A Dutch appellate court has ruled that Oracle and Salesforce must continue defending themselves in a significant class-action lawsuit concerning the use of cookies for their Data Management Platforms (DMPs). The case, initiated by The Privacy Collective (TPC), a Dutch non-profit focused on consumer privacy, underscores crucial issues surrounding GDPR compliance. TPC alleges that Oracle and Salesforce deploy cookies to gather extensive personal data, which they then process into detailed user profiles sold to third parties for targeted advertising via Real Time Bidding (RTB).
The court outlined TPC’s accusations, highlighting the process by which Oracle and Salesforce allegedly initiate data collection through cookies placed on users’ devices. This data is enriched with additional information from various sources to create comprehensive profiles used in RTB auctions. In response, Oracle and Salesforce contend that they do not place these cookies themselves; rather, they argue that website operators are responsible for this action. They assert their role as providers of tools for data segmentation, emphasizing that they do not engage in direct advertising services or profit from data sales.
Salesforce echoes Oracle’s stance, emphasizing its role as a software provider that enables customers to manage interactions with internet users through its DMP. Salesforce denies involvement in personal data collection for commercial purposes and maintains that its revenue stems solely from software licenses. The lawsuit seeks substantial compensation for an estimated 10 million Dutch users, aiming to hold Oracle and Salesforce accountable for alleged GDPR violations. The litigation underscores ongoing debates about responsibility and liability in data privacy and digital advertising landscapes.
