Tech must radically rethink how it treats independent contractors

Despite a surging stock market and many major tech players having record quarters, we’re still seeing layoffs throughout tech and the rest of corporate America. Salesforce recorded a huge quarter, passing $5 billion in revenue, only to lay off around 1000 people. LinkedIn is laying off 960 people one day after reporting a 10% increase in revenue.

These layoffs may seem like a contraction in size for these huge enterprises, but it’s actually the beginning of something I call The Great Unbundling of Corporate America. They still need to grow, they still need to innovate, they still need to get work done and they’re not simply canceling projects and giving up on contracts.

Just as COVID-19 has accelerated the move to remote work, our current crisis has accelerated the trend toward hiring independent contractors. Back in 2019 a New York Times report found that Google had a shadow workforce of 121,000 temporary workers and contractors, overshadowing their 102,000 full-timers. ZipRecruiter reported in 2018 that tech, along with its record employment growth, was showing an increasing share of listings for independent contractors.

A study from the Bureau of Labor Statistics found that between 6.9% and 9.6% of all workers are now independent contractors, and according to Upwork, that may be as high as 35%. Mark my words — companies are using this time as an opportunity to swing the pendulum toward independent contractors and trimming the fat, justifying it with a vague gesture toward “an unprecedented time.”

That’s why, in my opinion, you’re seeing the NASDAQ hitting record highs despite everyone’s turmoil — depressingly, investors can see that large companies are tightening up and cleaning up waste, while finding an affordable workforce at will. As they have unbundled themselves from our physical offices, large enterprises are going to unbundle themselves from having to have a set number of employees.

When Square allowed its entire workforce to work remotely permanently. It wasn’t just because they wanted them to feel more creative and productive, but was likely a move away from having quite as much expensive, needless office space.

Similarly, if there is work that a full-time employee does that could be done by a flexible, independent contractor, why not make that change too? And it’ll be a lot easier to make without as many people at the office.

The argument I’m making is not anti-contractor, though.

I can’t think of any point in history where it’s been better to create a freelance business — the startup costs are significantly lower, and as companies move toward remote work, you can theoretically take business nationally (or internationally) like never before. Companies’ moves toward replacing W-2 workers with contractors is an opportunity for people to create their own miniature freelance empires, unbundling themselves from corporate America’s required hours, and potentially creating a way to weather future storms by taking away any single company’s leverage on their income.

The rush to remote work is also likely to push more workers into the freelance economy too. By having to create a remote office, with a remote presence in meetings and having to manage and organize our days, the average worker has all but adjusted to the life of a freelancer.

Where some might have gone to an office and had things simply happen to them, the remote world requires an attention to your calendar and active outreach to colleagues that, well, models how one might run a freelance business. Those with core skillsets that can be marketed and sold to multiple clients should be thinking about whether being a wage slave is necessary anymore, and with good reason.

That said — corporate America, and especially tech, has to treat this essential workforce with a great deal more empathy and respect than they have thus far.

Uber and Lyft were ordered to treat drivers as employees in part due to the fact that they never treated their contractors like parts of the company. Other than the obvious lack of benefits (paid time off, health insurance, etc.), Uber, like many large enterprises, treats contractors as disposable rather than flexible, despite them being the literal driving force of the company. When Uber went public, they gave a nominal bonus for drivers that had completed 2500 to 40,000 trips, with a chance to buy up to $10,000 of stock — at the IPO price. These drivers, that had been the very reason that many people became millionaires and billionaires when Uber went public, were given the chance to maybe make money, if they sold the stock quickly enough.

It’s an abject lesson on how to not build loyalty with independent contractors. It’s also a lesson on what the next big company that wants to build themselves off the back of the 1099’er should do.

What I’m suggesting is a radical rethinking of freelance contracting. I want you to see independent contractors as a different kind of worker, not as a way of skirting getting a full-time employee. A freelancer, by definition, is someone that you don’t monopolize, and someone that you should actively give agency and, indeed, part of the network you’re building. One of the issues of corporate America’s approach to freelance work is an us-versus-them approach to employment — you’re either part of us or you’re simply a thing we pick up and put down. What I’m suggesting is treating your freelancers as an essential part of your strategy, and compensating them as such. Freelancers should own equity and should have skin in the game — they may be working with you on a number of projects and take literal ownership of vast successes throughout your history.

Contracted work has only become mercenary through the treatment of the freelance worker. Where tech has succeeded in creating hundreds of thousands of independent contractor positions, it also has to lead the way in reimagining how we may treat them and reward them for their work. And corporate America needs to take a step beyond simply seeing them as a cheaper, easier way to do business. They’re so much more.

Salesforce announces 12,000 new jobs in the next year just weeks after laying off 1,000

In a case of bizarre timing, Salesforce announced it was laying off 1,000 employees at the end of last month just a day after announcing a monster quarter with over $5 billion in revenue, putting the company on a $20 billion revenue run rate for the first time. The juxtaposition was hard to miss.

