GDPR Legal Action for Oracle & Salesforce for Improper Data Collection Practices

In the United States a legal action has been filed by a consumer privacy campaign group against Salesforce and Oracle, alleging that both entities have breached the European Union’s General Data Protection Regulation with the data collection activity.

The group, known as the Privacy Collective, is claiming that Salesforce and Oracle had not received adequate authorization from users’ prior to collecting their private data. Additionally they auctioned it to other companies without the data subjects being informed that this would be done. The legal action was filed in the Netherlands last Friday and is seeking a €500 payment for each user who did not provide authorization for this use of their sensitive personal data.

The Privacy Collective is claiming that the two groups made a profit by selling profiles that were formulated using the personal data that they gathered in this fashion. They did so by making the data available to buy, via real-time bidding.  In addition to this the suit alleges that the two tech firms used third-party cookies Bluekai and Krux to improper use consumers’ personal data. The cookies, which are hosted on multiple websites including Ikea, Twitch, Dropbox,, and Comparethemarket, are used for dynamic ad pricing services. Finally, there is an allegationthat Oracle and Salesforce stored personal data that consumers had not proactively consented to share and took an inconsistent approach to securing sensitive information. The suit further accuses the companies of facilitating sales using harmful advertisements.

The group has claimed that the suit could cost the California-based companies up to $10bn in fines. Legal representative for Oracle Dorian Daley said: “Oracle has no direct role in the real-time bidding process, has a minimal data footprint in the EU, and has a comprehensive GDPR [privacy] compliance program.”

Meanwhile a Salesforce representative released a statement which said: “Salesforce disagrees with the allegations and intends to demonstrate they are without merit. Our comprehensive privacy program provides tools to help our customers preserve the privacy rights of their own customers.”

The legal action is the biggest class action to be lodged over an alleged violation of GDPR in the history of the Netherlands and come before a similar action is due to be filed at the UK High Court in London later in August.