Oracle's $115 Million Privacy Settlement: What consumers need to know
A class action katz-lacabe et al v. oracle america, inc. lawsuit against Oracle over data collection practices has resulted in a $115 million settlement. Here are the key details.
On July 2024, Oracle America, Inc. agreed to pay $115 million to settle a class action lawsuit alleging improper collection and sale of personal data. The case, Katz-Lacabe et al v. Oracle America, Inc., was filed in the United States District Court for the Northern District of California in August 2022. This settlement comes after nearly two years of litigation and impacts an estimated 220 million U.S. residents whose personal information may have been collected by Oracle's advertising technologies.
The lawsuit, brought by plaintiffs Michael Katz-Lacabe and Dr. Jennifer Golbeck, accused Oracle of capturing, compiling, and selling individuals' online and offline data to third parties without obtaining proper consent. The complaint alleged that Oracle's practices violated various privacy laws and infringed on consumers' rights. Oracle has denied any wrongdoing but chose to settle the case to avoid further litigation costs and risks.
According to court documents, the settlement class includes all natural persons residing in the United States whose personal information, or data derived from their personal information, was acquired, captured, or otherwise collected by Oracle Advertising technologies or made available for use or sale through Oracle's ID Graph, Data Marketplace, or any other Oracle Advertising product or service from August 19, 2018, to the date of final judgment in the action.
The settlement provides both monetary compensation and changes to Oracle's business practices. The $115 million settlement fund will be used to pay valid claims submitted by class members, as well as attorneys' fees, administrative costs, and other expenses related to the lawsuit. Additionally, Oracle has agreed to implement certain changes to its data collection and handling practices.
Settlement Fund and Distribution
The $115 million settlement fund is non-reversionary, meaning that no portion of it will revert to Oracle. After deducting court-approved attorneys' fees, expenses, settlement administration costs, and any service awards for the class representatives, the remaining amount (referred to as the Net Settlement Fund) will be distributed to class members who submit valid claims.
According to the settlement agreement, each class member who submits a valid claim will receive an equal pro rata share of the Net Settlement Fund. The exact amount each claimant will receive depends on the total number of valid claims submitted. The settlement administrator, Angeion Group, LLC, estimates that the claims rate will likely be between 1.5% and 2.5% of the total class size.
Class members have until October 17, 2024, to submit their claims. Claims can be filed online through the settlement website (www.KatzPrivacySettlement.com) or by mail. To file a claim, class members must provide their full legal name, current mailing address, email address, phone number, and attest under penalty of perjury that they resided in the United States during the relevant time period and that any acquisition, capture, or collection of their personal information by Oracle was without their consent.
Payment options for valid claims include Zelle, Venmo, ACH transfer, virtual prepaid card, or paper check. If any electronic transfers fail or paper checks remain uncashed, the settlement administrator may make a second pro rata payment to class members who previously received payments, provided the remaining amount is sufficient to make such distributions economically viable.
Non-Monetary Relief
In addition to the monetary compensation, Oracle has agreed to implement certain changes to its business practices. Specifically, Oracle will certify that, for as long as it continues to offer the products and services described in the complaint, it will:
- Not capture user-generated information within referrer URLs (i.e., the URL of the previously-visited page) associated with a website user.
- Not capture any text entered by a user in an online web form, except for Oracle's own websites.
- Implement an audit program to reasonably review customer compliance with contractual consumer privacy obligations.
These changes address some of the key privacy concerns raised in the lawsuit and aim to provide greater protection for consumers' personal information going forward.
Notably, shortly after agreeing to these terms, Oracle announced on June 11, 2024, that it would be exiting the ad tech business entirely. While Oracle cited falling revenues as the primary reason for this decision, industry observers have suggested that increased privacy regulations and legal challenges, including this lawsuit, may have contributed to the decision.
Class Counsel and Attorneys' Fees
The law firm of Lieff Cabraser Heimann & Bernstein, LLP has been appointed as Class Counsel to represent the interests of the settlement class. As is common in class action lawsuits, the attorneys will be compensated from the settlement fund, subject to court approval.
Class Counsel plans to ask the court for attorneys' fees of up to 25% of the settlement fund, which would amount to $28.75 million. They will also seek reimbursement of litigation expenses up to $225,000. Additionally, Class Counsel will request service awards of up to $10,000 each for the two class representatives, Michael Katz-Lacabe and Dr. Jennifer Golbeck, in recognition of their efforts in pursuing the case on behalf of the class.
