We all receive advertisements when we surf the web, many of which are targeted at us based upon our personal website behavior. Does your company use Flash cookies,1 mobile device identifiers,2 or any other mechanism to provide targeted or “behavioral” advertising to customers? Flash cookies in particular have become the target of a raft of class actions filed recently for alleged violations of the Computer Fraud and Abuse Act, the Electronic Privacy Protection Act and various other federal and state laws that prohibit intentional accessing and tracking of consumer behavior online without consumer consent.
Targeted ads are the most effective for marketers and are often welcomed by consumers. Yet, some consumers have expressed privacy concerns, especially over the use of Flash cookies, and within the past year have filed at least twenty-nine class action lawsuits across the country naming at least thirty-nine companies (including ABC, Inc., Apple, Inc., Facebook, Inc., and Mazda Motor of America, Inc.) as defendants. The complaints suggest that while consumers may expect to see customized product suggestions on websites like Amazon or E-Bay, they have been surprised to receive tailored-advertising for personal issues like depression medication and financial assistance based upon prior website searches they believed were “private.” In the lawsuits, the consumers attack any unexpected technologies3 that override their privacy preferences. For example, consumers claim that the same Adobe Flash technology that is used to stream videos and optimize visual effects on many company websites is also used to store Flash cookies that allegedly reverse their privacy settings and track their activities across the internet such that even those consumers who specifically request not to be tracked will still receive ads targeted to their age, gender, location, and interests. Tracking devices (like Flash cookies) are not stored in browsers that consumers can see or control, so they are often imperceptible to consumers without computer forensics.
The gathering of data through Flash cookies can occur without even the company’s knowledge if outside vendors are operating, managing, or serving advertising on the website. Lack of knowledge of the vendors’ activities (while potentially a defense) did not keep Microsoft and McDonald’s (among others) from being sued last month because they used interCLICK to serve ads on their websites.
Mobile gathering has also been a popular target, with lawsuits following a recent Wall Street Journal Investigation that revealed several iOS and Android applications –- created by vendors for companies -- were transmitting age, gender, location and device identifier information to third-party advertising companies, allegedly without consumers’ knowledge or consent. In September 2010, Ringleader Digital (a mobile-web advertising company) was hit with a proposed class action lawsuit over use of HTML5 code to track iPhone and iPad users across a number of websites. In December 2010, Dictionary.com and the Weather Channel (among several others) were sued for iPhone and iPad applications made on their behalf.
To stay “ahead of the curve” – and outside of litigation – your company should develop a behavioral advertising strategy. The approach should be multi-disciplined and include: (1) litigation advice; (2) regular tag/device audits, procured through outside counsel to maintain work product and other privileges, that will reveal whether and to what extent Flash cookies, device identifiers and behavioral advertising is occurring through your websites and mobile applications; (3) annual privacy and data practices audits; (4) review of your existing and new vendor agreements to ensure appropriate insurance, defense and indemnity provisions for behavioral tracking and other privacy and data security issues; (5) training for your internal and outside digital marketing teams to heighten awareness of Flash cookie and behavorial advertising class actions issues; (6) regular review of industry, regulatory and legislative developments.
Finally, interested companies should know that on December 1, 2010, the FTC proposed a “universal browser setting” that would pre-set user preferences to prevent behavioral tracking as part of a “do not track” protocol. Several companies have already provided feedback that such a browser setting could curb internet advertising revenue significantly. This is because studies reveal that consumers are twice as likely to purchase products/services based upon targeted ads versus general online advertising. The comment period for the FTC “do not track” proposals was just extended and now ends on February 28, 2011. Comment may be coordinated through Wildman Harrold or directly on the FTC website by clicking here.