Class-action lawsuits alleging GDPR violations have been filed against Oracle and Salesforce, in what could be a harbinger of things to come regarding enforcement of data privacy laws, specifically on the data collected and processed using website cookies.
What’s this lawsuit all about?
The lawsuits, filed by the European nonprofit group The Privacy Collective, claims that Oracle and Salesforce collect data from website visitors on a massive scale, then combine this data with additional information to create a personal profile of each individual website visitor. The information in these profiles is then shared with businesses such as ad-tech companies to offer targeted advertisements to website visitors, even if the visitor doesn’t sign up for an account (as we’ve explained before, this is why if you are looking for a pair of shoes online, for the next few months you’ll likely get advertisements on different websites to buy those or similar shoes).
Under GDPR, website visitors have to provide explicit consent or “opt-in” to the collection and transfer of their personal data; this lawsuit alleges that Salesforce and Oracle have not properly obtained this consent, which would violate the rights granted to individuals under GDPR.
Why is this lawsuit important?
Many companies have flouted GDPR since it was implemented in 2018, and privacy advocates have complained that regulators have not enforced GDPR in the capacity that the law was intended. Given the widespread usage of website cookies by companies of all shapes and sizes, if these cases are successfully prosecuted, they may send a signal to the broader market that regulators intend to increase enforcement of GDPR. The financial implications to Oracle and Salesforce here are large, as The Privacy Collective estimates that these violations could result in fines in excess of €10 billion ($11 billion).
What are the implications for my company?
These lawsuits are important for companies subject to GDPR, because if Oracle or Salesforce are found to be liable, that will set a precedent regarding cookie collection and usage that companies of all sizes will need to adhere to in order to comply. However, because GDPR is the standard on which other data privacy regulations, like California’s CCPA, are modeled, the rulings could have wide-reaching effects. If your company is subject to data privacy regulation in any jurisdiction, it’s important that you get compliant today, as the sheer volume and legal costs of litigation that may result from noncompliance are enormous, and the costs of compliance pale in comparison.
Contact Clym Today!
Our cost-effective, audit-ready platform provides you with an easy way to get your website compliant with GDPR, CCPA and other global data privacy laws. Nuances in the regulations are complicated, and we’re here to help. If you’d like to learn more, please book a demo or contact us to discuss.