• by Wendy Davis  @wendyndavis, April 11, 2023

Three privacy advocates who brought a class-action complaint against Oracle can proceed with some claims over the company's alleged collection and sale of data, a federal judge has ruled.

In a mixed decision handed down last week, U.S. District Court Judge Richard Seeborg in the Northern District of California said the allegations -- including that Oracle compiled data from users' online browsing, communications and offline activity -- could support some privacy-related claims. At the same time, Seeborg dismissed some claims -- including that Oracle violated wiretap laws -- but said the advocates could reformulate those claims and bring them again within 30 days.

The ruling stems from a lawsuit filed last year by Johnny Ryan, with the Irish Council for Civil Liberties, Michael Katz-Lacabe of The Center for Human Rights and Privacy, and University of Maryland professor Jennifer Golbeck.

They alleged that Oracle tracks people with a variety of online technologies -- including cookies, device identifiers and widgets -- and combines that information with other data purchased from outside brokers. Katz-Lacabe and Golbeck both said in the complaint that they received documents from Oracle indicating the company had created “electronic profiles” of them by tracking, compiling and analyzing their web browsing and other activity.

The complaint alleged that when consumers visit sites with Oracle trackers, the company can “track and store behavioral activity and personal information, including, but not limited to, home location, age, income, education, family status, hobbies, weight, and what the user bought at a brick and mortar business yesterday afternoon.”

“Internet users are not made aware of, and therefore cannot consent to, use of their information to facilitate Oracle’s personal identification enterprise, the 'Oracle ID Graph,'” the advocates added.

Oracle urged Seeborg to throw out the lawsuit at an early stage, arguing that Ryan and the others were asking the court “to legislate privacy rights from the bench.”

The advocates “ask the court to manufacture a new legal privacy framework and apply it on a global scale,” Oracle wrote in papers filed in February.

Among other arguments, Oracle said none of the advocates could show they were injured by alleged data practices.

“Plaintiffs ... do not adequately allege they suffered any harm as a result of Oracle’s conduct,” the company wrote.

“And even if they had, any harm allegedly suffered is greatly outweighed by the utility of Oracle’s conduct,” the company added, elaborating that its digital platform “provides tools that ensure consumers receive advertisements tailored to their preferences and interests.”

Seeborg rejected that argument, noting that a federal appellate court in California previously ruled that “invasion of privacy can be a harm in and of itself.”