The court will review these requests and make a final determination on the appropriate amounts for attorneys' fees, expenses, and service awards. Any amounts approved by the court will be paid from the $115 million settlement fund before the remaining balance is distributed to class members.
Timeline and Important Dates
The settlement process involves several key dates and deadlines:
- July 19, 2024: Oracle agreed to the $115 million settlement.
- August 9, 2024: The court granted preliminary approval of the settlement.
- August 29, 2024: The Notice Date, when the settlement administrator began notifying potential class members about the settlement.
- October 17, 2024: Deadline for class members to submit claims, request exclusion from the settlement (opt-out), or object to the settlement terms.
- November 14, 2024: The scheduled date for the Final Approval Hearing, where the court will consider whether to grant final approval to the settlement.
It's important to note that the final approval process may take several months, and payments to class members will not be distributed until after the settlement receives final approval and any appeals are resolved.
Background on Oracle's Data Collection Practices
To understand the significance of this settlement, it's helpful to examine the nature of Oracle's data collection practices that were at the center of the lawsuit. Oracle, primarily known for its database and cloud computing services, had also developed a substantial advertising technology business over the years.
The lawsuit alleged that Oracle's advertising technologies collected vast amounts of personal data about individuals, including their online activities (such as web browsing history) and offline behaviors (such as in-store purchases and geolocation data). This information was then allegedly combined with other data sources to create detailed profiles of individuals, which Oracle made available to third parties for advertising and other purposes.
Some of the key Oracle products and services mentioned in the lawsuit include:
- ID Graph: A technology that aimed to connect various data points about an individual across different devices and online/offline interactions to create a comprehensive user profile.
- Data Marketplace: A platform where Oracle offered access to its aggregated consumer data to other businesses for marketing and analytics purposes.
- AddThis: A web tracking technology that Oracle acquired in 2016. AddThis was integrated into millions of websites and allowed Oracle to collect data on users' web browsing activities.
- BlueKai: Another data management platform acquired by Oracle in 2014, which specialized in collecting and analyzing consumer data for targeted advertising.
The plaintiffs argued that Oracle's data collection and use practices were overly invasive and lacked proper consent mechanisms, potentially violating various privacy laws and individuals' rights to privacy.
Legal Claims and Court Proceedings
The lawsuit against Oracle included several legal claims based on both federal and state laws. Some of the key claims included:
- Invasion of privacy under the California Constitution
- Intrusion upon seclusion under California common law
- Violation of the California Invasion of Privacy Act (CIPA)
- Violation of the Florida Security of Communications Act (FSCA)
- Unjust enrichment under California and Florida common law
- Violation of the federal Electronic Communications Privacy Act (ECPA)
Throughout the litigation process, Oracle filed multiple motions to dismiss various claims. The court issued several rulings on these motions, dismissing some claims while allowing others to proceed. For example, the court dismissed the ECPA claim with prejudice in April 2024, but allowed claims related to invasion of privacy, intrusion upon seclusion, CIPA, and FSCA to continue.
The case involved complex legal issues surrounding privacy rights in the digital age, including questions about what constitutes a reasonable expectation of privacy, the extent to which companies can collect and use personal data for commercial purposes, and the applicability of various state and federal laws to modern data collection practices.
One of the challenges faced by the plaintiffs was establishing standing to sue, given that Oracle's data collection often occurred indirectly through third-party websites and services. The court ultimately found that the plaintiffs had adequately alleged harm, causation, and redressability to establish standing.
The litigation also involved extensive discovery, with Oracle producing over 160,000 pages of documents and ESI (electronically stored information), as well as approximately 173 hours of video recordings related to its data collection and use practices. The plaintiffs' legal team worked with technical experts to analyze this complex information and build their case.
Impact on the Ad Tech Industry
The Oracle settlement is part of a broader trend of increased scrutiny and legal challenges to data collection practices in the advertising technology (ad tech) industry. This case and others like it have significant implications for how companies collect, use, and monetize consumer data.
Some of the potential impacts on the ad tech industry include:
- Increased transparency: Companies may be compelled to provide clearer disclosures about their data collection practices and obtain more explicit consent from consumers.
