Oracle Hit With Class Action Alleging Purposeful Surveillance and Invasion of Privacy of American Consumers

By Pam Fulmer

Well respected San Francisco Plaintiffs’ firm Lieff Cabraser Heimann & Bertstein LLP (“Lieff Cabraser”) has hit Oracle America, Inc. with a massive class action lawsuit alleging several data privacy-based claims including Invasion of Privacy under the California Constitution, Intrusion Upon Seclusion under the common law, violation of Business & Professions Code Section 17200, violation of the California Invasion of Privacy Act and the Federal Wiretap Act, and Unjust Enrichment.  Plaintiffs seek a declaratory judgment on behalf of the class that Oracle wrongfully accessed, collected, stored, disclosed, sold and otherwise improperly used private data.  Plaintiffs also seek injunctive relief.  Outing Oracle as one of the largest data brokers in the world, Plaintiffs paint a grim picture of how Oracle has used its software across the Internet to collect, track and identify consumers, without giving those consumers notice that the information is being collected and the ability to object.  The lawsuit alleges that Oracle’s improper use of the most private data of American consumers will only get worse now that Oracle has acquired Cerner and will begin collecting health data as well.
 
The 71-page Complaint alleges that “the regularly conducted business practices” of Oracle amount to a “deliberate and purposeful surveillance of the general population via their digital and online existence.”  Claiming that Oracle is “one of the world’s largest data brokers” Plaintiffs allege that “[i]n the course of functioning as a worldwide data broker, Oracle has created a network that tracks in real-time and records indefinitely the personal information of hundreds of millions of people” and that “Oracle sells this detailed personal information to third parties, either directly, or through its “ID Graph” and other related products and services derived from this data.”  Plaintiffs further claim that the proposed Classes “lack a direct relationship with Oracle and have no reasonable or practical basis upon which they could legally consent to Oracle’s surveillance.” Complaint ¶1.
 
Plaintiffs assert that as a data broker Oracle “facilitates the buying and selling of digital data, including personal information, among private commercial and governmental entities” and  “operates a data management platform called the BlueKai Data Management Platform, which includes two key features: the Oracle Data Marketplace and the Oracle ID Graph. The Oracle Data Marketplace is one of the world’s largest, if not the largest, commercial data exchange, with a broad impact upon the lives of most Americans and many millions of people worldwide.”  Citing to Oracle’s own marketing claims, the Complaint recites that “[t]he Oracle ID Graph helps marketers connect identities across disparate marketing channels and devices to one customer. Powered by the Oracle Marketing Cloud and Oracle Data Cloud, the Oracle ID Graph seamlessly pulls together the many IDs across marketing channels and devices that comprise a given person, enabling marketers to tie their interactions to an actionable customer profile. This ID enables the marketer to orchestrate a relevant, personalized experience for each individual across marketing channels and device types.” Plaintiffs accuse Oracle’s business model of having “long roots in the surveillance of ordinary citizens” and claims that “surveillance is central to Oracle’s history and development, and to its current business and marketing plan.”  Complaint ¶21.
 
According to the Complaint:
 
“Oracle collects many types of personal information from Internet users including concrete identifiers such as names, home and work addresses, e-mail addresses, and telephone numbers. Oracle also amasses data about peoples’ behavior, including the sites they visit online, their digital and offline purchases, where they shop, and how they pay for their purchases. Oracle gathers this personal information from a suite of its own Internet technologies, including cookies, tracking pixels, device identification, cross-device tracking, as well as from its acquisition of data from other parties. Oracle then processes, analyzes, and monetizes this data.” Complaint ¶27.
 
Plaintiffs further allege that: 
 
“Oracle, its partners, and its customers work in parallel to compile personal data and associate that data with specific individuals, effectively creating “dossiers” on people across the world. Oracle accomplishes its dossier building through its multifarious business practices, including not only the functionality of the ID Graph that connects, unifies, and then associates data to a person into a “profile,” but also the functioning of the Oracle Data Marketplace. Oracle’s Data Marketplace is an online store owned and operated by Oracle where Oracle facilitates the buying and selling of data and data-derived services by Oracle and its so-called “premier partners” to private commercial and governmental entities. The Data Marketplace allows the confluence of mass amounts of personal data by which its participants, including Oracle, can continually track people’s activities and enrich people’s dossiers.”
 
Oracle clients utilizing the technology include not only private businesses but “also political campaigns and government agencies seeking to surveil, investigate, or target particular individuals with propaganda” and Oracle markets directly to these public agencies and political parties”, referring to them as “Public Sector Customers.”  Complaint at ¶69.
 
According to the Complaint “political campaigns now have “needle-in-the-haystack capabilities” to “microtarget voters on all their devices” using personal information sold by data brokers.”  The Complaint claims that during the 2016 election the Trump campaign, “built a 220 million–person database of voter information named “Project Alamo” using Datalogix, a data collection platform owned by Oracle.”  Plaintiffs allege that Project Alamo facilitated the Trump campaign’s voter suppression initiatives including highly targeted political advertising to African Americans, white women, and young white liberals in 16 swing states, several of which were narrowly won by Trump” and that through “Project Alamo’s voter suppression efforts, it is estimated that 2 million black voters who voted in 2012 did not vote in 2016.” Complaint ¶70.
 
The Complaint likewise alleges that “in the wake of Dobbs v. Jackson Women’s Health Organization, No. 19-1392, 142 S. Ct. 2228 (2022), the threat data brokers like Oracle pose to the privacy of individuals seeking information about abortions is significantly magnified” and that Oracle’s “trackers on the websites of nonprofits providing abortion resources and services, including Planned Parenthood… may have had their personal information tracked and compiled by Oracle, which Oracle may then make available to law enforcement officials.” Complaint ¶ 81. 
 
The Complaint also raises the alarm regarding Oracle’s “$28.3 billion acquisition of electronic health record company Cerner” finding the acquisition “[c]onsistent with Oracle’s plan of engaging in wide-ranging surveillance of the intimate health details of all Americans.”  In that regard, “Oracle’s Larry Ellison has announced Oracle’s plan to build “a unified national health records database,” which it is effectuating through its software. According to Oracle’s Ellison, the company is “building a system where the health records [of] all American citizens[] . . . not only exist at the hospital level but also are in a unified national health records database,” apparently to be maintained and controlled by Oracle.  Complaint ¶ 82.
 
Finally, the Complaint alleges that:
 
“Oracle sits atop a complex data collection and processing apparatus feeding its labyrinthine multinational data marketplace, making it impossible for ordinary persons to reasonably understand the true purpose and extent of Oracle’s data collection, compiling of digital dossiers, and other data exploitation practices, which are opaque, if not invisible, to ordinary data subjects. Given the complexity and disguised nature of Oracle’s collection and use of personal information, and the lack of any direct relationship between Oracle and the Plaintiffs and Class members, there is no reasonable basis for Plaintiffs and the Class members to know the extent to which Oracle is obtaining their data, tracking them, and selling their data or services derived from their data. Complaint ¶ 86.
 
Our prediction is that Big Red is going to be busy fighting this one for a while.  Tactical Law will continue to monitor the case, which is Michael Katz-Lacabe, Dr. Jennifer Golbeck and Dr. Johnny Ryan v. Oracle America, Inc., Northern District of California, Case Number 3:22-cv-04792.  Check back for updates.