Just two days after the Director of the FTC’s Bureau of Consumer Protection announced that the agency would not tolerate an “arms race” aimed at developing technologies that subvert user choice regarding online tracking, two firms accused of employing such technologies agreed to settle lawsuits against them. Quantcast and Clearspring–which provide web analytics and certain functionality to consumer-facing websites–were named in several class action complaints this summer. The suits alleged that the companies used “Flash cookies” (i.e., local shared objects stored in the memory of Adobe’s Flash Player plug-in) to track user activity on websites where Quantcast and Clearspring provide their services. The publishers of some of those sites were also named in the suits.
Although the use of traditional “HTTP” cookies for tracking has become so commonplace as to be relatively uncontroversial, Flash cookies have been criticized because they are unaffected by browser privacy settings. Moreover, as noted by researchers at UC-Berkeley, Flash cookies can be used to re-create or “respawn” browser cookies after a user deletes the latter. The plaintiffs in the Quantcast and Clearspring cases seized on these distinctive qualities in asserting that the defendants used Flash cookies to “circumvent” users’ privacy settings. The complaints included claims under the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, the Video Privacy Protection Act, and various state laws.
Under the proposed settlement agreement, Quantcast and Clearspring (but apparently not the publisher defendants) would pay 2.4 million dollars to one or more non-profit organizations that are dedicated to promoting consumer privacy awareness. The agreement also provides that Quantcast and Clearspring must refrain from using Flash cookies to (1) respawn browser cookies; (2) serve as an alternative to browser cookies for tracking user activities that are “unrelated to the delivery of content through the Flash Player, or the performance of the Flash Player, without adequate disclosure”; or (3) “otherwise counteract any computer user’s decision to prevent the use of or to delete previously created HTTP cookies.”
The publisher defendants would be required to propose to “at least one of the industry groups” that maintain self-regulatory principles governing the collection and use of consumer data online that their principles be amended to include express prohibitions on the use of Flash cookies for browser cookie respawning. The publisher defendants would also have to provide users with the opportunity to opt-out of behavioral tracking by, for example, linking to the Network Advertising Initiative’s opt-out tool.
The settlement is in some respects surprising given the strong defenses the defendants appeared to have. (We detailed some of those defenses here.) Of course, given the increasing scrutiny of techologies that can be used to track users without users’ knowledge or consent, the defendants’ pledges to better conform their business practices to user expectations and to support consumer privacy education may prove to be prudent. But considering the substantial obstacles the plaintiffs faced, a settlement–especially of this size–will certainly raise some eyebrows in the privacy legal community.
It should be noted that Quantcast and Clearspring are not the only Flash cookies suits: VideoEgg (now known as SAY Media) and Specific Media face similar suits filed by the same plaintiffs’ counsel in the same court. Although there has been no significant activity in the Specific Mediacase since the filing of the complaint, VideoEgg appears poised to fight the suit against it, having recently filed a motion to transfer venue. It will be interesting to watch these suits play out. A decision at the motion to dismiss or summary judgment stage would likely produce favorable law for defendants in many of the privacy suits now pending.