U.S. District Court:
Some Claims Against Oracle’s ‘Data Brokering’ Survive
Claims on Behalf of Californians Found Validly Stated in Action Based on Alleged Harvesting of Personal Information on Internet Users, and Selling It, Assertedly in Violation of Privacy Rights
By a MetNews Staff Writer
Oracle America Corporation, a computer technology company, has partially succeeded, and partially lost in its bid in the U.S. District Court for the Northern District of California for a dismissal of claims in a putative class action against it founded on the contention that it invades the privacy of individuals by culling information on their Internet activity and selling it.
Although the company is multinational and multi-faceted, the lawsuit focuses of what the district’s chief judge, Richard Seeborg, in his order on Tuesday termed Oracle’s “extensive data brokering business.” This is comprised of the Oracle Data Marketplace, which claims to be “the world’s largest third-party data marketplace,” and the Oracle ID Graph which pulls together personal information about an Internet user from numerous sources, creating a profile.
Seeborg found some of the claims viable, others not, and ordered that a second amended complaint be filed by the named plaintiffs, Michael Katz-Lacabe of San Leandro, California, and Jennifer Golbeck, of Sugarloaf Key, Florida. They seek to represent Internet users nationally who are “natural persons located in the United States whose personal information, or data derived from their personal information, was used to create a profile and made available for sale or use through Oracle’s ID Graph or Data Marketplace.”
The plaintiffs have identified five sub-classes, two of which are comprised of Californians. All three claims solely benefitting Californians survived the motion to dismiss for failure to state a claim.
The claim under the California Invasion of Privacy Act (“CIPA”) was adequately pled, the jurist ruled, rejecting Oracle’s contention that the plaintiffs had not alleged scienter. Seeborg pointed to the allegation that Oracle has developed “bk-coretag.js”—a java script virus that acquires and transmits to the Oracle Data Cloud platform such information as what website a user has visited, including the date and time and information sought.
“Plaintiffs…have sufficiently alleged Oracle had ‘knowledge to a substantial certainty’ that deployment of the bk-coretag.js would record confidential communications….Plaintiffs aver Oracle’s products—such as the bk-coretag.js—are implemented by websites and collect vast quantities of personal information that eventually makes its way back to Oracle….Plaintiffs further claim this data collection occurs despite Oracle’s knowledge that many users do not consent to it….Such averments…are sufficient at this stage to satisfy the intent requirement.”
The claim relates to a sub-class comprised of Californians “whose contents of their electronic communications were intercepted by the use of Oracle’s bk-coretag.js functionality.”
A claim based on Oracle’s use of bk-coretag.js on the alleged violation of a Florida statute was likewise approved. However, one set forth on behalf of the putative nationwide class, under the Electronic Communications Privacy Act failed because, Seeborg said, “Plaintiffs have not alleged sufficient facts that Oracle intercepted data with the primary motive or purpose of committing torts on internet users.”
A claim was made under California law based on unjust enrichment. Seeborg dismissed such a claim (the federal analogue of sustaining a demurrer), in ruling on the initial pleading, but this time allowed the claim, saying:
“Plaintiffs now aver they ‘were not aware of Oracle’s conduct while browsing websites’ (ostensibly websites incorporating the bk-coretag.js or other Oracle technology), and ‘would not have visited those websites’ or, in the alternative, would have taken steps while visiting the websites ‘to avoid being tracked and profiled by Oracle.’….Oracle’s collection of data from third-party websites. Plaintiffs argue, conferred a benefit upon Oracle at the expense of the privacy of their data….Plaintiffs also allege Defendant has collected their real- world location information, and then compiled and sold that information, without their consent….With their added averments. Plaintiffs have done just enough for their unjust enrichment cause of action under California law to survive.”
California law on unjust enrichment cannot be applied to non-Californians, the judge held, because the various states have differing standards and an interest in having their policies carried out. However, he said, the claim under Florida law survives.
‘Intrusion Upon Seclusion’
The plaintiffs contended that their “intrusion upon seclusion” should be applied nationwide because the “last acts” necessary to render Oracle liable occurred in California where Oracle amassed, analyzed, and marketed Internet users’ data. Though now headquartered in Austin, Texas, its operations were previously centered in Redwood City, California.
Seeborg wrote: “Defendant persuasively points out, however, that Plaintiffs’ own allegations identify the last act necessary for liability to attach to be Oracle’s interception of Plaintiffs’ data….Plaintiffs’ theory of liability for intrusion upon seclusion would make Oracle liable when it intercepted Plaintiffs’ data, and Plaintiffs do not offer any reason to doubt that this interception of data, for non-California residents, occurs in those residents’ home States….Since the last act at which liability attaches—here, interception of Plaintiff Golbeck’s data—occurred in Florida, this factor weighs against applying California law nationwide.”
He dismissed without leave to amend the claim “to the extent it is brought on behalf of the United States Class under California law. as opposed to solely on behalf of the California Sub-Class.”
The other claims that were dismissed were with leave to amend. These included a claim under Florida’s intrusion upon seclusion law because it requires entry into a “private quarter.”
The chief judge commented: “Accepting that an electronic space may constitute a ‘private quarter’…, Plaintiffs do not plausibly point to any particular ‘electronic space’ where Plaintiff Golbeck had a reasonable expectation of privacy into which Oracle intruded. Nor do Plaintiffs plausibly aver Oracle intruded into Plaintiff Golbeck’s home.”
The claim for declaratory judgment and injunctive relief, he said, “rises and falls with Plaintiffs’ other claims” and “[s]ince not all of Plaintiffs’ claims have been dismissed, this cause of action moves forward at this stage.”
The case is Katz-Lacabe v. Oracle America. Inc., 22-cv-04792.
Copyright 2023, Metropolitan News Company