A lawsuit has been filed by a consumer privacy campaign group against Oracle and Salesforce over an alleged breach of the EU’s General Data Protection Regulation laws.

It was claimed by the Privacy Collective that the American cloud-based software company Salesforce and the American multinational computer technology corporation Oracle collect personal data of users without proactive user consent and then auction it off to other companies without the knowledge of users. The group claimed the suit could cost the California-based companies up to $10 billion in fines. 

The class-action lawsuit was filed in Amsterdam and became the biggest class action to be lodged over an alleged violation of General Data Protection Regulation in the history of the Netherlands. The suit demanded a €500 payment for each user who has not consented to the use of their sensitive personal data. Later this month, a similar claim will be filed by the Privacy Collective at the High Court in London.

It was alleged by the Privacy Collective that Salesforce and Oracle make use of third-party cookies Bluekai and Krux to misuse personal data of consumers. 

Hosted on multiple websites, the cookies are used for dynamic ad pricing services. It was further alleged that the two technology companies held on to personal data that consumers had not proactively consented to share. It added that Salesforce and Oracle took an inconsistent approach to securing sensitive information and the two giants facilitate sales using harmful ads.

Oracle general counsel Dorian Daley said: “Oracle has no direct role in the real-time bidding process, has a minimal data footprint in the EU, and has a comprehensive GDPR [privacy] compliance program.”

A spokesperson for Salesforce said: “Salesforce disagrees with the allegations and intends to demonstrate they are without merit. Our comprehensive privacy program provides tools to help our customers preserve the privacy rights of their own customers.”