Enterprise technology giant Oracle created dossiers on people that included information about their political views and online purchases, and sold them to third parties without their consent for targeted advertising and other purposes, a class action lawsuit has claimed.
The company also allows third party “data brokers” to “traffic in” personal information on its Oracle Data Marketplace obtained without the consent of data subjects, three privacy activists allege in the legal action filed in a California court last Friday.
They said they are bringing the action against Oracle “to enforce their fundamental right to privacy, seek redress and compensation for the financial, dignitary, reputational and relational harms Oracle has caused, and obtain a ruling that Oracle’s conduct is unlawful and therefore must stop”.
The complaint against Oracle alleges violations of the US Federal Electronic Communications Privacy Act, the constitution of the state of California and the California Invasion of Privacy Act among others.
Johnny Ryan, senior fellow at the Irish Council for Civil Liberties, is one of three lead plaintiffs in the lawsuit.
Having, by Oracle co-founder and executive chairman Larry Ellison’s own estimates, compiled dossiers of personal information on five billion people across the world, Dr Ryan and his co-plaintiffs — US privacy activists Mike Katz-Lacabe and Dr Jen Golbeck — said the S&P 500 company also “co-ordinates a global trade in dossiers about people through the Oracle Data Marketplace”.
“Oracle and other data brokers act as central nodes in the ‘adtech’ network, where massive volumes of personal information on the world’s population is aggregated and used to identify and profile individuals for ‘targeted advertising’ or other commercial and political purposes,” the plaintiffs noted in their complaint, filed in the United States district court for the northern district of California.
In September 2020, US trade publication AdWeek reported that Oracle would no longer offer third-party data targeting services in Europe. This came shortly after the company and its fellow data giant Salesforce were hit with two lawsuits, one in the UK and one in the Netherlands, alleging that they had engaged in mass surveillance in breach of the European General Data Protection Regulation (GDPR).
Specifically, Dr Ryan alleges that Oracle tracked his “internet activity, created profiles of him ... and made his personal information available to third parties without his consent” until at least September 2020 when it ceased these activities in Europe.
Dr Ryan and his co-plaintiffs said Oracle also partners with 65 brokers of third-party information, allowing them to sell data on its Oracle Data Marketplace.
Examples of the kind of information sold on the marketplace include location-tracking and “real-time GPS signal,” the plaintiffs said, as well as segments based on detailed political information.
“Some are avowedly partisan in doing so,” the plaintiffs said, with one company billing itself as “the leading data and technology resource for the pro-free market political and advocacy community” with a database of “199 million voters” in the United States.
Oracle “provides, and profits from, this data marketplace” that allows third-party data brokers to “traffic in” personal information, the plaintiffs allege.
“Oracle tracks the lives of the general public in a manner that is opaque, if not invisible, to the people it follows, as they have no direct relationship with Oracle,” the plaintiffs claim.
In a statement, Dr Ryan said: “Oracle has violated the privacy of billions of people across the globe. This is a Fortune 500 company on a dangerous mission to track where every person in the world goes, and what they do. We are taking this action to stop Oracle’s surveillance machine.”
A spokesman for Oracle declined to comment.