Oracle’s BlueKai subsidiary allegedly collected detailed personal profiles on approximately 5 billion people worldwide—including names, home addresses, emails, purchase history, physical movements, income, political views, and online browsing activity—without obtaining informed consent from consumers. A class action lawsuit filed in August 2022 in the Northern District of California alleged that Oracle and its ad tech products tracked users through cookies, invisible pixels, and external data sources, creating what plaintiffs called a “global surveillance machine” that generated an estimated $42.4 billion in annual revenue. In November 2024, a federal court approved a $115 million settlement to resolve these privacy violation claims, covering approximately 220 million U.S.
Residents. We’ll also address the disputed claims about how many people were actually profiled, explain how the data collection methods worked, and clarify the status of claims for this settlement.
Table of Contents
- What Data Did Oracle BlueKai Collect on Consumers Without Their Knowledge?
- The Disputed Question—Did Oracle Really Profile 5 Billion People?
- How Did Oracle Justify Data Collection Without Consumer Notice?
- What Is the Settlement and Who Can File a Claim?
- What Happened to BlueKai After the Lawsuit?
- What Protections Do Consumers Have Now?
- What Does This Settlement Mean for Data Privacy Moving Forward?
What Data Did Oracle BlueKai Collect on Consumers Without Their Knowledge?
According to the 66-page complaint filed in August 2022, Oracle’s BlueKai platform collected an extraordinary breadth of personal information on consumers across the globe. The data allegedly included names, home addresses, email addresses, detailed online and offline purchase histories, physical locations and GPS movements, estimated income levels, interests, political affiliations, and comprehensive records of internet browsing behavior. This information was assembled into detailed consumer profiles that data brokers sold to advertisers, marketing firms, and other third parties for targeted advertising purposes. BlueKai became one of the world’s largest sources of personal information sold by data brokers, consolidating data from multiple external sources alongside first-party tracking data.
The lawsuit alleged that Oracle collected this information through a combination of tracking mechanisms that operated largely invisibly to consumers. BlueKai Core Tag—a tracking code embedded across websites—used cookies and invisible pixels to monitor user behavior as they browsed the internet. Oracle also acquired data through purchases of external datasets and consolidated information from multiple sources including Datalogix, an Oracle subsidiary that collected offline purchase data. The tracking occurred across millions of websites where the BlueKai code was deployed, yet most consumers had no way to know they were being tracked or understand that their browsing activity was being compiled into a detailed profile tied to their identity.
The Disputed Question—Did Oracle Really Profile 5 Billion People?
Oracle’s own marketing materials claimed that BlueKai could provide detailed dossiers on 5 billion individuals worldwide, and plaintiffs cited this figure prominently in the lawsuit. However, industry analysts and former Oracle employees subsequently disputed this claim, estimating that BlueKai actually had between 700 million to 800 million targetable identities with varying levels of data completeness. The 5 billion figure appears to have been inflated marketing language rather than an accurate count of fully-profiled individuals. This distinction matters because it affects our understanding of the surveillance scope—whether Oracle’s data collection reached nearly everyone on Earth or was more selective, though still globally extensive.
Regardless of whether the actual number was 5 billion or 700-800 million, the scale of data collection was unprecedented. An estimated 220 million U.S. residents alone were included in the class action settlement, meaning the vast majority of American consumers likely had profiles created without their knowledge. The debate about the exact figure underscores a broader problem: companies made sweeping claims about their data reach in marketing materials, yet the actual scope remained opaque to consumers and regulators. For settlement purposes, what matters most is that Oracle conducted systematic, large-scale tracking and profile creation without obtaining informed consent.
How Did Oracle Justify Data Collection Without Consumer Notice?
The lawsuit alleged that Oracle’s data collection violated consumer privacy expectations because the company failed to provide adequate notice or obtain meaningful consent. While many websites displayed privacy policies and disclosures, the argument was that most consumers never read these policies, and even when they did, the extent of Oracle’s data collection—spanning external purchases, GPS movements, income estimation, and political profiling—exceeded what any reasonable person would expect when simply visiting a website. Oracle never directly contacted consumers to explain that their browsing was being tracked and compiled into a detailed profile that would be sold to advertisers.
The legal theory behind the lawsuit was that this data collection violated state privacy laws, consumer protection statutes, and potentially privacy expectations under common law. California’s consumer protection laws, in particular, provided a foundation for the complaint. Named plaintiffs including Johnny Ryan (Senior Fellow at the Irish Council for Civil Liberties), Michael Katz-Lacabe, and Jennifer Golbeck (a University of Maryland computer science professor) challenged the notion that vague privacy policies posted on websites satisfied the legal requirement to provide notice before engaging in comprehensive surveillance. The absence of explicit opt-in mechanisms—where consumers actively agree to data collection—was a central allegation in the complaint.
