Privacy Experts Sue Oracle in Class Action Suit for Non-Consensual, Unlawful Data Collection: Summary

Software giant Oracle, owner of Java, ad tech, and data aggregation platforms, is being sued in California for large-scale privacy violations

Three privacy experts are taking on Oracle for unlawful, non-consensual data collection and processing of ‘hundreds of millions’ of people surfing the web. The petitioners seek compensation for the ‘financial, dignitary, reputational, and relational harms’ caused by Oracle, and a judicial verdict that Oracle’s ‘unlawful’ behaviour must come to a halt.

Filed in a North California District Court on August 19th, the class-action suit alleges that the data-broker-giant’s business practices ‘amount to a deliberate and purposeful surveillance of the general population via their digital and online existence’.

The petition notes that ‘Oracle and other data brokers act as central nodes in the “adtech” network, where massive volumes of personal information on the world’s population is aggregated and used to identify and profile individuals for “targeted advertising” or other commercial and political purposes.’ 

However, users are unaware that their online activities and personal information and data are being intercepted, profiled, and sold through Oracle’s in-built surreptitious software. For users, non-consensual data processing and collection amount to substantive privacy violations and a loss of autonomy over how their personal information is disseminated—although this business model currently earns Oracle billions.

Why it matters: Ad-tech is largely considered to be overwhelmingly invasive—it profiles users, benefits monopolist advertisers, and egregiously violates an individual’s privacy. This has led to multiple attempts across the world to shift to a privacy-by-design ad-tech model. Or, at the very least, to take non-consensual ad-tech profiling to task, as this lawsuit does.

This isn’t the first time that data brokering has invited criticism in the United States. Democrat Senator Ron Wyden from Oregon has previously argued that ‘[d]ata brokers are serving as shady middlemen to sell [consumers’] personal information without any legal protections’, while urging the Consumer Financial Protection Bureau to act on the issue. The Federal Trade Commission has also raised its eyebrows at data brokers, and their ‘staggering’ collection of ‘highly personal information that people choose not to disclose even to family, friends, or colleagues’.

How is Oracle Allegedly Profiling People Online?

A market leader in database storage and management software, Oracle also earns substantially from its data brokerage. According to the petition:

As a data broker, Oracle facilitates the buying and selling of digital data, including personal information, among private commercial and governmental entities. Oracle operates a data management platform called the BlueKai Data Management Platform, which includes two key features: the Oracle Data Marketplace and the Oracle ID Graph. The Oracle Data Marketplace is one of the world’s largest, if not the largest, commercial data exchange, with a broad impact upon the lives of most Americans and many millions of people worldwide. 

For example, Oracle ID Graph helps advertisers match ‘individual customer identities’ into a single, comprehensive profile, improving their ability to target consumers. This ‘identity resolution’ entails synchronising reams of personal data collected on an individual while they use the Internet. On the flip side, this means that Oracle purportedly has access to ‘virtually everything ascertainable in electronic form about [an individual] ... from where they live, to the media they consume, to the things they buy, to the views they hold.’

A snapshot of Oracle’s vast data collection processes included in the class-action suit.

Introducing the Petitioners

Michael Katz-Lacabe: A California-based privacy rights activist, and the founder of the Center for Human Rights and Privacy which promotes human and privacy rights in the US. On May 4th, 2022, Oracle sent Katz-Lacabe a document indicating that it had created an ‘electronic profile’ on him by non-consensually tracking, compiling, and analysing his browsing online.

Dr. Jennifer Golbeck: Florida resident and an Associate Professor at the University of Maryland in College Park. Dr. Golbeck is the Director of the Social Intelligence Lab. On March 10th, 2022, she received a similar notice from Oracle that an electronic profile had been non-consensually compiled on her based on her browsing behaviour.

Dr. Johnny Ryan: Dublin-based Senior Fellow at the Irish Council for Civil Liberties and the Open Markets Institute. Oracle compiled information on netizens in the EU and UK until at least September 2020. It announced that it would disable this operation in the region after it was named in a class-action suit (along with Salesforce) in the UK and Netherlands in August 2020 for GDPR violations (potentially amounting to penalties of up to $11.7 billion). As the petition notes, however, ‘on information and belief, at least until September 2020, Oracle tracked Dr. Ryan’s internet activity, created profiles of him as described below, and made his personal information available to third parties without his consent, all during the class period.’