Earlier today, Salesforce CEO and co-founder Marc Benioff announced in a tweet that the company would be hiring 4,000 new employees in the next six months, and 12,000 in the next year. While it seems like a mixed message, it’s probably more about reallocating resources to areas where they are needed more.

While Salesforce wouldn’t comment further on the hirings, the company has obviously been doing well in spite of the pandemic, which has had an impact on customers. In the prior quarter, the company forecasted that it would have slower revenue growth due to giving some customers facing hard times with economic downturn time to pay their bills.

That’s why it was surprising when the CRM giant announced its earnings in August and that it had done so well in spite of all that. While the company was laying off those 1,000 people, it did indicate it would give those employees 60 days to find other positions in the company. With these new jobs, assuming they are positions the laid-off employees are qualified for, they could have a variety of positions from which to choose.

The company had 54,000 employees when it announced the layoffs, which accounted for 1.9% of the workforce. If it ends up adding the 12,000 news jobs in the next year, that would put the company at approximately 65,000 employees by this time next year.

Snowflake’s IPO could value it as high as $24B, Salesforce and Berkshire to invest

On the heels of new filings from both Sumo Logic and JFrog, Snowflake, a venture-backed unicorn looking to go public on the strength of its data-focused cloud service, set an initial price range for its IPO.

The $75 to $85 per-share IPO price target values the firm at between $20.9 billion and $23.7 billion, huge sums for the private company. Its IPO could raise more than $2.7 billion for the startup.

Snowflake was last valued at around $12.5 billion when it raised a Series G worth $479 million earlier this year.

Built into those valuation projections are two private placements of stock in Snowflake, $250 million apiece from both Salesforce, the well-known CRM player, and Berkshire Hathaway, better known for its investment returns in the 80s and 90s, Cherry Coke and Charlie Munger’s humor.

Jokes aside, the inclusion of Salesforce in the IPO is notable, but not a shock, but Berkshire taking part in the public market debut of Snowflake, a company with historic losses that are nigh-tyrannical, is.

Here’s the S-1/A text on the setup:

Immediately subsequent to the closing of this offering, and subject to certain conditions of closing as described in the section titled “Concurrent Private Placements,” each of Salesforce Ventures LLC and Berkshire Hathaway Inc. will purchase $250 million of our Class A common stock from us in a private placement at a price per share equal to the initial public offering price. Based on an assumed initial public offering price of $80.00 per share, which is the midpoint of the price range set forth on the cover page of this prospectus, each of Salesforce Ventures LLC and Berkshire Hathaway Inc. would purchase 3,125,000 shares of our Class A common stock. […]

In addition, Berkshire Hathaway Inc. has agreed to purchase 4,042,043 shares of our Class A common stock from one of our stockholders in a secondary transaction at a price per share equal to the initial public offering price that will close immediately subsequent to the closing of this offering.

That second paragraph makes it clear that Berkshire is actually looking to snooker even more shares into its corner, for a total purchase price that might scale to more than $500 million.

What is so attractive about Snowflake? TechCrunch wrote a bit about that when the company filed, but the short gist is that it has epic growth, improving gross margins and dramatically curtailed losses. The package adds up to one valuable IPO, and something durable enough to tempt Buffett.

Regardless, what could be the most highly valued IPO of the year — Airbnb depending — here in America just got a lot more exciting.

Jeff Lawson on API startups, picking a market and getting dissed by VCs

Last week TechCrunch sat down virtually with Jeff Lawson, the CEO and co-founder of Twilio as part of our long-running Extra Crunch Live series. As I expected, the chat was a good use of time.

Why? Lawson was early on the idea that software companies could deliver their features not through a web app, but through an API . Back when Twilio was getting started, the world was still uncertain on the future of cloud. But Twilio was already skating past that puck toward a more distant target.

And his company has been largely proven right in its view of the future. While cloud software is now the de facto position for startups and legacy providers alike, API-powered startups are having one hell of a year according to founders and investors.

The growing wave of API -delivered software is not looking set to slow down, with Lawson telling TechCrunch during our chat that “the world is getting broken down into APIs,” as “every part of the stack of business that a developer might need to build is eventually turning into APIs that developers can use.”

So, expect more startups to ask you to snag an API key instead of signing up for a 12-month commitment. That said, don’t get too excited, yet, as Lawson was also clear during our chat that “not everything that can be broken down into an API will end up being a huge business.”

As Salesforce helped set the stage for SaaS startups in year’s past, Twilio’s $40 billion market cap today could prove a similar North Star for API startups.

A big thanks to the Extra Crunch crew for showing up and helping us ask some fun questions. I’ve snagged some favorite quotes below and embedded the YouTube clip of the whole chat. Let’s go!

Salesforce beefing up field service offering with AI

Salesforce has been adding artificial intelligence to all parts of its platform for several years now. It calls the underlying artificial intelligence layer on the Salesforce platform Einstein. Today the company announced some enhancements to its field service offering that take advantage of this capability.

