News
The Gist
- Oracle settles privacy lawsuit for $115 million. Oracle agrees to a $115 million settlement for a lawsuit alleging illegal data collection and third-party sales of personal information.
- Plaintiffs accused Oracle of invasive surveillance. Plaintiffs claimed Oracle violated privacy laws by using invasive tracking technologies and selling detailed user profiles without consent.
- Oracle exits adtech business amid legal pressure. Following the lawsuit, Oracle shut down its AddThis tool and announced plans to exit the ad tech business due to falling revenues and privacy regulations.
Oracle agreed yesterday to pay $115 million to settle a lawsuit claiming the customer and employee cloud software giant collected personal information and sold it to third-party companies, according to a report from Reuters.
Oracle admitted no wrongdoing in settling the 2022 class-action lawsuit filed in Northern District of California court.
Lawsuit Claimed Oracle Violated Consumer Privacy Rights
In a landmark class-action lawsuit filed in the Northern District of California, plaintiffs Michael Katz-Lacabe, Dr. Jennifer Golbeck and Dr. Johnny Ryan accused Oracle America, Inc. of conducting extensive and invasive surveillance on internet users. The complaint alleged that Oracle's practices violated privacy rights and benefitted financially from data aggregation and sale without user consent.
Key Allegations Against Oracle in the Original Lawsuit:
- Data Collection Practices: Oracle employs multiple methods to gather personal data, including cookies, JavaScript code and tracking pixels. These technologies intercept user communications and track behaviors without notice or consent.
- Oracle ID Graph: The company compiles detailed profiles by aggregating data from various sources. This includes not only online activities but also offline data like purchase histories from retailers' loyalty programs. The Oracle ID Graph helps identify users across different devices and channels, enabling targeted advertising.
- Lack of Consent: The lawsuit emphasizes that the plaintiffs and class members have no direct relationship with Oracle and cannot legally consent to the data collection practices.
- Privacy Violations: The plaintiffs argue that Oracle’s surveillance practices infringe on individual privacy rights as recognized under California law, including the California Invasion of Privacy Act and the Federal Wiretap Act.
- Commercial Benefit, Selling to Marketers: Oracle's data brokerage operations generate substantial revenue by selling detailed personal information to third parties, including marketers and governmental entities.
- Impact of Surveillance: The lawsuit highlights the pervasive nature of Oracle's tracking, which includes sensitive information like health data, shopping habits, and even location data. This comprehensive surveillance poses significant privacy risks to individuals.
Related Article: Why Did Oracle End Its Advertising Business?
How Oracle Responded After the Consumer Privacy Lawsuit
Oracle following the lawsuit shut down AddThis, a data collection tool, and announced plans to exit the ad tech business altogether by September 30, 2024. It did just that, shutting down its entire advertising business. CMSWire explained why and the greater impact on the adtech and martech industries.
Oracle's CEO cited falling revenues and strengthening global privacy regulations as reasons for this decision. According to the Oracle lawsuit settlement filed this week, plaintiffs claimed AddThis was a highly privacy-invasive data collection mechanism in their initial and amended complaints.
Oracle shut down AddThis on May 31, 2023 — a week after Plaintiffs filed their first amended complaint on May 22, 2023. On June 11, 2024, just over 30 days after committing to the business practice changes in the parties’ May 8, 2024 binding term sheet, Oracle’s CEO announced that it would be exiting the ad tech business altogether.
Specifically, Oracle has confirmed that its ad tech products — including Oracle Cloud Data Management Platform (comprising the BlueKai business, including the BlueKai “Core Tag” tracking mechanism and associated cookies and pixels, Datalogix, and the Data Marketplace); Digital Audiences (including OnRamp, the primary Oracle service utilizing Oracle’s ID Graph); and Cross-Device tracking — will no longer exist as of September 30, 2024.
Oracle has also announced that it will automatically delete its customers’ data “once [its] obligations are met,” and will “end relationships with data providers.”
According to the lawsuit, while Oracle’s CEO cited falling revenues for its decision, media reports stated that “there is a near-universal view" that this decision also reflects the impact of “strengthening privacy rules around the world.”
The case sought to enforce privacy rights, demanded compensation for affected individuals and obtained injunctive relief to halt Oracle’s alleged unlawful practices. The plaintiffs asserted that Oracle’s conduct, deeply rooted in surveillance since its inception, must be regulated to protect individual privacy in the digital age.
This case underscores the ongoing tension between data-driven business models and privacy rights, setting a significant precedent in the evolving landscape of digital privacy law.
Have a tip to share with our editorial team? Drop us a line:
