
November 10, 2010

Flash Cookies Trigger Privacy Suits Against Online Marketers

The use of Flash cookies capable of re-installing browser tracking cookies – that users have previously deleted – has triggered the filing of multiple privacy lawsuits against some of the Web’s largest media companies. At issue is a user’s fundamental right to control how their tracking information is harvested and shared.

Issues raised in these lawsuits take behavioral advertising privacy concerns to a whole new level, particularly for sites that participate in ad networks that use Flash cookies. And if your site participates in an ad network that uses Flash cookies, you’d better have full disclosure in your Privacy Policy, or face the consequences.

The Lawsuits

Each of the lawsuits seeks class action status. The defendants include three leaders in the field of behavioral advertising – Clearspring Technologies, Inc., Quantcast Corporation, and Specific Media, Inc.

Behavioral advertising has used traditional “cookies” to track a user’s surfing behavior on the Internet. The cookies track clickstream data including sites visited and the related times on these sites, search engine queries, and content read and downloaded. The data harvested by the cookies is used to create a behavioral profile about a specific user that can be keyed to a specific demographic. Advertisers use this information to target ads that would appeal to the demographic. In essence, behavioral ads are targeted to specific consumers anonymously based on the specific consumer’s past surfing behavior.

The issues raised in these suits significantly increase the stakes in ongoing privacy disputes regarding behavioral advertising. What’s noteworthy in these suits are allegations regarding how a user’s surfing behavior is harvested – specifically, by the use of Flash cookies.

How Flash Cookies Work

First, as background, it’s important to understand traditional cookies. A traditional cookie is a small string of text transmitted by a server to a user that is stored by the user’s web browser. Because cookies are text files, they are not executable. Cookies may or may not have an expiration date, and if there is no expiration date, they exist until the browser terminates. Traditional cookies are often used for purposes of authentication and as identifiers for an online session such as a membership website.

Users generally have the ability to control traditional cookies. Web browser vendors generally provide tools that let users configure their browsers to accept or refuse certain cookies, or to delete them at time intervals of the user’s choosing.

Control over cookies by users presents a problem for advertisers. Cookie deletion by users skews the numbers that track and measure a user’s online activity. The result – targeted, behavioral ads are not targeted to the desired degree of effectiveness, and traffic counts are rendered inaccurate.

Flash cookies address this problem by installing on a user’s computer an Adobe Flash Media Player local shared object (LSO) for tracking purposes. The Adobe Flash Media Player is software that enables users to view content on their computers. The tracking results for the user are later merged with information from other sources for purposes of behavioral advertising. This procedure is similar to the procedure used with traditional cookies.

What’s different with Flash cookies is how they work. An independent report by academic researchers titled “Flash Cookies and Privacy” found that:

* when a user visits a Flash cookie site, the user receives a traditional browser cookie, plus an identical Flash cookie; and

* if the user deletes the browser cookie, the Flash cookie re-spawns the browser cookie.

What’s more, Flash cookies remain on the user’s computer and are hard to detect. By default, Flash cookies have no expiration date, and they’re stored in a different location on a user’s computer than traditional cookies.
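The re-spawning behavior described in the report can be checked for from the user's side. The following added example (not from the report or this article) compares cookie snapshots taken before deletion and after revisiting a site, and flags any identifier that came back unchanged and is also stored in a Flash LSO; all domains, names, values and bytes in it are constructed sample data.

```python
# Added example: detect a browser cookie re-spawned from a Flash LSO.
# All domains, names, values and LSO bytes below are constructed sample data.

def value_in_lso(value: str, blob: bytes) -> bool:
    # LSOs (.sol files) are binary, but string values are stored as plain
    # bytes, so a raw substring search finds a copied identifier.
    return value.encode("utf-8") in blob

def detect_respawn(before, after, lsos, min_len=8):
    """before/after: {(domain, name): value} cookie snapshots taken before the
    user deleted cookies and after revisiting the site.
    lsos: {path: raw bytes}. Returns sorted (domain, name, lso_path) tuples."""
    findings = []
    for key, old_value in before.items():
        # Short values (flags, "1", "en") match by chance; skip them.
        if len(old_value) < min_len:
            continue
        # A site that truly lost its cookie would issue a new identifier.
        if after.get(key) != old_value:
            continue
        for path, blob in lsos.items():
            if value_in_lso(old_value, blob):
                findings.append((key[0], key[1], path))
    return sorted(findings)

BEFORE = {
    ("ads.example.test", "uid"): "a1b2c3d4e5f60718",
    ("news.example.test", "session"): "9f8e7d6c5b4a3921",
    ("news.example.test", "lang"): "en",
}
AFTER = {
    ("ads.example.test", "uid"): "a1b2c3d4e5f60718",       # same ID came back
    ("news.example.test", "session"): "0011223344556677",  # fresh ID issued
    ("news.example.test", "lang"): "en",
}
LSOS = {
    "ads.example.test/tracker.sol":
        b"\x00\xbf\x00\x00\x00\x2aTCSO\x00\x03uid\x02\x00\x10a1b2c3d4e5f60718\x00",
    "games.example.test/scores.sol":
        b"\x00\xbf\x00\x00\x00\x1bTCSO\x00\x05score\x00@\x8f@\x00\x00\x00\x00\x00\x00",
}

if __name__ == "__main__":
    for domain, name, path in detect_respawn(BEFORE, AFTER, LSOS):
        print(f"{domain} cookie '{name}' matches value stored in {path}")
```
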

Privacy Concerns

Plaintiffs in the current litigation as well as privacy advocates in general object to Flash cookies alleging that:

* Flash cookies are passed to a user’s computer without any notice by, or consent from, the user,

* resulting in a violation of a user’s fundamental right to control how their tracking information is harvested and shared.


The use of Flash cookies in the context of behavioral advertising presents new issues with related privacy concerns.

The Federal Trade Commission (FTC) has not yet issued formal guidelines or taken action against the use of Flash cookies, but that doesn’t mean that Flash cookies are not on the FTC’s radar screen. FTC Chairman Jon Leibowitz recently stated that the FTC is considering implementing a “do not track” list as a response to the growing concern over behavioral advertising in general.

Expect the FTC to act sooner rather than later.

In the meantime, if your site participates in an ad network that uses Flash cookies, you’d better have full disclosure in your Privacy Policy.

Leading Internet, IP and software lawyer Chip Cooper has automated the process of drafting Website Legal Forms for website legal compliance. Use his free online tool — Website Documents Determinator — to determine which documents your website really needs for website legal compliance. Discover how quick, easy, and cost-effective it is to draft your website legal forms at