Eric Jacobson, VP of product management at Salesforce says that when COVID hit, it pretty much stopped field service in its tracks during April, but like many other parts of business, it began to pick up again later in the quarter, and people still needed to have their appliances maintained.

“Even though we’re sheltering in place, the physical world still has physical needs. Hospitals still have to maintain their equipment. Employees still need to have equipment replaced or repaired while working at home, and people still need their washing machine [or other appliances] repaired,” Jacobson said.

Today’s announcements are designed in some ways for a COVID world where efficiency is more critical than ever. That means the field service tech needs to be prepared ahead of time on all of the details of the nature of the repair. He or she has to have the right parts and customers need to know when their technician will be there.

While it’s possible to do much of that in a manual fashion, adding a dose of AI helps streamline and scale that process. For starters, the company announced Dynamic Priority. Certainly humans are capable of prioritizing a list of repairs, but by letting the machine set priority based on factors like service agreement type or how critical the repair is, it can organize calls much faster, leaving dispatchers to handle other tasks.

Even before the day starts, technicians receive their schedule and using machine learning, can determine what parts they are most likely to need in the truck for the day’s repairs. Based on the nature of the repair and the particular make and model of machine, the Einstein Recommendation Builder can help predict the parts that will be needed to minimize the number of required trips, something that is important at all times, but especially during a pandemic.

“It’s always been an inconvenience and annoyance to have somebody come back for a follow up appointment. But now it’s not just an annoyance, it’s actually a safety consideration for you and for the technician because it’s increased exposure,” Jacobson explained

Salesforce also wants to give the customer the same capability, they are used to getting in a ride share app, where you can track the progress of the driver to your destination. Appointment Assistant, a new app gives customers this ability, so they know when to expect the repair person to arrive.

Finally, Salesforce has teamed with ServiceMax to offer a new capability to get the big picture view of an asset with the goal of ensuring uptime, particularly important in settings like hospitals or manufacturing. “We’ve partnered with a long-time Salesforce partner ServiceMax to create a brand new offering that takes industry best practice and builds it right in. Asset 360 builds on top of Salesforce field service and delivers those specific capabilities around asset performance insight, viewing and managing up time and managing warranty processes to really ensure availability,” he said.

As with all Salesforce announcements, the availability of these capabilities will vary as each in various forms of development. “Dynamic Priority will be generally available in October 2020. Einstein Recommendation Builder will be in beta in October 2020. Asset 360 will be generally available in November 2020. Appointment Assistant will be in closed pilot in US in October 2020,” according to information provided by the company.

UK class action style claim filed over Marriott data breach

A class action style suit has been filed in the UK against hotel group Marriott International over a massive data breach that exposed the information of some 500 million guests around the world, including around 30 million residents of the European Union, between July 2014 and September 2018.

The representative legal action against Marriott has been filed by UK resident, Martin Bryant, on behalf of millions of hotel guests domiciled in England & Wales who made reservations at hotel brands globally within the Starwood Hotels group, which is now part of Marriott International.

Hackers gained access to the systems of the Starwood Hotels group, starting in 2014, where they were able to help themselves to information such as guests’ names; email and postal addresses; telephone numbers; gender and credit card data. Marriott International acquired the Starwood Hotels group in 2016 — but the breach went undiscovered until 2018.

Bryant is being represented by international law firm, Hausfeld, which specialises in group actions.

Commenting in a statement, Hausfeld partner, Michael Bywell, said: “Over a period of several years, Marriott International failed to take adequate technical or organisational measures to protect millions of their guests’ personal data which was entrusted to them. Marriott International acted in clear breach of data protection laws specifically put in place to protect data subjects.”

“Personal data is increasingly critical as we live more of our lives online, but as consumers we don’t always realise the risks we are exposed to when our data is compromised through no fault of our own. I hope this case will raise awareness of the value of our personal data, result in fair compensation for those of us who have fallen foul of Marriott’s vast and long-lasting data breach, and also serve notice to other data owners that they must hold our data responsibly,” added Bryant in another supporting statement.

We’ve reached out to Marriott International for comment on the legal action.

A claim website for the action invites other eligible UK individuals to register their interest — and “hold Marriott to account for not securing your personal data”, as it puts it.

Here are the details of who is eligible to register their interest:

The ‘class’ of claimants on whose behalf the claim is brought includes all individuals who at any date prior to 10 September 2018 made a reservation online at a hotel operating under any of the following brands: W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotel & Resorts, Four Points by Sheraton, Design Hotels. In addition, any other brand owned and/or operated by Marriott International Inc or Starwood Hotels and Resorts Worldwide LLC. The individuals must have been resident in England and Wales at some point during the relevant period prior to 10 September 2018 and are resident in England and Wales at the date the claim was issued. They must also have been at least 18 years old at the date the claim was issued.

