Oracle and Salesforce to Face GDPR Lawsuit

A consumer privacy campaign group has filed a lawsuit against American companies Salesforce and Oracle over an alleged breach of the EU's General Data Protection Regulation laws. 

The Privacy Collective claims that the companies collect users' personal data without proactive user consent and then auction it off to other companies without users' knowledge. The group has claimed that the suit could cost the California-based companies up to $10bn in fines.

On Friday, the class-action lawsuit was filed in Amsterdam, becoming the biggest class action to be lodged over an alleged violation of GDPR in the history of the Netherlands. The suit asks for a €500 payment for each user who has not consented to the use of their sensitive personal data. 

A similar claim will be filed later this month by the Privacy Collective at the High Court in London.  

Salesforce is an American cloud-based software company headquartered in San Francisco. Oracle Corporation is an American multinational computer technology corporation that operates from headquarters in Redwood Shores.

The Privacy Collective alleges that the two tech companies used third-party cookies Bluekai and Krux to misuse consumers’ personal data. The cookies, which are hosted on multiple websites including Ikea, Twitch, Dropbox,, and Comparethemarket, are used for dynamic ad pricing services.

The privacy campaign group alleges that Oracle and Salesforce held on to personal data that consumers had not proactively consented to share and took an inconsistent approach to securing sensitive information. The suit further accuses the companies of facilitating sales using harmful ads.

According to the Privacy Collective, both companies sell profiles created from the personal data they have gathered from users to other companies via real-time bidding without the knowledge or consent of the users. 

Oracle general counsel Dorian Daley said: “Oracle has no direct role in the real-time bidding process, has a minimal data footprint in the EU, and has a comprehensive GDPR [privacy] compliance program.”

A spokesperson for Salesforce said: “Salesforce disagrees with the allegations and intends to demonstrate they are without merit. Our comprehensive privacy program provides tools to help our customers preserve the privacy rights of their own customers.”

What’s Hot on Infosecurity Magazine?