The petitioners are appearing on behalf of themselves and ‘all others similarly situated’.

First Cause of Action: Privacy Invasions Under the California Constitution (On Behalf of the California Sub-Class)

Oracle ‘lacks a legitimate business interest’ in collecting vast troves of personal data on the petitioners and California Sub-class. Also, the right to privacy as defined in California’s Constitution protects its residents against private actors like Oracle, argue the petitioners. Oracle’s unnecessary stockpiling of data, which creates ‘cradle-to-grave’ profiles of residents, has damaged the petitioners’ and sub-class members’ reasonable expectations of privacy under California law. Further, it harms their ability to control the dissemination and usage of their personal information, hampering individual autonomy. This translates to a lack of collective autonomy for millions of Americans, which is otherwise needed for the ‘proper functioning of democratic republics’.

Relief entitled to: Compensation and injunctive relief.

What the law says: Article 1, Section 1 of the California Constitution enshrines the right to privacy, stating that ‘all people are by nature free and independent and have inalienable rights. Among these are enjoying and defending life and liberty, acquiring, possessing, and protecting property and pursuing and obtaining safety, happiness, and privacy’. The privacy provision was added to the Article in 1972, in an attempt to protect residents’ personal freedoms and securities from surveillance and invasive data collection, says the suit.

Arguments: Oracle tracks netizens online using cookies, pixels, and JavaScript (to support its tools like Data Cloud, ID Graph, and Data Marketplace) to build 360-degree profiles on them. These profiles include information on an individual’s electronic purchases, communications, and browsing activity, as well as sensitive information pertaining to race, religion, health, and sexual orientation. What’s more, using specific tracking tools like Datalogix, Oracle tracks individuals’ offline activity—such as purchases at brick-and-mortar stores, or their location. The petitioners have no way of knowing which online or offline activities Oracle is monitoring and collecting data on—as this ‘dragnet-style’ tracking is both non-consensual and surreptitious. The petitioners argue that the right to privacy under the California Constitution was enacted to specifically constrain the creation of such ‘cradle-to-grave’ profiles.

Second Cause of Action: Intrusion Upon Seclusion Under California Common Law (On Behalf of All Classes)

Reiterating the alleged offences committed by Oracle noted above, the petitioners contend that Oracle’s actions are highly offensive, violating their reasonable expectations of privacy. This constitutes an ‘intrusion upon seclusion’ under California Common Law, resulting in damages to the petitioners’ privacy.

Relief entitled to: Compensation and injunctive relief.

What the law says: Under U.S. Common Law, the ‘intrusion upon seclusion’ privacy tort refers to an intentional invasion of someone’s privacy (or ‘seclusion’) that is offensive to a reasonable person and causes suffering. To assert such a claim, the petitioners must plead that a highly offensive intrusion into a private place or matter took place.

Third Cause of Action: Violations of the Unfair Competition Law (On Behalf of All Classes)

Oracle’s allegedly unlawful and unfair business model has reaped billions in profits, even if at the cost of the petitioners’ and class members’ privacy. This amounts to a violation of the Unfair Competition Law (UCL) and the ‘property, economic and privacy interests’ of the petitioners. 

Relief entitled to: Oracle should disgorge allegedly illegal profits, restituting them to the petitioners and Class Members as per an amount decided during the trial.

What the law says: The Unfair Competition Law (UCL) outlaws an ‘unlawful, unfair, or fraudulent business act or practice and unfair, deceptive, untrue or misleading advertising’.

Arguments: Plaintiffs have suffered from both loss of money and property (their personal information) through Oracle’s monetisation of their footprints online. Oracle’s profits are unjust as this surreptitiously collected personal information directly bolsters its commercial enterprises—‘Oracle’s Data Cloud, ID Graph, and Data Marketplace would be worthless without Class members’ personal information,’ argue the petitioners. While Oracle indeed markets its hoards of personal data to prospective clients, petitioners and Class Members remain in the dark as to the full extent of Oracle’s data collection practices. This misleading business model means that they cannot meaningfully consent to data collection, or the security risks inherent to such a large-scale data practice.