The claim is being brought as a representative action under Rule 19.6 of the Civil Procedure Rules, per a press release, which also notes that everyone with the same interest as Bryant is included in the claimant class unless they opt out.

Those eligible to participate face no fees or costs, nor do affected guests face any financial risk from the litigation — which is being fully funded by Harbour Litigation Funding, a global litigation funder.

The suit is the latest sign that litigation funders are willing to take a punt on representative actions in the UK as a route to obtaining substantial damages for data issues. Another class action style suit was announced last week, alongside a class action in the Netherlands — targeting tracking cookies operated by data broker giants, Oracle and Salesforce.

Both lawsuits follow a landmark decision by a UK appeals court last year which allowed a class action-style suit against Google’s use between 2011 and 2012 of tracking cookies to override iPhone users’ privacy settings in Apple’s Safari browser to proceed, overturning an earlier court decision to toss the case.

The other unifying factor is the existence of Europe’s General Data Protection Regulation (GDPR) framework which has opened the door to major fines for data protection violations. So even if EU regulators continue to lack uniform vigour in enforcing data protection law, there’s a chance the region’s courts will do the job for them if more litigation funders see value in bringing cases to them to pursue class damages for privacy violations.

The dates of the Marriott data breach means it falls under GDPR — which came into force in May 2018.

The UK’s data watchdog, the ICO, proposed a $123M fine for the security failing in July last year — saying then that the hotel operator had “failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems”.

However it has yet to hand down a final decision. Asked when the Marriott decision will be finalized, an ICO spokeswoman told us the “regulatory process” has been extended until September 30. No additional detail was offered to explain the delay.

Here’s the regulator’s statement in full:

Under Schedule 16 of the Data Protection Act 2018, Marriott has agreed to an extension of the regulatory process until 30 September. We will not be commenting until the regulatory process has concluded.

EU websites’ use of Google Analytics and Facebook Connect targeted by post-Schrems II privacy complaints

A month after Europe’s top court struck down a flagship data transfer arrangement between the EU and the US as unsafe, European privacy campaign group, noyb, has filed complaints against 101 websites with regional operators which it’s identified as still sending data to the US via Google Analytics and/or Facebook Connect integrations.

Among the entities listed in its complaint are ecommerce companies, publishers & broadcasters, telcos & ISPs, banks and universities — including Airbnb Ireland, Allied Irish Banks, Danske Bank, Fastweb, MTV Internet, Sky Deutschland, Takeaway.com and Tele2, to name a few.

“A quick analysis of the HTML source code of major EU webpages shows that many companies still use Google Analytics or Facebook Connect one month after a major judgment by the Court of Justice of the European Union (CJEU) — despite both companies clearly falling under US surveillance laws, such as FISA 702,” the campaign group writes on its website.

“Neither Facebook nor Google seem to have a legal basis for the data transfers. Google still claims to rely on the ‘Privacy Shield’ a month after it was invalidated, while Facebook continues to use the ‘SCCs’ [Standard Contractual Clauses], despite the Court finding that US surveillance laws violate the essence of EU fundamental rights.”

We’ve reached out to Facebook and Google with questions about their legal bases for such transfers — and will update this report with any response.

Privacy watchers will know that noyb’s founder, Max Schrems, was responsible for the original legal challenge that took down an anterior EU-US data arrangement, Safe Harbor, all the way back in 2015. His updated complaint ended up taking down the EU-US Privacy Shield last month — although he’d actually targeted Facebook’s use of a separate data transfer mechanism (SCCs), urging its data supervisor, Ireland’s DPC, to step in and suspend its use of that tool.

The regulator chose to go to court instead, raising wider concerns about the legality of EU-US data transfer arrangements — which resulted in the CJEU concluding that the Commission should not have granted the US a so-called ‘adequacy agreement’, thus pulling the rug out from under Privacy Shield.

The decision means the US is now what’s considered a ‘third country’ in data protection terms, with no special arrangement to enable it to process EU users’ information.

More than that, the court’s ruling also made it clear EU data watchdogs have a responsibility to intervene where they suspect there are risks to EU people’s data if it’s being transferred to a third country via SCCs.

European data watchdogs swiftly warned there would be no grace period for entities still illegally relying on Privacy Shield — so anyone listed in the above complaint that’s still referencing the defunct mechanism in their privacy policy won’t even have a proverbial figleaf to hide their legal blushes.

noyb’s contention with this latest clutch of complaints is that none of the aforementioned 101 websites has a valid legal basis to keep transferring visitor data to the US via the embedded Google Analytics and/or Facebook Connect integrations.

“We have done a quick search on major websites in each EU member state for code from Facebook and Google. These code snippets forward data on each visitor to Google or Facebook. Both companies admit that they transfer data of Europeans to the US for processing, where these companies are under a legal obligation to make such data available to US agencies like the NSA. Neither Google Analytics nor Facebook Connect are essential to run these webpages and are services that could have been replaced or at least deactivated by now,” said Schrems, honorary chair of noyb.eu, in a statement.