- Limitations on data collection: The settlement's non-monetary relief, which restricts certain types of data collection, may set a precedent for other companies in the industry.
- Reassessment of business models: Some companies may need to reevaluate their data-driven business models to ensure compliance with evolving privacy standards and regulations.
- Investment in privacy-preserving technologies: There may be increased focus on developing and implementing technologies that allow for targeted advertising while better protecting individual privacy.
- Consolidation and market shifts: Smaller ad tech companies may struggle to adapt to new privacy requirements, potentially leading to industry consolidation or the emergence of new players with privacy-centric approaches.
Oracle's decision to exit the ad tech business entirely, announced shortly after agreeing to this settlement, is a striking example of how legal and regulatory pressures can reshape the industry landscape. While Oracle cited declining revenues as the primary reason for this decision, industry analysts have suggested that the increasing complexity of privacy regulations and the potential for further legal challenges likely played a role in the company's strategic shift.
Comparison to Other Privacy Settlements
The $115 million Oracle settlement is one of the largest privacy-related settlements not involving a data breach. To put this settlement in context, it's useful to compare it to other recent privacy cases:
- Facebook (Meta) User Profile Litigation: In 2023, Facebook (now Meta) agreed to a $725 million settlement in a case related to the Cambridge Analytica scandal and other data-sharing practices. This case involved allegations that Facebook had improperly shared user data with third parties.
- Facebook Biometric Information Privacy Litigation: In 2021, Facebook agreed to pay $650 million to settle a lawsuit alleging violations of Illinois' Biometric Information Privacy Act related to its facial recognition technology.
- Google Location History Litigation: In May 2024, Google settled a case for $62 million over allegations that it tracked users' locations even when they had turned off location history settings.
- TikTok Privacy Litigation: In 2022, TikTok agreed to pay $92 million to settle allegations that it collected and shared users' personal data without proper consent.
- Yahoo Data Breach Litigation: In 2019, Yahoo (now part of Verizon Media) agreed to pay $117.5 million to settle claims related to multiple data breaches affecting user accounts.
While the Oracle settlement is substantial, it's worth noting that the per-person payout is likely to be relatively small due to the large size of the settlement class (estimated at 220 million individuals). The actual amount each claimant receives will depend on the number of valid claims submitted.
Privacy Implications and Consumer Rights
The Oracle settlement highlights several important issues related to consumer privacy in the digital age:
- Data aggregation and profiling: The case brings attention to the extensive data collection and profiling practices of many technology companies, which can create detailed dossiers on individuals by combining various data sources.
- Consent and transparency: The lawsuit raised questions about what constitutes adequate consent for data collection and use, and how companies should disclose their practices to consumers.
- Third-party data sharing: The case underscores concerns about how personal data is shared with and used by third parties, often without consumers' direct knowledge or consent.
- Online tracking: The settlement's non-monetary relief, which restricts certain types of data collection like capturing referrer URLs, addresses concerns about pervasive online tracking.
- Offline data collection: The case also highlights the collection and use of offline data (such as in-store purchases and location data), demonstrating the expansive reach of modern data collection practices.
- Data brokers and marketplaces: The lawsuit sheds light on the role of data brokers and marketplaces in aggregating and selling consumer information, a practice that often occurs behind the scenes.
- Right to privacy: The case touches on fundamental questions about individuals' right to privacy in an increasingly data-driven world, including what constitutes a reasonable expectation of privacy in various contexts.
- Legal protections: The litigation involved multiple state and federal laws, highlighting the complex and sometimes fragmented nature of privacy protections in the United States.
For consumers, this settlement serves as a reminder of the importance of being aware of data collection practices and understanding their rights regarding personal information. It also demonstrates the potential for class action lawsuits to address privacy concerns and hold companies accountable for their data practices.
Technical Aspects of Data Collection
To fully appreciate the implications of this case, it's important to understand some of the technical aspects of the data collection practices at issue. Oracle's advertising technologies employed various methods to gather and analyze consumer data:
- Cookies and tracking pixels: These small pieces of code placed on websites allow companies to track users' browsing behavior across multiple sites.
- Device fingerprinting: This technique involves collecting various attributes of a user's device (such as browser version, installed fonts, screen resolution, etc.) to create a unique identifier for tracking purposes.
