Data Harvesting through Online Tracking Tools
The plaintiffs contend that Oracle embedded a range of online tracking tools on third party websites and apps to capture data about an internet user’s interaction with the digital platform. According to the claim, Oracle’s third-party cookie BlueKai, tracking pixels, a particular java script (and previously AddThis) has enabled Oracle to amass vast amounts of data about millions of internet users.
Whenever an internet user interacted with a digital platform that has these tracking codes embedded, Oracle will assign a unique user ID and record that user’s online activities continuously and indefinitely. Data so captured includes IP address, information entered in online submission forms such as email address, name, phone number, financial transactions, search terms, demographic attributes, what an internet users clicks on, what they shared on social media, what documents they download, including previously viewed website and the onwards journey of the internet user to other apps or websites.
Also recorded are device type, the presence or use of “apps” on a device, how much time is spent on these apps, operating system, screen resolution, browser, preferred language. Another tracking tool that Oracle used was AddThis. The plaintiffs claimed in their revised statement of claim in May 2023, that this was a ‘highly privacy-invasive data collection mechanism’ that facilitated data collection through social media sharing tools. This tool tracked what website a person shared on their social media account.
“Over the past decade, over 15 million sites — from Fortune 100 companies to individual bloggers — have adopted AddThis’ expanding suite of customizable website marketing tools to increase social sharing, improve engagement and drive conversions” (We’re on a mission to make the web personal https://perma.cc/JK9N-3W3Z). The company proudly announces:
According to the Plaintiffs, AddThis trackers have been found on websites with resources for undocumented immigrants, domestic violence survivors, and the LGBTQ community. Human Rights Watch, concerned about Oracle’s collection of data from children, has noted that:
. . . AddThis does much more than encourage social media traffic. Whether or not a person clicks on the “share” button, AddThis instantly loads dozens of cookies and tracking pixels on website visitors’ browsers, like nesting dolls, each collecting and sending user data to Oracle and to dozens of other AdTech companies to profile and target a person or a child with behavioral advertising that follows them across the internet.
Oracle has since disabled the AddThis widget.
Overtime, a clearer picture of a person’s interest, preferences, personality, and life circumstances emerges, making this information more and more valuable to private companies, government agencies, and nation states alike. Audience Targeting with Oracle: Q&A with Oracle Data Cloud’s Dan Loewenberg, Spot X (Mar. 21, 2019),
These data harvesting practices are largely invisible to most internet users. Tracking pixels are intentionally unobtrusive. They are embedded in digital platforms as almost invisible transparent 1×1 pixel png file thereby inextricably subjecting users to having their online activities monitored.
Some of the tracking tools, such as pixel trackers, are unavoidable because unlike cookies, they cannot be disabled. Oracle’s cookies and tracking pixels are pervasive throughout the Internet. Oracle has agreements with numerous high-traffic websites like the New York Times, ESPN, and Amazon to place cookies and/or pixels on their websites. By blanketing popular websites with these tracking tools, Oracle reaches a substantial percentage of Internet users—Oracle cookies are found on over 20 percent of the top 10,000 websites and more than 48 thousand websites.
Data Matching and Aggregation
Oracle does not just collect raw data. The digital panopticon springs to live with a combination of cross-device tracking, device identification as well as data matching and enrichment methodologies. https://perma.cc/LCW9-9PCH. The cross-device tracking capability enables Oracle to monitor users across different internet connected devices such as mobile phone, tablet, laptop, computer, smartTV, or gaming consoles (Industry first: In-game measurement for 3D advertisements, Oracle https://perma.cc/9DEK-9FJV).
In the US, The AdTech business apparently also combine a person’s internet activities with offline credit card purchases and data from loyalty programs to generate even more granular insights about a person’s life. The ensuing profiles are exceedingly detailed (Rob Tarkoff, EVP, Oracle Advertising and Customer Experience (CX)—June 2, 2021 https://perma.cc/L864-A2EA). Oracle buys Datalogix https://www.oracle.com/corporate/pressrelease/oracle-buys-datalogix-122214.html
The digital profiles are sold to Oracle’s paying customers. Oracle’s Advertising Privacy Policy does not hide this:
Offline information (for individuals located in the United States only) about you is obtained by Oracle from its offline partners such as brick-and-mortar retail stores, grocery stores and their associated loyalty card programs, payment card brands, catalog orders and consumer survey programs, and third parties who may not have a relationship with you and collect offline information from their offline partners.
However, a person that visits the New York Times or ESPN website may not be aware that the tracking technologies are installed or may not read Oracle’s Advertisement Privacy Policy. It would then be left to the New York Times or ESPN to declare the data sharing arrangement in their Privacy Policy.
A massive data breach in 2020 revealed that Oracle’s subsidiary BlueKai had compiled these digital profiles and ultimately gave rise to this class action lawsuit. Oracle’s has developed ID Graph which it advertises as a re-identification tool to identify and establish “a single, universal view of identity” for each user. Oracle ID Graph has the capability of identifying Internet users and compiling personal data associated with them, including so-called “anonymous” data which Oracle re-identifies to specific individuals. Oracle makes the Oracle ID Graph available for sale to private and governmental purchasers on its Data Marketplace. https://perma.cc/SG2R-VQKS
Oracle Data Cloud Health and Wellness Segments (US only) https://perma.cc/37T2-FG4Q.
