A Dutch appellate court has ruled that Oracle and Salesforce must continue defending a class-action lawsuit relating to the use of cookies to gather and track personal information for their Data Management Platforms (DMPs).
The case raises issues about who is responsible when websites use third-party data platforms to track users, and relies on the European Union’s General Data Protection Regulation (GDPR). The lawsuit’s plaintiff is The Privacy Collective (TPC), a Dutch non-profit focused on consumer privacy issues.
In the decision, the court summarized TPC’s accusations against both Oracle and Salesforce: “Oracle and Salesforce collect personal data from Internet users in the context of the DMP service they offer, process it in detailed profiles and sell this information to third parties to enable them, among other things, to offer personalized advertisements on websites. According to TPC, this data collection starts with Oracle and Salesforce placing a cookie on the internet user’s equipment (and) personal data is collected. Oracle and Salesforce enrich the data and other unique identifiers collected through the cookie with information from alternative sources. According to TPC, Oracle and Salesforce build a profile on a daily basis to provide the most complete overview possible of the character traits and interests of the person in question. The purpose of the data processing is, among other things, to share the Internet user’s profile in a process called Real Time Bidding (hereinafter: RTB). The profile of the internet user is offered to advertisers in a very fast, fully automated process for a fee, in order to show personalized advertisements on websites.”
