Dutch appellate court rules against Oracle and Salesforce in a GDPR-related cookie case

A Dutch appellate court has ruled that Oracle and Salesforce must continue defending a class-action lawsuit relating to the use of cookies to gather and track personal information for their Data Management Platforms (DMPs).

The case raises issues about who is responsible when websites use third-party data platforms to track users, and relies on the European Union’s General Data Protection Regulation (GDPR). The lawsuit’s plaintiff is The Privacy Collective (TPC), a Dutch non-profit focused on consumer privacy issues. 

In the decision, the court summarized TPC’s accusations against both Oracle and Salesforce: “Oracle and Salesforce collect personal data from Internet users in the context of the DMP service they offer, process it in detailed profiles and sell this information to third parties to enable them, among other things, to offer personalized advertisements on websites. According to TPC, this data collection starts with Oracle and Salesforce placing a cookie on the internet user’s equipment (and) personal data is collected. Oracle and Salesforce enrich the data and other unique identifiers collected through the cookie with information from alternative sources. According to TPC, Oracle and Salesforce build a profile on a daily basis to provide the most complete overview possible of the character traits and interests of the person in question. The purpose of the data processing is, among other things, to share the Internet user’s profile in a process called Real Time Bidding (hereinafter: RTB). The profile of the internet user is offered to advertisers in a very fast, fully automated process for a fee, in order to show personalized advertisements on websites.”

Whose cookie is it, anyway?

The court also summarized the defendants’ position. Neither Oracle nor Salesforce dispute that the cookies exist and that they are collecting lots of information. Their argument, though, is that do not place the cookies: The site operators do. 

“Oracle and Salesforce already dispute some of TPC’s factual statements about their activities and further argue, among other things, that they are not controllers within the meaning of the GDPR and/or data traders. According to Oracle, cookies are placed by the website that the internet user is visiting and a website can only place cookies for the browser used to visit the website. The decision whether or not to use cookies — and if so, which cookies — is always made solely by the website owner. Oracle disputes that it provides advertising services. All Oracle does is provide customers with a means to create segmented user interest profiles and then make those profiles suitable for filtering,” the court said.

The court summed up Salesforce’s argument by saying that the company agrees with Oracle’s position but adds that “it is a software company that offers its customers a DMP with which customers decide after purchase how they organize their interactions with internet users. It makes its money from licenses, not from data sales. Salesforce has no access or insight into the personal data that its customers process and Salesforce does not collect personal data through this software product for its own commercial purposes.”

TPC is asking for the companies to pay to 10 million Dutch users €500 (about $536) each, for a total of €5 billion ($5.36 billion). “Oracle and Salesforce dispute the damage and argue that it is not plausible that all those persons have suffered non-material damage and certainly not that the damage is always the same,” the court said. 

The lawsuit was initially filed in 2020.

CSOonline sent emails to both Oracle and Salesforce seeking comment but no responses were received by deadline.

In a short statement, TPC said the appeallate court’s ruling was “an absolute milestone for access to justice and the protection of privacy of all Dutch internet users.”