Oracle’s $115 million privacy settlement could change industry data collection methods

Oracle on July 18 agreed to pay some of its customers a total of $115 million to settle accusations of violating users’ privacy contrary to federal statutes as well as the law in California and Florida. Plaintiffs had argued that Oracle was facing far greater financial penalties (“likely more than a billion dollars”) had the case gone to trial.

The agreement, which has to be approved by Judge Richard Seeborg on August 8, also requires Oracle to “not capture certain complained-of electronic communications and (Oracle) will implement an audit program to review its customers’ compliance with contractual consumer privacy obligations.” Oracle also shut down its ad tech business, which plaintiffs say was related to the settlement.

Oracle also agreed that it “will not capture user-generated electronic information within referrer URLs (that is, the URL of the previously-visited page) associated with a website user or any text entered by a user in an online web form other than through Oracle’s own websites,” the settlement said. Oracle also “ceased operation of its AddThis tracking mechanism only after Plaintiffs’ initial pleadings alleged that Oracle’s collection of data through AddThis violated Plaintiffs’ privacy rights.”

The settlement filing noted that Oracle had delivered extensive material via discovery. “Oracle ultimately produced over 160,000 pages of responsive documents to Plaintiffs, as well as over 283 videos consisting largely of internal discussions of the technical operation of Oracle’s data collection and use practices, spanning approximately 173 hours,” the filing said. 

The money is slated to go to United States residents “whose personal information, or data derived from their personal information, was acquired, captured, or otherwise collected by Oracle Advertising technologies or made available for use or sale by or through Oracle’s ID Graph, Data Marketplace, or any other Oracle Advertising product or service from August 19, 2018 to the date of final judgment in the Action.”

The settlement was more specific about Oracle’s actions: “Oracle has confirmed that its ad tech products— including Oracle Cloud Data Management Platform (comprising the BlueKai business, including the BlueKai ‘Core Tag’ tracking mechanism and associated cookies and pixels, Datalogix, and the Data Marketplace); Digital Audiences (including OnRamp, the primary Oracle service utilizing Oracle’s ID Graph); and Cross-Device tracking—will no longer exist as of September 30, 2024. Oracle has also announced that it will automatically delete its customers’ data ‘once [its] obligations are met’ and will ‘end relationships with data providers’.”

Jason Barnes, a partner at the Simmons Hanky Conroy law firm, said the Oracle settlement, if approved, could have substantial industry impact.

“This case is groundbreaking. The allegations in the complaint were that Oracle was building detailed dossiers about consumers with whom it had no first-party relationship. Rather than face a jury, Oracle agreed to a significant monetary settlement and also announced it was getting out of the business,” Barnes said. “The big takeaway is that surveillance tech companies that lack a first-party relationship with consumers have a significant problem: no American has actually consented to having their personal information surveilled everywhere they go by a company they’ve never heard of, packaged into a commoditized dossier, and then monetized and sold without their knowledge.”

Other industry reactions echoed these sentiments.

“Oracle’s $115 million privacy payout is one example in a long line of industry-wide data issues. It’s time we got serious about putting consumers first when it comes to data privacy,” said Michael Yeager, VP engineering at MetaRouter. “As regulations tighten around the world, we can’t keep treating privacy as an afterthought. Companies need to step up and evolve their practices, especially when it comes to data collection, by focusing on transparency and genuine consent at the moment of collection.”

Longtime privacy advocate and data privacy consultant Debbie Reynolds also applauded the settlement. 

“Oracle’s privacy case settlement is a significant precedent and highlights that privacy risks are now recognized as business risks, with reduced profits, increased regulatory pressure, and higher consumer expectations impacting organizations’ bottom lines,” Reynolds said. “One of the most important features of this settlement is Oracle’s agreement to stop collecting user-generated information from external URLs and online forms, which is a significant concession in how they do business. Other businesses should take note.”