Recently, members of the Oracle settlement class began receiving the settlement proposal offered by Oracle in July. The federal court has informed settlement class members that they must submit claim forms by October 17, 2024, to receive monetary compensation, opt out of the settlement, or submit letters opposing or commenting on the proposal. Oracle’s settlement proposal includes $115 million in monetary relief and non-monetary measures, which will be detailed below.
Case Background
Oracle, a leading global technology company, operates in cloud computing, database management, and enterprise resource planning, with users across various industries worldwide. In 2022, plaintiffs Katz-Lacabe and others filed a class action lawsuit against Oracle America, Inc., accusing Oracle of improperly collecting, compiling, and selling users’ online and offline data without consent and using the data in its ID Graph and Data Marketplace advertising platforms. This, the plaintiffs argued, violated privacy rights under the California Constitution, as well as California, Florida, and federal privacy laws. While Oracle denied any wrongdoing, claiming its practices were lawful and disclosed to users, the company opted to settle to avoid the high costs and time of litigation and potential reputational harm.
Monetary Relief
The centerpiece of the settlement agreement is the establishment of a $115 million settlement fund to compensate affected users. The settlement class is broadly defined to include all U.S. residents whose personal information was collected, accessed, or sold by Oracle’s advertising platform from August 19, 2018, through the final judgment date. Eligible class members must submit claim forms to prove their personal information was used by Oracle’s ad technology without permission.
Non-Monetary Relief
In addition to monetary compensation, section 3.5 of the settlement outlines non-monetary relief measures to improve Oracle’s data handling practices, ensuring stricter compliance with privacy regulations. The key measures include:
- Ceasing the collection of certain types of data: Oracle will no longer collect user-generated information from URL references (the URLs of previously visited pages) related to website users. Oracle also commits to no longer collecting any text entered by users in online forms on third-party websites, except for Oracle’s own websites. These measures aim to reduce the risk of privacy violations by limiting the collection of personal data without explicit user consent.
- Implementing an audit program: Oracle will implement an audit program to reasonably review its customers’ compliance with consumer privacy obligations outlined in contracts. This demonstrates Oracle’s efforts to not only adjust its own practices but also ensure external adherence to privacy protection standards, increasing transparency in its data collection and processing.
Throughout the litigation, Oracle maintained that its data collection and processing activities were lawful. In section 9 of the settlement proposal, Oracle emphasizes that agreeing to the settlement does not constitute an admission of wrongdoing, liability, or misconduct. Oracle states that the settlement is primarily to avoid the high costs of defending the lawsuit and to bring an end to the lengthy litigation. This "no admission of liability" settlement is common in data protection cases, especially those involving large corporations and complex technologies.
In this case, although Oracle did not admit to any legal violations, it will pay a substantial settlement and adopt stricter data protection measures moving forward. The federal court will decide whether to approve Oracle’s settlement proposal in a hearing on November 14, 2024. We will continue to follow developments. This case serves as a reminder for other companies to handle user data with care and ensure compliance with applicable laws to avoid similar legal challenges.