- Cross-device tracking: Technologies like Oracle's ID Graph aim to link user activities across different devices (e.g., smartphone, laptop, tablet) to create a comprehensive user profile.
- Location tracking: This can involve using GPS data from mobile devices, IP addresses, and other signals to determine a user's physical location.
- Purchase data integration: Companies may combine online tracking data with offline purchase information from credit card companies, loyalty programs, and other sources.
- Data marketplace platforms: These allow various entities to buy, sell, and exchange consumer data, creating a complex ecosystem of data sharing and aggregation.
- Machine learning and AI: Advanced algorithms are often used to analyze vast amounts of data and make inferences about user behavior, preferences, and characteristics.
- Web beacons and pixel tags: These invisible elements embedded in web pages and emails can track when a user views content or opens a message.
- Server-side tracking: This method involves collecting data directly on web servers, which can be more difficult for users to detect or block compared to client-side tracking.
- Mobile app tracking: Many mobile applications collect user data and behavior information, which can be combined with other data sources.
The settlement's non-monetary relief specifically addresses some of these techniques, such as restricting the capture of referrer URLs and form input data. However, the broader implications of the case may lead to more comprehensive changes in how these technologies are deployed and regulated in the future.
Claiming Process and Settlement Administration
For individuals who believe they may be part of the settlement class, the process of submitting a claim is designed to be straightforward:
- Eligibility verification: Potential class members can check their eligibility by visiting the official settlement website (www.KatzPrivacySettlement.com) and entering their information.
- Claim form submission: Eligible individuals can submit a claim form online or by mail. The form requires basic personal information and an attestation of eligibility.
- Deadline: All claims must be submitted or postmarked by October 17, 2024.
- Payment selection: Claimants can choose their preferred method of payment (Zelle, Venmo, ACH transfer, virtual prepaid card, or paper check).
- Claim review: The settlement administrator will review all submitted claims to ensure validity and eligibility.
- Payment distribution: Valid claimants will receive their pro rata share of the Net Settlement Fund after the settlement receives final approval and any appeals are resolved.
The settlement administration is being handled by Angeion Group, LLC, an experienced third-party administrator. Their responsibilities include:
- Maintaining the settlement website and toll-free information line
- Sending out settlement notices to potential class members
- Processing claim forms and exclusion requests
- Distributing payments to valid claimants
- Handling inquiries from class members
- Providing regular reports to the court and parties on the status of the settlement administration
The settlement administrator must comply with strict data security and confidentiality requirements to protect class members' personal information throughout the process.
Opt-Out and Objection Procedures
While many eligible individuals may choose to participate in the settlement, the agreement also provides options for those who wish to exclude themselves or object to the terms:
Class members who wish to exclude themselves from the settlement (also known as "opting out") must follow a specific procedure:
- Submit a written request for exclusion to the settlement administrator.
- Include the case name and number, full name, mailing address, email address, and phone number.
- Clearly state the intention to be excluded from the settlement.
- Provide a handwritten or electronically imaged written signature.
- Mail the request, postmarked no later than October 17, 2024, to the designated address.
Individuals who opt out of the settlement retain their right to sue Oracle separately for the claims covered by this case. However, they will not receive any payment from the settlement fund.
Objection Procedure:
For class members who wish to remain in the settlement but disagree with some aspect of its terms, there is a process to file an objection:
- Submit a written objection to the Court.
- Include the case name and number, basis for being a class member, full name, mailing address, email address, and phone number.
- Provide a clear and concise statement of the reasons for objecting.
- State whether the objector intends to appear at the Final Approval Hearing.
- Include a statement identifying counsel, if represented.
- Sign the objection personally (an attorney's signature is not sufficient).
- File or mail the objection to the Court, postmarked by October 17, 2024.
Objectors have the right to voice their concerns to the Court, but they cannot ask for a larger settlement amount. The Court will consider all valid objections at the Final Approval Hearing before deciding whether to approve the settlement.
It's important to note that class members cannot both object to and exclude themselves from the settlement. Those who submit both an objection and a request for exclusion will be deemed to have opted out, and their objection will be considered invalid.
Role of the Court and Final Approval Process
The settlement agreement is subject to the Court's approval, ensuring that it is fair, reasonable, and adequate for the class members. The approval process involves several steps:
- Preliminary Approval: On August 9, 2024, the Court granted preliminary approval of the settlement. This allowed the notice process to begin and set the stage for the final approval consideration.
