Internet users in line for £500 per person damages from Oracle and Salesforce after class action filed at High Court of England and Wales
- Privacy campaigner Dr Rebecca Rumbul files legal action against US corporations Oracle and Salesforce; claim worth in excess of £10 billion for benefit of internet users in England & Wales
- Largest digital privacy class action ever filed at the High Court in London could lead to awards of £500 compensation for every UK internet user
- Oracle and Salesforce tracking internet users across some of the UK’s most popular websites including Spotify, Autotrader, Barclaycard, eBay and TripAdvisor
Digital rights campaigner Dr Rebecca Rumbul has filed a claim at the High Court in London for damages estimated in excess of £10 billion for consumers in England and Wales for a breach of their data privacy by US corporations Salesforce and Oracle. The claim, filed by Rumbul, is based on breaches of GDPR through the Data Protection Act by the two US companies in their processing of personal information used by their Ad Tech platforms. A parallel legal case is being run by The Privacy Collective Foundation in the Netherlands which could take the total damages awarded to in excess of €15 billion.
The case will be one of the biggest class actions that the High Court in England and Wales has heard to date and aims to fundamentally change the approach of multinational corporations in their development of intrusive profiles of internet users for advertising purposes.
The claim could lead to compensation awards available to every internet user in England and Wales of £500 per person per company – paid by Oracle and Salesforce. Oracle and Salesforce have a combined valuation of $350 billion.
Dr Rebecca Rumbul said:
Oracle and Salesforce have assembled intrusive databases on internet users with Salesforce owning Salesforce Audience Studio (formerly known as Krux), and Oracle owning Oracle DMP (formerly known as Bluekai). Some of the most visited websites in the UK, including Amazon, Ikea, eBay, Autotrader, Skyscanner, Booking.com, Tripadvisor, Comparethemarket.com, Paypal, Barclaycard, Spotify, Dropbox, IMDb, and Weather.com, pass on cookies from Bluekai (Oracle) or Krux (Salesforce) to capture information about users as they surf the internet. The incidence of this tracking has affected (and continues to affect) almost every internet user, suggesting that for years users have had their privacy rights breached.
By leveraging cookies in conjunction with powerful databases, companies like Salesforce and Oracle can create a profile of users based on their online behaviours for instance what they read, watch, listen to, comment on and engage with online. This data can be merged with other information including users’ location, and credit references. Together this data can include, or be used to infer, information about users’ interests, physical and mental health, financial situation, levels of education, religious affiliations, and even political leanings.
Since the GDPR came into effect, Oracle and Salesforce have been required to get informed consent from internet users in order to collect and share their personal data through cookies and other technologies. The case alleges that the companies tracking across multiple websites across the internet and the way the data they collect is used for both advertising real-time bidding and resale to third parties means they can’t provide adequate information or obtain the requisite consent from users.
The case is being led by law firm Cadwalader for the claimant, Dr Rebecca Rumbul, who represents the interests of all citizens in England and Wales whose personal data has been used without their consent and knowledge by Oracle and Salesforce.
A parallel case has been filed by The Privacy Collective Foundation, represented by the law firm bureau Brandeis, earlier this year in the Netherlands at the District Court of Amsterdam. It is estimated that together, both the England & Wales and Dutch claims could exceed €15 billion. The claims are being fully funded by Innsworth, a leading litigation funder. Innsworth is also funding Sir Walter Merricks’ (former Chief Ombudsman at the Financial Ombudsman Service) class action for 46 million consumers against Mastercard in the London courts.
In 2021, the Supreme Court will decide upon the landmark Lloyd v Google case, which if favourable will pave the way for opt-out representative actions for privacy breaches. All parties to Dr Rumbul’s case have agreed the proceedings will be stayed until after the outcome of the landmark Supreme Court ruling.
Anyone who uses the internet and is targeted by advertising in England and Wales is encouraged to register their support for the legal action online at www.theprivacycollective.eu.
Notes for Editors
For interviews with Dr Rebecca Rumbul, please contact:
- Valerie Oladeinde at 89up on firstname.lastname@example.org
- Saskia Kerkvliet at 89up on email@example.com / 07708977145
About Rebecca Rumbul
Dr Rebecca Rumbul, is the designated class representative of the case filed by The Privacy Collective at the High Court of England and Wales. Rebecca is Head of Research at MySociety, a non-profit pioneering the use of online technologies to empower citizens to engage in greater civic participation, as well as a Council Member and Non-Executive Director of the Advertising Standards Authority. Rebecca is a leading global expert in digital democracy, and previously worked as a Data Protection Development Manager at the Information Commissioner’s Office in Wales. She has a PhD from the Open University in Politics and Governance.
About The Privacy Collective
The Privacy Collective is a Netherlands based foundation that has joined forces with Rumbul, to run a broader privacy campaign in support of their respective claims. In the campaign leading legal and academic experts, and civil society activists speak out against the data misuse of Oracle and Salesforce and support the claims in both the Dutch and the UK action. These initiatives aim to fill the gap where regulators, that do not have the manpower and resources to properly implement the law, allow companies to unlawfully collect and sell the data of millions of internet users in the UK and across Europe without ramifications.