Since the CJEU’s Schrems II ruling, and indeed since the Safe Harbor strike down, the US Department of Commerce and European Commission have stuck their heads in the sand — signalling they intend to try cobbling together another data pact to replace the defunct Privacy Shield (which replaced the blasted-to-smithereens (un)Safe Harbor. So, er… ).

Yet without root-and-branch reform of US surveillance law, any third pop by respective lawmakers at papering over the legal schism of US national security priorities vs EU privacy rights is just as surely doomed to fail.

The more cynical among you might say the high level administrative manoeuvers around this topic are, in fact, simply intended to buy more time — for the data to keep flowing and ‘business as usual’ to continue.

But there is now substantial legal risk attached to a strategy of trying to pretend US surveillance law doesn’t exist.

Here’s Schrems again, on last month’s CJEU ruling, suggesting that Facebook and Google could be in the frame for legal liability if they don’t proactively warn EU customers of their data responsibilities: “The Court was explicit that you cannot use the SCCs when the recipient in the US falls under these mass surveillance laws. It seems US companies are still trying to convince their EU customers of the opposite. This is more than shady. Under the SCCs the US data importer would instead have to inform the EU data sender of these laws and warn them. If this is not done, then these US companies are actually liable for any financial damage caused.”

And as noyb’s press release notes, GDPR’s penalties regime can scale as high as 4% of the worldwide turnover of the EU sender and the US recipient of personal data. So, again, hi Facebook, hi Google…

The crowdfunded campaign group has pledged to continue dialling up the pressure on EU regulators to act and on EU data processors to review any US data transfer arrangements — and “adapt to the clear ruling by the EU’s supreme court”, as it puts it.

Other types of legal action are also starting to draw on Europe’s General Data Protection Regulation (GDPR) framework — and, importantly, attract funding — such as two class action style suits filed against Oracle and Salesforce’s use of tracking cookies earlier this month. (As we said when GDPR came into force back in 2018, the lawsuits are coming.)

Now, with two clear strikes from the CJEU on the issue of US surveillance law vs EU data protection, it looks like it’ll be diminishing returns for US tech giants hoping to pretend everything’s okay on the data processing front.

noyb is also putting its money where its mouth is — offering free guidelines and model requests for EU entities to use to help them get their data affairs in prompt legal order. 

“While we understand that some things may need some time to rearrange, it is unacceptable that some players seem to simply ignore Europe’s top court,” Schrems added, in further comments on the latest flotilla of complaints. “This is also unfair towards competitors that comply with these rules. We will gradually take steps against controllers and processors that violate the GDPR and against authorities that do not enforce the Court’s ruling, like the Irish DPC that stays dormant.”

We’ve reached out to Ireland’s Data Protection Commission to ask what steps it will be taking in light of the latest noyb complaints, a number of which target websites that appear to be operated by an Ireland-based legal entity.

Schrems original 2013 complaint against Facebook’s use of SCCs also ended up in Ireland, where the tech giant — and many others — locates its EU EQ. Schrem’s request that the DPC order Facebook to suspend its use of SCCs still hasn’t been fulfilled, some seven years and five complaints later. And the regulator continues to face accusations of inaction, given the growing backlog of cross-border GDPR complaints against tech giants like Facebook and Google.

Ireland’s DPC has still yet to issue a single final decision on any of these major GDPR complaints. But the legal pressure for it and all EU regulators to get a move on and enforce the bloc’s law will only increase, even as class action style lawsuits are filed to try to do what regulators have failed to.

Earlier this summer the Commission acknowledged a lack of uniformly “vigorous” enforcement of GDPR in a review of the mechanism’s first two years of operation.

“The European Data Protection Board [EDPB] and the data protection authorities have to step up their work to create a truly common European culture — providing more coherent and more practical guidance, and work on vigorous but uniform enforcement,” said Věra Jourová, Commission VP for values and transparency then, giving the Commission’s first public assessment of whether GDPR is working.

We’ve also reached out to France’s CNIL to ask what action it will be taking in light of the noyb complaints.

Following the judgement in July the French regulator said it was “conducting a precise analysis”, along with the EDPB, with a view to “drawing conclusions as soon as possible on the consequences of the ruling for data transfers from the European Union to the United States”.

Since then the EDPB guidance has come out — inking the obvious: That transfers on the basis of Privacy Shield “are illegal”. And while the CJEU ruling did not invalidate the use of SCCs it gave only a very qualified green light to continued use.

As we reported last month, the ability to use SCCs to transfer data to the U.S. hinges on a data controller being able to offer a legal guarantee that “U.S. law does not impinge on the adequate level of protection” for the transferred data.

“Whether or not you can transfer personal data on the basis of SCCs will depend on the result of your assessment, taking into account the circumstances of the transfers, and supplementary measures you could put in place,” the EDPB added.

Oracle and Salesforce hit with GDPR class action lawsuits over cookie tracking consent

The use of third party cookies for ad tracking and targeting by data broker giants Oracle and Salesforce is the focus of class action style litigation announced today in the UK and the Netherlands.

The suits will argue that mass surveillance of Internet users to carry out real-time bidding ad auctions cannot possibly be compatible with strict EU laws around consent to process personal data.

The litigants believe the collective claims could exceed €10BN, should they eventually prevail in their arguments — though such legal actions can take several years to work their way through the courts.

In the UK, the case may also face some legal hurdles given the lack of an established model for pursuing collective damages in cases relating to data rights. Though there are signs that’s changing.

Non-profit foundation, The Privacy Collective, has filed one case today with the District Court of Amsterdam, accusing the two data broker giants of breaching the EU’s General Data Protection Regulation (GDPR) in their processing and sharing of people’s information via third party tracking cookies and other adtech methods.

The Dutch case, which is being led by law-firm bureau Brandeis, is the biggest-ever class action in The Netherlands related to violation of the GDPR — with the claimant foundation representing the interests of all Dutch citizens whose personal data has been used without their consent and knowledge by Oracle and Salesforce. 

A similar case is due to be filed later this month at the High Court in London England, which will make reference to the GDPR and the UK’s PECR (Privacy of Electronic Communications Regulation) — the latter governing the use of personal data for marketing communications. The case there is being led by law firm Cadwalader

Under GDPR, consent for processing EU citizens’ personal data must be informed, specific and freely given. The regulation also confers rights on individuals around their data — such as the ability to receive a copy of their personal information.

It’s those requirements the litigation is focused on, with the cases set to argue that the tech giants’ third party tracking cookies, BlueKai and Krux — trackers that are hosted on scores of popular websites, such as Amazon, Booking.com, Dropbox, Reddit and Spotify to name a few — along with a number of other tracking techniques are being used to misuse Europeans’ data on a massive scale.

Per Oracle marketing materials, its Data Cloud and BlueKai Marketplace provider partners with access to some 2BN global consumer profiles. (Meanwhile, as we reported in June, BlueKai suffered a data breach that exposed billions of those records to the open web.)

While Salesforce claims its marketing cloud ‘interacts’ with more than 3BN browsers and devices monthly.

Both companies have grown their tracking and targeting capabilities via acquisition for years; Oracle bagging BlueKai in 2014 — and Salesforce snaffling Krux in 2016.

 

Discussing the lawsuit in a telephone call with TechCrunch, Dr Rebecca Rumbul, class representative and claimant in England & Wales, said: “There is, I think, no way that any normal person can really give informed consent to the way in which their data is going to be processed by the cookies that have been placed by Oracle and Salesforce.

“When you start digging into it there are numerous, fairly pernicious ways in which these cookies can and probably do operate — such as cookie syncing, and the aggregation of personal data — so there’s really, really serious privacy concerns there.”

The real-time-bidding (RTB) process that the pair’s tracking cookies and techniques feed, enabling the background, high velocity trading of profiles of individual web users as they browse in order to run dynamic ad auctions and serve behavioral ads targeting their interests, has, in recent years, been subject to a number of GDPR complaints, including in the UK.

These complaints argue that RTB’s handling of people’s information is a breach of the regulation because it’s inherently insecure to broadcast data to so many other entities — while, conversely, GDPR bakes in a requirement for privacy by design and default.

The UK Information Commissioner’s Office has, meanwhile, accepted for well over a year that adtech has a lawfulness problem. But the regulator has so far sat on its hands, instead of enforcing the law — leaving the complainants dangling. (Last year, Ireland’s DPC opened a formal investigation of Google’s adtech, following a similar complaint, but has yet to issue a single GDPR decision in a cross-border complaint — leading to concerns of an enforcement bottleneck.)

The two lawsuits targeting RTB aren’t focused on the security allegation, per Rumbul, but are mostly concerned with consent and data access rights.

She confirms they opted to litigate rather than trying to try a regulatory complaint route as a way of exercising their rights given the “David vs Goliath” nature of bringing claims against the tech giants in question.

“If I was just one tiny person trying to complaint to Oracle and trying to use the UK Information Commissioner to achieve that… they simply do not have the resources to direct at one complaint from one person against a company like Oracle — in terms of this kind of scale,” Rumbul told TechCrunch.

“In terms of being able to demonstrate harm, that’s quite a lot of work and what you get back in recompense would probably be quite small. It certainly wouldn’t compensate me for the time I would spend on it… Whereas doing it as a representative class action I can represent everyone in the UK that has been affected by this.

“The sums of money then work — in terms of the depths of Oracle’s pockets, the costs of litigation, which are enormous, and the fact that, hopefully, doing it this way, in a very large-scale, very public forum it’s not just about getting money back at the end of it; it’s about trying to achieve more standardized change in the industry.”

“If Salesforce and Oracle are not successful in fighting this then hopefully that send out ripples across the adtech industry as a whole — encouraging those that are using these quite pernicious cookies to change their behaviours,” she added.

The litigation is being funded by Innsworth, a litigation funder which is also funding Walter Merricks’ class action for 46 million consumers against Mastercard in London courts. And the GDPR appears to be helping to change the class action landscape in the UK — as it allows individuals to take private legal action. The framework can also support third parties to bring claims for redress on behalf of individuals. While changes to domestic consumer rights law also appear to be driving class actions.

Commenting in a statement, Ian Garrard, managing director of Innsworth Advisors, said: “The development of class action regimes in the UK and the availability of collective redress in the EU/EEA mean Innsworth can put money to work enabling access to justice for millions of individuals whose personal data has been misused.”

A separate and still ongoing lawsuit in the UK, which is seeking damages from Google on behalf of Safari users whose privacy settings it historically ignored, also looks to have bolstered the prospects of class action style legal actions related to data issues.

While the courts initially tossed the suit last year, the appeals court overturned that ruling — rejecting Google’s argument that UK and EU law requires “proof of causation and consequential damage” in order to bring a claim related to loss of control of data.

The judge said the claimant did not need to prove “pecuniary loss or distress” to recover damages, and also allowed the class to proceed without all the members having the same interest.

Discussing that case, Rumbul suggests a pending final judgement there (likely next year) may have a bearing on whether the lawsuit she’s involved with can be taken forward in the UK.

“I’m very much hoping that the UK judiciary are open to seeing these kind of cases come forward because without these kinds of things as very large class actions it’s almost like closing the door on this whole sphere of litigation. If there’s a legal ruling that says that case can’t go forward and therefore this case can’t go forward I’d be fascinated to understand how the judiciary think we’d have any recourse to these private companies for these kind of actions,” she said.

Asked why the litigation has focused on Oracle and Saleforce, given there are so many firms involved in the adtech pipeline, she said: “I am not saying that they are necessarily the worst or the only companies that are doing this. They are however huge, huge international multimillion-billion dollar companies. And they specifically went out and purchased different bits of adtech software, like BlueKai, in order to bolster their presence in this area — to bolster their own profits.

“This was a strategic business decision that they made to move into this space and become massive players. So in terms of the adtech marketplace they are very, very big players. If they are able to be held to account for this then it will hopefully change the industry as a whole. It will hopefully reduce the places to hide for the other more pernicious cookie manufacturers out there. And obviously they have huge, huge revenues so in terms of targeting people who are doing a lot of harm and that can afford to compensate people these are the right companies to be targeting.”

Rumbul also told us The Privacy Collective is looking to collect stories from web users who feel they have experienced harm related to online tracking.

“There’s plenty of evidence out there to show that how these cookies work means you can have very, very egregious outcomes for people at an individual level,” she added. “Whether that can be related to personal finance, to manipulation of addictive behaviors, whatever, these are all very, very possible — and they cover every aspect of our lives.”

Consumers in England and Wales and the Netherlands are being encouraged to register their support of the actions via The Privacy Collective’s website.

In a statement, Christiaan Alberdingk Thijm, lead lawyer at Brandeis, said: “Your data is being sold off in real-time to the highest bidder, in a flagrant violation of EU data protection regulations. This ad-targeting technology is insidious in that most people are unaware of its impact or the violations of privacy and data rights it entails. Within this adtech environment, Oracle and Salesforce perform activities which violate European privacy rules on a daily basis, but this is the first time they are being held to account. These cases will draw attention to astronomical profits being made from people’s personal information, and the risks to individuals and society of this lack of accountability.”

“Thousands of organisations are processing billions of bid requests each week with at best inconsistent application of adequate technical and organisational measures to secure the data, and with little or no consideration as to the requirements of data protection law about international transfers of personal data. The GDPR gives us the tool to assert individuals’ rights. The class action means we can aggregate the harm done,” added partner Melis Acuner from Cadwalader in another supporting statement.

We reached out to Oracle and Salesforce for comment on the litigation.

Oracle EVP and general counsel, Dorian Daley, said:

The Privacy Collective knowingly filed a meritless action based on deliberate misrepresentations of the facts.  As Oracle previously informed the Privacy Collective, Oracle has no direct role in the real-time bidding process (RTB), has a minimal data footprint in the EU, and has a comprehensive GDPR compliance program. Despite Oracle’s fulsome explanation, the Privacy Collective has decided to pursue its shake-down through litigation filed in bad faith.  Oracle will vigorously defend against these baseless claims.

A spokeswoman for Salesforce sent us this statement:

At Salesforce, Trust is our #1 value and nothing is more important to us than the privacy and security of our corporate customers’ data. We design and build our services with privacy at the forefront, providing our corporate customers with tools to help them comply with their own obligations under applicable privacy laws — including the EU GDPR — to preserve the privacy rights of their own customers.

