This week we learnt that two major US technology companies, Oracle and Salesforce, are being sued in the Netherlands for £900 million in a class action over their alleged breach of data protection laws relating to the use of cookies, writes Elizabeth Kilburn, Associate, Data Protection, IP & Commercial, Wedlake Bell LLP.
The class action against Oracle and Salesforce, brought by the consumer privacy campaign group The Privacy Collective, claims that the companies’ use of third-party tracking cookies and ‘Real-Time-Bidding’ (RTB) processes results in the unlawful processing of users’ personal data (and special categories of personal data) without proper consent. The campaign group is set to bring a similar claim in London later this month.
Background
Real-Time-Bidding occurs when a web user visits a website which contains advertising space. The publisher of the website auctions the space for advertisers to bid on. The space essentially enables the advertiser to purchase access to the web user, whom it believes to be a receptive audience for its products and services. The auction and bidding process can involve tens and even hundreds of companies and happens in milliseconds: ‘real time’ bidding.
Advertisers are ‘sold’ information in the RTB process. This information originates from data gathered via the use of cookies and other tracking technologies which have been placed on a user’s device. The information may be basic, for example the user’s device identification details, but can also be far more complex, including the user’s perceived interests (gathered from previous websites the user has visited), and even special categories of personal data such as whether the user is pregnant, or the user’s political affiliations.
This information enables companies to build a profile of the user, their likes and dislikes, interests and desires. Privacy campaigners claim that this profile building takes place without individuals’ knowledge or understanding, which makes it difficult for such individuals to either avoid the processing or exercise any control over how their personal data is used. In addition, to the extent the individual’s profile includes special categories of personal data, individuals must provide their explicit consent for this information to be processed.
Data Protection
The Privacy and Electronic Communications Regulations (the rules which regulate marketing activities in the UK) require organisations to obtain consent to place cookies on users’ devices. Such consent must meet the requirements of the GDPR. Using individuals’ special categories of personal data to serve adverts requires explicit consent under the GDPR.
The GDPR provides that consent must be freely given, specific, informed and unambiguous (which means implied consent is no longer valid), whilst explicit consent must be affirmed in a clear statement.
Privacy campaigners argue that organisations operating in the AdTech industry do not properly obtain users’ consent to place cookies and other tracking technologies enabling the mass collection of users’ personal data for use in the RTB process.
Regulatory Action
Both the ICO (the UK’s data protection supervisory authority) and European regulators have shown an increasing willingness to take on the big hitters in the AdTech industry. However, with the implementation of the GDPR, companies operating in this industry not only have to contend with regulatory investigations, but also private actions such as those faced by Oracle and Salesforce.
The GDPR provides that any individual who has suffered ‘material’ (i.e. monetary) or ‘non-material’ (i.e. distress) damage can make a claim for compensation. We are seeing an increasing number of representative and class actions brought by privacy campaigners and law firms, often with the backing of litigation funders. Such actions automatically include victims of the unlawful processing in the claim. Just this week it was announced that Marriott International is facing a class action in London in respect of the data breach it suffered between 2014 and 2018.
The Privacy Collective is claiming a 500 Euro payment for each user who did not consent to the use of their special categories of personal data. The Privacy Collective claims that the combined claims in the UK and the Netherlands could exceed €10 billion due to the potentially millions of individuals that have had these cookies placed on their device.
What next?
The significance of the ruling, if and when it comes, cannot be overstated, nor can the impact of these privacy campaign groups. We only have to look to the judgment in the Schrems II case last month, in which Max Schrems, an Austrian privacy campaigner, brought down the Privacy Shield (the mechanism by which large companies transfer personal data from the EU to the US).
For companies in the UK the ICO has been clear that tech companies involved in RTB and AdTech must take action now. If your organisation is involved in this industry, you should review processes, systems and documentation now, and in particular assess what special categories of personal data are processed by your organisation in connection with RTB.