Oracle’s Data Marketplace is an online store owned and operated by Oracle where Oracle facilitates the buying and selling of data and data-derived services by Oracle and its data sharing partners, to private commercial and governmental entities. According to the Plaintiff’s, Oracle’s Data Marketplace trades in personal information that:
- Oracle collects itself such as that collected via BlueKai tracking pixels (first-party data);
- private companies collect from their own users and sell directly to Oracle clients (second-party data); and
- other data brokers collect and sell to Oracle clients on the Data Marketplace (third-party data).
Using the Second-party Data Discovery Marketplace, Oracle, https://perma.cc/464C-R426.
A 2019 investigation into Oracle’s profiling activities indicates the all-encompassing nature of the online and offline data Oracle collects:
Lack of lawful basis to justify data handling practices
It is further alleged that some digital profiles also included sensitive including race, location, politics, and medical information to allow Oracle client’s to “analyze, segment, and target” users based on the information, including the categories of sensitive information.
Examples include:
- Alcohol and Beverage Digital Audiences and Contextual Segments.
- Health & Wellness: Oracle segments people based on intimate information, including a person’s views on their weight, hair type, sleep habits.
- Emergency Medicine, Imaging & Radiology, Nuclear Medicine, Respiratory Therapy, Aging & Geriatrics, Allergy & Immunology, Pain Relief appear to be proxies for medical information (Health and Wellness Preference Data Segments, Oracle https://perma.cc/9FWJ-AUJM).
However, Oracle’s Advertising Privacy Policy purports not to capture or share sensitive audience segments:
Oracle does not create any online interest segments that reflect personal information that is sensitive,” and includes in the category of sensitive information “certain aspects linked to personal life, such as racial or ethnic, religious, political, citizenship, immigration status, or sexual orientation.”
The data broker appears to purposefully work on stitching together its own data points with external data sources acquired through its vast network of data sharing partners to close in on a user’s identity. Oracle specifically markets its ID Graph product as a re-identification tool allowing private companies and government entities to target a particular person. ID graph enables identity resolution, which is the process of connecting identifiers from multiple platforms, channels, and devices and matching them to a single known customer profile. In any case, the plaintiffs say that internet users did not consent to the creation of these digital profiles which contained personal details about their private lives, preferences, and interests.
Plaintiffs further allege that neither Oracle’s privacy policies nor the policies of internet publishers on whose’ website the tracking technologies were installed, could provide any basis for consent to the extensive profiling schemes and data trade. Oracle’s website leads to seven different privacy policies which Plaintiffs describe as “convoluted, opaque, and not reasonably comprehensible to the average Internet user”.
Settlement Agreement
The plaintiffs are seeking a declaratory judgment that Oracle wrongfully accessed, collected, stored, disclosed, sold, and otherwise improperly used the Plaintiffs’ Personal Data. Plaintiffs also seek injunctive relief to ensure Oracle will not continue with these practices. The Plaintiffs claim that the Defendant’s data handling practices amount to an invasion of privacy as enshrined in the California Constitution and various state and federal privacy laws. They also make a claim for unjust enrichment alleging Oracle profited from the practices.
The plaintiffs initially claimed a breach of the Electronic Communications Privacy Act (Federal Wiretap Act) which was dismissed because the plaintiffs failed to show Oracle had the requisite tortious motivation to invoke the criminal tort. The Unfair Competition Law cause of action was also thrown out.
Whilst Oracle denies any wrongdoing, it has now agreed to pay $115 million into a settlement fund for the benefit of the members of the class action.
The company also agreed to change its data harvesting practices and implement a privacy auditing program to review its compliance with privacy laws. In addition, Oracle agrees to:
- cease collecting user information from previously visited websites and online forms from third party platforms;
- automatically delete controversial user data collected or sold since August 19, 2018; and
- end data-sharing partnerships with relevant data brokers.
This proposed settlement agreement is yet to be approved by Californian Northern District Court (next hearing on 8 August 2024).
Changes to Oracle’s Advertising Business
Five weeks ago, Oracle announced that it will exit the AdTech business altogether citing falling revenue. The data broker will shut down its Oracle Advertisement arm by the end of September 2024.
As of 1 October 2024, BlueKai, Digital Audiences, OnRamp with ID Graph will no longer be available. https://www.oracle.com/contracts/docs/oracle-advertising-end-of-life-faqs.pdf?download=false.
Broader Concerns and Implications
When consumers go about their lives, they drop data crumbs that incrementally reveal information about their movements, activities, friends, physical attributes, vices, menstrual cycles, finances, and other personal aspects of their lives.
When used by companies for commercial or marketing purpose, Internet user may find this useful or annoying, or both depending on the context. At a time, where national and international political environments are volatile, the unrelenting online surveillance and trade in personal information has the potential to cause significant harm. Established or nascent authoritarian governments may (and in some cases already are using this information) to drive their agenda by having insights into a person’s life whose views they do not agree with. Surveillance and propaganda have always been central to the autocratic playbook. Digital tracking technologies have made repression and control more pervasive, efficient and subtle.
