Oracle's massive advertising database operates without user consent, lawsuit claims

Oracle is facing a class-action lawsuit over its alleged use of extensive data aggregation to match the sensitive information of hundreds of millions of customers without informed consent.

In addition to its role as a data management, cloud, and enterprise solutions firm, Oracle also acts as a data broker, and runs Oracle Data Marketplace - the largest third-party data marketplace in the world.

The complaint alleges that Oracle’s current notice of consent for data collection does not justify the use of the Oracle’s BlueKai Data Management Platform cookies and tracking pixels to collect and store sensitive data of individuals including address, life events such as marriage or childbirth, education, and purchase history.

This, it states, builds up an excessively-detailed picture of each of the many millions of customers within its database. The major grievance outlined in the complaint is with the aggregation of this data within Oracle’s 'ID graphing', which matches sensitive data drawn from disaggregated sources to existing data profiles on US citizens and individuals around the world, in order to inform targeted advertising.

Oracle chairman Larry Ellison is credited as having claimed that there were five billion people in Oracle’s ID graph by 2016.

Internal documentation published by Oracle credits its BlueKai cookies and ID graphing with the successful collection of data of more than 155 million US households. Other tools such as AddThis, a widget service that Oracle acquired in 2016, tracks user activity on over 15 million websites, enabling the identification of 1.9 billion unique users.

The complaint notes that the cookies and pixels bundled with AddThis are utilised without prior notice or user consent.

Much of the complaint focuses on this issue of consent. The plaintiffs allege that Oracle is guilty of an invasion of privacy under the California constitution, which lists “privacy” as an inalienable right of the citizens of California, and of violating the California Invasion of Privacy Act.

“Oracle knows, or reasonably should know, that Internet users such as Plaintiffs and Class members have insufficient knowledge or basis to reasonably comprehend the extent to which Oracle is obtaining their data, tracking their activity, and compiling it into digital dossiers, nor the deeply invasive and detailed nature of those dossiers,” the complaint reads.

Unlike the UK and EU GDPR, the US has no federal digital privacy legislation, so state privacy laws are one of the few avenues by which individuals can assert rights to privacy in court.

In 2020, a lawsuit filed in the the Netherlands accused Oracle of GDPR violations in its handling of personal data through third-party cookies. BlueKai was specifically named in this lawsuit, with one expert noting that "Everyone who has ever used the internet is at risk from this technology".

“It may be largely hidden but it is far from harmless," said Dr Rebecca Rumbul, class representative and a claimant on the suit in England.

At the time, Oracle dubbed the lawsuit a "meritless action based on deliberate misrepresentations of the facts". Earlier in 2022, the suit was dismissed, although the new complaint claims that in response to the UK/NL suit, Oracle did “cease certain of the practices complained of in that lawsuit only weeks after it was filed”.

Oracle declined to provide comment to IT Pro.