Gavel lying on dollar banknotes showing settlement for consumer privacy lawsuit

Oracle Agrees to $115 Million Settlement in Consumer Privacy Lawsuit

Oracle has agreed to a settlement in a consumer privacy lawsuit that dates back to 2018, offering to pay out $115 million in total for the sale of user data to third parties.

The lawsuit alleged that Oracle made $42.5 billion annually by surreptitiously creating “dossiers” on millions of people that it sold off to both private and government parties. These dossiers were created by both embedding its own trackers on websites and purchasing data from other sources. In some cases, users were not Oracle customers or even users of its various free software offerings.

Oracle consumer privacy suit settled after surviving prior dismissals

First filed in the Northern District of California in 2022, the consumer privacy suit survived a prior 2023 dismissal of three claims and the reduction of a fourth to “without prejudice” status. A San Francisco federal court judge determined that the plaintiffs had suffered harm from Oracle’s actions despite the substantial dismissals.

Oracle employed a variety of direct tracking techniques to gather data on internet users: cookies, fingerprinting, JavaScript and tracking pixels among them, all opaque to those simply visiting websites and filling out forms that make use of Oracle products. Additionally, the company made use of its “AddThis” social bookmarking service (acquired in 2016 and shuttered in mid-2023) to collect data on visitors to sites that installed it, even if they did not interact with it directly in any way.

The consumer privacy suit asserts that Oracle purchased consumer data from at least one third party to bolster these dossiers, an information broker called Datalogic that aggregates information collected from various customer loyalty programs.

Oracle’s consumer dossiers allegedly contained full names paired with home addresses, race and political views along with records of assorted retail purchases and location data. Oracle developed a tool called the “Oracle ID Graph” based on these profiles that is meant to identify individual internet users that are otherwise anonymous and that was offered to  both private and government buyers, according to the consumer privacy lawsuit filings. Oracle advertised this service as an ability to essentially peer into the lives of individual data subjects and see an extensive record of their purchase history and tastes.

The key to the consumer privacy lawsuit was the secrecy with which all of this was done. While Oracle does have privacy policies that address this sort of data collection, they do not make clear the extent to which this data is being gathered or with whom it is being shared.

Oracle required to limit data collection

The consumer privacy settlement applies to those that had data collected by Oracle from August 19, 2018. The law firm involved is reportedly seeking up to $28 million in fees. The remaining fund will be distributed evenly among class action members, with about 220 million people believed to be impacted and potentially eligible. Under the terms of the settlement Oracle will also be required to stop collecting text that users enter into forms on websites that are not their own, and can no longer gather user-generated information from URLs of previously visited websites.

The settlement is unlikely to satisfy anyone involved, except perhaps for the law firm collecting some $20 million from it. It does not represent a substantial portion of Oracle’s $53 billion annual revenue, class action members could wind up eligible for less than $1 in compensation, and the terms do not seem to address the company’s use of third party data or prohibit it from continuing to use its web-spanning tracking methods. But Oracle has also announced that it plans to exit the ad tracking business entirely later this year, having already shuttered some components of the operation. It has also said that it will delete all stored customer data after this once its obligations to data providers are met. Revenue from its ad branch had sunk to $300 million per year after bringing in $2 billion in 2022.

This is not the only major consumer privacy lawsuit of 2024 slated to result in data deletion. In April, Google also agreed to delete billions of records as part of a settlement involving its Chrome “private browsing” mode. That suit includes records dating back to June 2016, and while the move avoids a financial judgment against the company it does not preclude individual users from bringing their own lawsuits.

All of this takes place in a legal environment in which a federal data privacy law still seems to be an unlikely and remote possibility. The plaintiffs in the Oracle case made use of California’s regulations for its state residents, a possibility that is set to expand with Florida, Montana, Oregon and Texas all having new consumer privacy laws that either went into effect this month or are slated to as of October 1 (Montana). Delaware, Iowa, New Jersey and Tennessee are set to have similar laws go active in 2025, as will Indiana in 2026.