Flash Cookies

Last week, the Online Interest-Based Advertising Accountability Program released a compliance warning to clarify that its Self-Regulatory Principles for Online Behavioral Advertising (OBA Principles) apply―not just to traditional HTTP cookies―but to other types of tracking technologies that enable the tracking of consumers across different platforms and devices.  

The compliance warning admonished companies developing and implementing

By Brian Ryoo

The United States District Court for the Western District of Washington recently dismissed in part an online privacy lawsuit alleging that Amazon “circumvented” browser privacy controls in order to track users’ web browsing activities.  The plaintiffs in Del Vecchio v. Amazon had alleged that Amazon “exploit[ed]” browser controls in Internet Explorer by

The United States District Court for the Western District of Seattle recently dismissed an online privacy case involving the alleged improper use of browser and Flash cookies in Del Vecchio v. Amazon.  Finding that the plaintiff “simply not plead adequate facts to establish any plausible harm,” this opinion follows closely on the heels of

Online advertiser ScanScout has entered into a consent agreement with the Federal Trade Commission in connection with claims it made that consumers could opt out of receiving targeted ads by changing their computer’s web browser settings to block cookies.  According to the FTC, these claims were deceptive with respect to the use of so-called “Flash cookies” since browser settings did not allow users to remove or block the Flash cookies used by the company.  Flash cookies generally cannot be controlled through browser privacy settings, in contrast to traditional “HTTP” cookies.

Under the terms of the proposed settlement, ScanScout must post a prominent notice on its home page stating the following:  “We collect information about your activities on certain websites to send you targeted ads. To opt out of our targeted advertisements, click here.”  The company must provide a hyperlink to an opt-out mechanism that offers users the ability – through a single click or a single change to a browser setting – to prevent the company from:

  • collecting information that can identify the user or her computer;
  • associating any previously collected data with the user; or
  • in the absence of any affirmative action by the user, redirecting the user’s browser to third parties that collect data. 

The opt out choice must remain in effect for a minimum of five years.  There also must be a clear and prominent notice within close proximity of the opt out mechanism that provides certain additional disclosures, including the current status of the user’s choice and any circumstances that, if initiated by the user, would disable the choice made by a user. Continue Reading FTC Settles Flash Cookie and COPPA Claims

As we’ve described in this recent article, the past year has witnessed a surge in privacy litigation that shows no signs of easing.   Many of these suits involve allegations that defendants have used Flash local shared objects (“Flash cookies”) for the purpose of tracking Internet users’ browsing activity. Flash cookies differ from traditional browser cookies in

Adobe’s Flash Player includes a local storage feature that enables websites and applications to remember consumer data, such as log-in credentials and form information.  However, media and data companies’ use of this feature, which is sometimes referred to as a “Flash cookie,” has been the subject of a number of recent lawsuits.  Specifically, plaintiffs allege

Just two days after the Director of the FTC’s Bureau of Consumer Protection announced that the agency would not tolerate an “arms race” aimed at developing technologies that subvert user choice regarding online tracking, two firms accused of employing such technologies agreed to settle lawsuits against them.  Quantcast and Clearspring–which provide web analytics and certain functionality to consumer-facing websites–were named in several class action complaints this summer.  The suits alleged that the companies used “Flash cookies” (i.e., local shared objects stored in the memory of Adobe’s Flash Player plug-in) to track user activity on websites where Quantcast and Clearspring provide their services.  The publishers of some of those sites were also named in the suits.  

Although the use of traditional “HTTP” cookies for tracking has become so commonplace as to be relatively uncontroversial, Flash cookies have been criticized because they are unaffected by browser privacy settings.  Moreover, as noted by researchers at UC-Berkeley, Flash cookies can be used to re-create or “respawn” browser cookies after a user deletes the latter.  The plaintiffs in the Quantcast and Clearspring cases seized on these distinctive qualities in asserting that the defendants used Flash cookies to “circumvent” users’ privacy settings.  The complaints included claims under the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, the Video Privacy Protection Act, and various state laws.Continue Reading Quantcast, Clearspring Agree to Settle “Flash Cookies” Suits

On the eve of the reported settlement of the Flash cookie litigation by Quantcast and Clearspring, Covington alum Kashmir Hill reports at Forbes about an online practice that could be the next “Flash cookie” among privacy advocates:  web history sniffing.

According to the Complaint (PDF) filed last week in federal court in California, a Netherlands company called Midstream Media illicitly collected information about users’ web histories on its network of “YouPorn” websites.  The litigation claims that Midstream used a JavaScript security flaw to determine whether particular pages had been visited by particular browser, apparently to track which users had also visited its competitors’ sites.

Like other online privacy litigation litigation that we’ve seen this year, the Midstream plaintiffs’ case relies on state consumer protection statutes and the Computer Fraud and Abuse Act, or CFAA — which existed long before both history sniffing and video streaming.  Even with the creative license that comes from extending these laws to the Internet, it’s not at all clear that the plaintiffs will be able to succeed.Continue Reading The New Flash Cookie: History Sniffing