What Is the Settlement and Who Can File a Claim?
The settlement approved on November 15, 2024, requires Oracle to pay $115 million to resolve the privacy lawsuit. This amount will be distributed among class members—consumers who were residents of the United States during the relevant time period and had their personal data collected without adequate notice. Approximately 220 million U.S. residents are eligible for the settlement, though the actual number of claims filed will determine individual payment amounts. The settlement also requires Oracle to implement enhanced privacy practices, limit how it collects and uses personal information, and provide greater transparency to consumers.
A critical note: the claims deadline for this settlement was October 17, 2024, which has already passed. If you believe you are eligible but did not file a claim by that date, you may have missed the opportunity to receive compensation from this particular settlement. Class action settlements typically have strict deadlines, and filing late claims are rarely accepted. If you filed a claim before the deadline, you may be waiting for payment, as payouts have been halted pending resolution of an appeal. Any consumer considering their eligibility for past data privacy settlements should act promptly on future deadlines to avoid losing the opportunity to claim compensation.
What Happened to BlueKai After the Lawsuit?
In September 2024—just before the settlement was finalized—Oracle announced that it was shutting down its ad tech products, including BlueKai, the BlueKai Core Tag tracking mechanism, the Data Marketplace where personal data was sold, and other associated services. The shutdown became effective on September 30, 2024. This move eliminated one of the world’s largest data brokers and ended Oracle’s ability to continue collecting and selling detailed consumer profiles through these specific products. However, Oracle’s broader data collection operations continue through other divisions and subsidiaries.
The timing of the shutdown—announced as the $115 million settlement was being finalized—raises questions about whether Oracle made this decision in response to legal pressure or as a business strategy. From a practical standpoint, consumers will no longer have their data compiled through BlueKai’s mechanisms. However, the data already collected remains, and other data brokers and ad tech companies continue to operate using similar tracking methods. The cessation of BlueKai’s operations represents a significant victory for privacy advocates, but it does not address the historical profiles and data already created, nor does it eliminate the broader ecosystem of data collection and targeted advertising that remains prevalent across the internet.
What Protections Do Consumers Have Now?
The Oracle BlueKai settlement itself includes provisions requiring Oracle to modify its data practices going forward. Specifically, Oracle must implement enhanced privacy controls, restrict its collection of sensitive data categories (such as political affiliation, health information, and financial status), and provide clearer disclosure to consumers about data collection methods. Additionally, the settlement gives regulatory oversight to ensure compliance with these requirements. However, these protections apply only to Oracle and its subsidiaries—they do not regulate other data brokers or ad tech companies that continue similar practices.
For consumers concerned about their privacy more broadly, the settlement is one piece of a larger landscape. Data brokers continue to operate across the United States, collecting and selling personal information. Residents of some states, such as California, Virginia, Colorado, and Connecticut, now have legal rights under state privacy laws to request that companies delete their personal data or stop selling it. Federal privacy legislation remains under discussion, but as of early 2026, no comprehensive national privacy law has been enacted. Understanding your state’s privacy rights and taking steps to opt out of data collection where possible remains important.
What Does This Settlement Mean for Data Privacy Moving Forward?
The Oracle BlueKai settlement represents one of the largest privacy-related settlements to date and signals that courts are willing to hold major technology companies accountable for large-scale, non-consensual data collection. The $115 million penalty reflects both the scope of the data collection and the number of affected consumers, establishing a precedent that data brokers and ad tech companies cannot operate with impunity. However, the settlement also reveals a persistent challenge: by the time litigation concludes and settlements are reached, massive amounts of data have already been collected, the business model has already generated billions in revenue, and full compensation to affected individuals remains limited.
Looking forward, this settlement may encourage both regulators and plaintiffs’ attorneys to pursue similar cases against other data brokers and ad tech companies. It also underscores the importance of proposed privacy legislation at both the federal and state levels. The fact that Oracle chose to shut down BlueKai entirely suggests that some business models in digital advertising—those dependent on large-scale, non-consensual surveillance—may become economically unviable or legally untenable. Whether this leads to broader industry reforms or simply shifts data collection to other companies remains to be seen, but the Oracle case demonstrates that the courts are no longer treating large-scale consumer surveillance as an acceptable cost of digital advertising.