control how the personal details are being used.

This global ID practice is illegal under GDPR, and this lawsuit is bringing it to light," Dutch data management company Relay42 wrote. "It's about more than just operating outside of consumer expectations or understanding—consumers flat-out have not given permission for their data to be used in this way.

“Salesforce disagrees with the allegations and intends to demonstrate they are without merit. Our comprehensive privacy program provides tools to help our customers preserve the privacy rights of their own customers,” Salesforce told the Dutch news site.

“As Oracle previously informed the Privacy Collective, Oracle has no direct role in the real-time bidding process, has a minimal data footprint in the EU, and has a comprehensive GDPR compliance program,” Dorian Daley, Oracle executive vice president and general counsel, said in a statement.

Earlier this month, a group of Congressional lawmakers urged the Federal Trade Commission to look into whether real-time bidding violated federal laws barring unfair and deceptive business practices.

“The significance of the ruling, when it comes, cannot be overstated” Elizabeth Kilburn, an associate in the law firm Wedlake Bell, wrote for Computer Business Review. Enterprises need to consider the role they play in adtech and their use of RTBs. Companies should “review processes, systems and documentation” relating to adtech and assess what special categories of personal data are being processed in connection with RTB, she recommended.