Fourth Cause of Action: Violations of the California Invasion of Privacy Act (on behalf of the CIPA Sub-Class)

These substantive privacy invasions and economic losses are facilitated by Oracle’s interception of the petitioners’ communications, amounting to violations of the California Invasion of Privacy Act (CIPA).

Relief entitled to: Injunctive relief, as well as ‘damages for the greater of $5,000 or three times the amount of actual damages’. 

What the law says: In its opening statement of purpose, the CIPA notes that ‘the development of new devices and techniques for the purpose of eavesdropping upon private communications and that the invasion of privacy resulting from the continual and increasing use of such devices and techniques has created a serious threat to the free exercise of personal liberties and cannot be tolerated in a free and civilized society’. It further goes on to punish the wilful, non-consensual interception of any electronic communication by an entity.

Arguments: The petitioners primarily rely on Oracle’s proprietary software ‘bk-coretag.js’ to drive the CIPA violation home. The JavaScript code is placed on a user’s electronic device when they browse a website containing a specific Oracle code. It is used to intercept ‘user attributes’ as they browse the Internet—which includes products they’ve viewed, ‘add-to-cart actions’, and purchasing intent. This information is secretly and contemporaneously sent back to Oracle as it is generated. This tracking is both unauthorised and non-consensual, allege the petitioners, making it ‘unlawful and tortious’.

Fifth Cause of Action: Violations of the Federal Wiretap Act (On behalf of the ECPA Sub-Class)

If users were unaware of Oracle’s interception of their communications—and did not knowingly send communications to Oracle—then it stands that Oracle was not an ‘authorised party to the communication’ in the first place. Or, as the petitioners put it, their communications with websites ‘were simultaneous to, but separate from, the channel through which Oracle acquired the contents of those communications.’ So, Oracle knowingly and intentionally intercepted communications and used this allegedly unlawful data to further its commercial interests. This amounts to violations of the Federal Wiretap Act.

Relief entitled to: Statutory damages, as assessed by the Court during trial; injunctive and declaratory relief; jury-determined punitive damages to prevent similar conduct by Oracle in the future and cover litigation costs.

What the law says: Amended by the Electronic Communications Privacy Act, 1986, the Federal Wiretap Act outlaws the intentional interception of wire, oral, or electronic communications using a device. It protects the communication’s sender and recipient, providing a right of action to anyone whose communications are intercepted in violation of the Act.  

Arguments: Oracle intentionally uses tools like ‘bk-coretag.js’, cookies, and cross-device tracking to contemporaneously transmit the petitioners’ and Class Members’ browsing activity and data to itself. This information—which includes the time and date of visiting a website, a user’s IP address, and data entered into forms—is again intentionally used to ‘enrich’ the 360-degree-profiles it builds on users. What’s more, the petitioners allege that ‘Oracle is aware that it is intercepting communications in these circumstances and has taken no remedial action’.

Sixth Cause of Action: Oracle’s Unjust Enrichment (On Behalf of All Classes)

To sum up, Oracle has allegedly unlawfully ‘trafficked’ the petitioners’ and Class Members’ personal data—for the company to retain profits from these practices would be ‘inequitable and unjust’.

Relief entitled to: The petitioners seek ‘equitable relief including restitution and disgorgement of all revenues, earnings, and profits Oracle obtained as a result of its unlawful and wrongful conduct’.

Seventh Cause of Action: Declaratory Judgment of Unlawful Behaviour (On Behalf of All Classes)

Again, Oracle’s ‘misconduct’ harms the privacy, rights, and economic well-being of the petitioners and Class Members.

Relief entitled to: The petitioners seek injunctive relief, as well as declaratory relief that ‘Oracle wrongfully accessed, collected, stored, disclosed, sold, and otherwise improperly used’ their private data.

This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.

Written By

I'm interested in stories that explore how countries use the law to govern technology—and what this tells us about how they perceive tech and its impacts on society. To chat, for feedback, or to leave a tip: aarathi@medianama.com

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ
