Dutch privacy foundation sues software giant Adobe for privacy violations

The Dutch privacy foundation Stichting Data Bescherming Nederland (SDBN) is suing computer software giant Adobe, alleging that the company secretly collects and shares personal data of millions of Dutch citizens with companies in the online advertising market. The foundation demands that Adobe cease these practices and compensate the affected Dutch citizens for any damages.

Adobe is accused of placing cookies on websites including those of KPN, TUI, Douglas, and the Dutch Tax Authority. The American company also allegedly collects personal data through mobile apps such as Marktplaats, Buienradar, and Ziggo GO. Adobe supposedly does this without the necessary consent, sometimes placing cookies even before users have made a choice to allow them.

According to SDBN, anyone who regularly uses the internet through a Chrome browser and downloads and uses apps is a "victim of Adobe." Anouk Ruhaak, the chairperson of the foundation, stated, "Did you do your Christmas or Sinterklaas shopping online? Then Adobe probably knows quite accurately what you looked at and where you bought your pepernoten or perfume."

According to SDBN, Adobe creates user profiles from the collected data and shares them with other parties. The foundation warned of many risks associated with this practice, including potential identity fraud, and claimed that Adobe earns a significant amount of money through these activities.

"The dubious market of collecting and trading personal data is in violation of the GDPR. This must stop," Ruhaak said. According to her, attempts to contact Adobe have been fruitless, leading the foundation to take legal action. The foundation has yet to specify the amount of compensation they seek from Adobe for the alleged victims.

The SDBN aims to ensure that large tech companies better respect the online privacy of Dutch citizens. Previously, the organization has taken similar legal actions against companies like X and Amazon.

In response, Adobe stated that the mass claim was based on a misunderstanding and denied the allegations of privacy violation. Adobe claimed that it is the clients' own websites that gather this data, and the software company merely processes them.

Adobe explained in a written statement that the client is the data controller and, in that capacity, makes decisions and bears responsibility for which cookies are placed on their websites. According to the company, clients are also responsible for how they use the collected data.

Clients using Adobe Experience Cloud, the program central to SDBN's complaint, have the option to tailor cookie consent requests to local laws, according to Adobe.

SDBN acknowledged this stance as already known but disagreed with Adobe's interpretation.

On Wednesday, the Dutch Tax Authority announced that it had disabled certain functions of software giant Adobe as a precaution. "The Dutch Tax Authority considers the protection of personal data to be of utmost importance. The service has therefore asked Adobe for clarification about the use of cookies as described in the article, but no answer has been received at this time," a spokesperson stated via email.

RTL, responding on behalf of Buienradar to the mass claim, said that Adobe only processes data about site visitors. According to a spokesperson, this involves keeping statistics on website visitors. Adobe cannot and may not use this data for its own purposes, the media company said.

Marktplaats emphasized the importance of complying with all privacy regulations. Travel organization TUI stated it takes the matter "very seriously" and announced a "thorough" investigation.