Salesforce and another Data Management Platform provider, have received a privacy related complaint from a Dutch group called The Privacy Collective. The claim applies to the Salesforce Audience Studio service and does not relate to any other Salesforce service.

Salesforce disagrees with the allegations and intends to demonstrate they are without merit.

Our comprehensive privacy program provides tools to help our customers preserve the privacy rights of their own customers. To read more about the tools we provide our corporate customers and our commitment to privacy, visit salesforce.com/privacy/products/

OneKey wants to make it easier to work without a desktop by integrating apps into mobile keyboards

“The app that you use the most on your phone and you don’t realize it is your keyboard,” says Christophe Barre the co-founder and chief executive of OneKey.

A member of Y Combinator’s most recent cohort, OneKey has a plan to make work easier on mobile devices by turning the keyboard into a new way to serve up applications like calendars, to-do lists, and, eventually, even Salesforce functionality.

People have keyboards for emojis, other languages, and gifs, but there have been few ways to integrate business apps into the keyboard functionality, says Barre. And he’s out to change that.

Right now, the company’s first trick will be getting a Calendly-like scheduling app onto the keyboard interface. Over time, the company will look to create modules that they can sell in an app-store style marketplace for the keyboard space on smartphones.

ezgif.com-optimize.gif

For Barre, the inspiration behind OneKey was the time spent working in Latin America and primarily conducting business through WhatsApp. The tool was great for messaging, but enterprise functionality broke down across for scheduling or other enterprise app integrations.

“People are doing more and more stuff on mobile and it’s happening right now in business,” said Barre. “When you switch from a computer-based world to a mobile phone, a lot of the productivity features disappear.”

Barre, originally from the outskirts of Paris, traveled to Bogota with his partner. She was living there and he was working on a sales automation startup called DeepLook. Together with his DeepLook co-founder (and high school friend), Ulysses Pryjiel, Barre set out to see if he could bring some of the business tools he needed over to the mobile environment.

The big realization for Barre was the under-utilized space on the phone where the keyboard inputs reside. He thinks of OneKey as a sort of browser extension for mobile phones, centered in the keyboard real estate.

“The marketplace for apps is the longterm vision,” said Barre. “That’s how you bring more and more value to people. We started with those features like calendars and lists that brought more value quickly without being too specialized.”

The idea isn’t entirely novel. SwiftKey had a marketplace for wallpapers, Barre said, but nothing as robust as the kinds of apps and services that he envisions.

“If you can do it in a regular app, it’s very likely that you can do it through a keyboard,” Barre said.

Hearsay, maker of compliant tools for financial services, deepens ties with Salesforce

Financial services companies like banks and insurance tend to be heavily regulated. As such they require a special level of security and auditability. Hearsay, which makes compliant communications tools for these types of companies, announced a new partnership with Salesforce today, enabling smooth integration with Salesforce CRM and marketing automation tools.

The company also announced that Salesforce would be taking a minority stake in Hearsay, although company co-founder and CEO Clara Shih, did not provide any details on that part of the announcement.

Shih says the company created the social selling category when it launched 10 years ago. Today, it provides a set of tools like email, messaging and websites along with a governance layer to help financial services companies interact with customers in a compliant way. Their customers are primarily in banking, insurance, wealth management and mortgages.

She said that they realized if they could find a way to share the data they were collecting with the Hearsay toolset with CRM and marketing automation software in an automated way, it would make greater use of this information than it could on its own. To that end, they have created a set of APIs to enable that with some built-in connectors. The first one will be to connect Hearsay to Salesforce with plans to add other vendors in the future.

“It’s about being able to connect [data from Hearsay] with the CRM system of record, and then analyzing it across thousands, if not tens of thousands of advisors or bankers in a single company, to uncover best practices. You could then use that information like GPS driving directions that help every advisor behave in the moment and reach out in the moment like the very best advisor would,” Shih explained.

In practice, this means sharing the information with the customer data platform (CDP), the CRM and marketing automation tooling to deliver more intelligent targeting based on a richer body of information. So the advisor can use information gleaned from everything he or she knows about the client across the set of tools to deliver more meaningful personal message instead of a targeted ad or an email blast. As Shih points out, the ad might even make sense, but could be tone deaf depending on the circumstances.

“What we focus on is this human-client experience, and that can only be delivered in the last mile because it’s only with the advisor that many clients will confide in these very important life events and life decisions, and then conversely, it’s only in the last mile that the trusted advisor can deliver relationship advice,” she said.

She says what they are trying to do by combining streams of data about the customer is build loyalty in a way that pure technology solutions just aren’t capable of doing. As she says, nobody says they are switching banks because it has the best chat bot.

Hearsay was founded in 2009 and has raised $51 million, as well as whatever other money Salesforce will be adding to the mix with today’s investment. Other investors include Sequoia and NEA Associates. Its last raise was way back in 2013, a $30 million Series C.