Virtually all websites use cookies, software code that is placed on a user’s computer upon visiting a particular website, to perform a number of tasks, including tracking how that user navigates through the site and remembering the user’s login information or other preferences. Indeed, cookies facilitate speedy Internet surfing by caching images and allowing users to surf without having to input the same information over and over again. When used in this way, cookies provide many positive elements that users like about the Internet.

Cookies, however, are also used as a means by which companies can collect vast amounts of information about users. Behavioral advertising – also known as behavioral targeting or interest-based advertising – is powered for the most part by standard browser cookies. The current self-regulatory privacy regime justifies the use of cookies by providing consumers with the ability to use their browser to delete their cookies, thus depriving behavioral advertisers of the information needed to conduct targeted advertising campaigns.

Recently, however, it has come to light that some third-party advertising networks that work with advertisers and publishers have been using a new type of cookie called “Flash cookies,” or “Flash Local Shared Objects,” a harder-to-delete version of the traditional cookie. Flash cookies are a part of Adobe’s Flash player, a popular program loaded on a high percentage of the computers connected to the Internet. Like standard cookies, Flash cookies can be used to track consumer behavior and store information about consumers, including user preferences and credentials. Unlike standard cookies, Flash cookies are not deleted when the user uses regular browser functions to delete standard cookies. Additionally, Flash cookies can be used to respawn standard cookies that have been deleted by the consumer. Flash developer Adobe has publicly condemned the latter practice in a letter to the Federal Trade Commission, and Adobe now offers a tool on its website to manage Flash settings and erase Flash cookies.1

The use of Flash cookies troubles many consumers because it contravenes the currently understood consumer expectation around managing cookies on their computers. Indeed, the use of Flash cookies, which are not necessarily deleted when a consumer deletes regular cookies from her browser, may well contradict brand advertiser privacy policies.

Some Internet marketing companies that use Flash cookies to create audiences in the behavioral advertising area, along with certain media companies that work with those companies, have been sued recently in several class action lawsuits.

According to the complaints, third-party behavioral advertising companies develop Flash cookies that track users’ behavior and preferences, and partner with media companies to install the Flash cookies on users’ computers to track their web browsing behavior. Included in the complaints are allegations that Flash cookies remain on a user’s computer even after the user deletes cookies using her browser’s “delete cookies” feature. Furthermore, according to the complaints, the Flash cookies are capable of re-installing browser tracking cookies that the user previously deleted, thus circumventing the user’s ability to prevent tracking of her online behavior. This is accomplished, according to the complaints, without the user’s knowledge or consent and violates the posted privacy policies and website terms of use. Additionally, and more startlingly, the complaints allege that the various defendants tracked and sold consumers’ personally identifiable information, as well as information concerning consumer health and finances. The defendants have denied the allegations.

As a result of these developments, there is at least one bill before Congress that attempts to address the problems caused by Flash cookies and implement a nationwide privacy law that would preempt existing state laws with respect to data collection.2 While comprehensive review of this bill is beyond the scope of this legal alert, we note the following concepts addressed by the bill, which may be instructive for clients as they develop and implement new privacy policies and new technological measures for data collection going forward: (1) verification of information – the bill would require websites to verify personally identifiable information collected from users prior to the implementation of this law; (2) user access to information – the bill would require websites to allow a user to access information collected about that user; (3) information security – the bill would require websites to develop policies and procedures for maintaining the integrity of collected information and preventing breaches of same; (4) opt-in / opt-out – while an opt-out method of obtaining user consent is permitted, this bill provides a safe harbor for websites that use an opt-in method to obtain user consent, including prohibiting private causes of action against companies using an opt-in method; and (5) changes in privacy policy – it appears that express affirmative consent would be required to continue to use any personally identifiable information currently maintained by a company after it implements a new privacy policy to comply with this new law, and any subsequent changes could only be implemented after a 30-day notice period of the intended changes.

What Does This Mean To You?

If your company is among those using Flash cookies, we note a study released earlier this year which makes the following salient recommendations for Flash cookie best practices: (1) Flash cookies should not be used to override consumer preferences; (2) consumers should be made aware of the use of Flash cookies via normal channels such as a website’s privacy policy; (3) consumers should be given an easy way to opt-out of the use of Flash cookies as a tracking mechanism.2

With respect to potential legislation regulating these kinds of issues, we recommend that companies developing new database software attempt to implement within those applications the technical capabilities to comply with provisions like those discussed above. These would include allowing consumers to access their own information stored by the company, giving consumers advance notice of changes in a privacy policy, and establishing an opt-in method for obtaining user consent. We specifically recommend that companies collecting user information begin to track when and how consumers consent to the collection of information, and consider creating applications that individually separate user information and could be used to allow users to access their individual information.

Perhaps most importantly, these developments serve as a reminder that companies should not view their online privacy policies and terms of use as static documents, but rather as documents that evolve over time and which require periodic review and updating. We urge companies who have not audited their privacy policies and terms of use in the last 12 months to take this opportunity to do so.