- Notice Period: Following preliminary approval, the settlement administrator began notifying potential class members about the settlement and their rights.
- Claim, Objection, and Opt-Out Period: Class members have until October 17, 2024, to submit claims, file objections, or request exclusion from the settlement.
- Final Approval Hearing: Scheduled for November 14, 2024, this hearing will allow the Court to consider any objections, hear arguments from the parties, and make a final determination on the fairness of the settlement.
- Final Approval Order: If the Court finds the settlement to be fair and adequate, it will issue a final approval order and enter judgment, making the settlement binding on all class members who did not opt out.
- Appeal Period: Following final approval, there may be a period during which appeals can be filed. The settlement will not become effective until any appeals are resolved.
During the Final Approval Hearing, the Court will also consider Class Counsel's request for attorneys' fees and expenses, as well as the proposed service awards for the class representatives. The Court has the authority to approve these requests in full, in part, or to deny them altogether.
It's worth noting that the Court's role is to protect the interests of the class as a whole. The judge will carefully review all aspects of the settlement, including the monetary relief, the proposed changes to Oracle's practices, the plan for distributing funds to class members, and the requested attorneys' fees and expenses.
Potential Challenges and Criticisms
While the settlement represents a significant resolution to the lawsuit, it may face some challenges and criticisms:
- Individual Payout Amounts: Given the large size of the class (estimated at 220 million people), individual payouts may be relatively small. Some critics might argue that this limits the settlement's deterrent effect or fails to adequately compensate individuals for the alleged privacy violations.
- Proof of Harm: Demonstrating concrete harm from data collection practices can be challenging. Some may question whether class members truly suffered quantifiable damages.
- Scope of Practice Changes: While Oracle has agreed to certain changes in its data collection practices, some privacy advocates might argue that these changes don't go far enough in protecting consumer privacy.
- Oracle's Exit from Ad Tech: Oracle's decision to exit the ad tech business shortly after agreeing to the settlement terms might lead some to question the long-term impact of the practice changes agreed to in the settlement.
- Claims Process: Some might criticize the requirement for class members to submit a claim, arguing that payments should be automatic for all affected individuals.
- Attorneys' Fees: The requested 25% of the settlement fund for attorneys' fees (up to $28.75 million) might face scrutiny, as is common in large class action settlements.
- Adequacy of Notice: There may be concerns about whether all potential class members will receive adequate notice of the settlement, given the challenges of reaching such a large and diverse group.
- Settlement Class Definition: Some might question whether the class definition is appropriately tailored to include all individuals whose privacy rights were allegedly violated.
These potential criticisms highlight the complex nature of privacy-related class action settlements and the challenges in balancing various interests and perspectives.
Broader Implications for Data Privacy and Regulation
The Oracle settlement occurs against a backdrop of evolving data privacy regulations and increasing public awareness of data collection practices. Some of the broader implications and trends to consider include:
- Regulatory Landscape: The settlement may influence ongoing discussions about federal privacy legislation in the United States. It could also impact how existing laws, such as the California Consumer Privacy Act (CCPA) and the EU's General Data Protection Regulation (GDPR), are interpreted and enforced.
- Industry Self-Regulation: The ad tech industry may accelerate efforts at self-regulation to preempt further legal challenges and regulatory actions.
- Consumer Awareness: High-profile cases like this can increase public awareness of data collection practices, potentially leading to more informed consumer choices and demands for greater privacy protections.
- Technological Innovation: The settlement may spur innovation in privacy-preserving technologies that allow for effective advertising while better protecting individual privacy.
- Data Minimization: Companies may increasingly adopt data minimization principles, collecting and retaining only the personal information necessary for specific, disclosed purposes.
- Consent Mechanisms: The case could lead to more robust and transparent consent mechanisms for data collection and use.
- Valuation of Personal Data: The settlement raises questions about how to value personal data and privacy rights in legal and economic contexts.
- International Impact: While this case is U.S.-based, its outcome could influence privacy practices and legal strategies globally, given the international nature of many tech companies and data flows.
Subscribe to our free weekly LinkedIn newsletter for a weekend roundup, or upgrade to our real-time updates for just $10/year. Get the latest marketing news and insights delivered straight to your inbox.