Web Browsing Tracking Technologies ("Flash Cookies")
Wednesday, November 10, 2010
Issued by CASRO's General Counsel on November 10, 2010
In the last few months, class action lawsuits have been filed against three major Internet advertising technology providers, Quantcast, Clearspring and Specific Media, over their use of locally shared objects, colloquially known as "flash cookies." A fourth class action lawsuit has been filed against Ringleader, a web analytics company that deployed an HTML5 application to track users' web browsing on mobile phones. With the exception of the lawsuit against Specific Media, each lawsuit also named as defendants a number of major content providers, such as CNN and MTV, which had allowed these technologies to be placed on their websites. This memorandum provides a brief description of the technologies at issue, explains the law and theories behind these four lawsuits, and provides some general recommendations on how to lawfully and ethically use these technologies. If you are unsure whether your website uses flash cookies, this would be an opportune time to evaluate whether it uses flash cookies or some other technology, such as HTML5, and what those technologies are designed to do.
While web developers have used flash cookies since 2005, their use has now become sufficiently widespread to enter the consciousness of general web users. For example, the Wall Street Journal ran a series of stories in July on the use of flash cookies and the tracking of users' web browsing. Like traditional HTML cookies, flash cookies are used to track users and store information about them. Unlike traditional cookies, flash cookies reside within Adobe's Flash application, and offer a number of advantages (from the developer's perspective) over HTML cookies. Flash cookies can be larger, do not expire and are not stored within a browser, and therefore are not deleted when a user chooses to delete all cookies using the browser's privacy functions. In addition, flash cookies can be used to "re-spawn" or restore traditional HTML cookies upon their deletion.
HTML5 is simply the next version of the standard web programming language, but among its new features is the enhanced ability for developers to store data on users' devices. In this way, HTML5 "cookies" are similar to flash cookies. This functionality has a number of benefits, such as the possibility for offline access to websites, but also allows applications such as those in the Ringleader lawsuit to be used.
The use of flash cookies and similar technologies presents a number of legal risks, including: 1) an FTC enforcement action for unfair trade practices (Adobe has specifically asked the FTC to become involved on this subject); 2) a regulatory action in the European Union; and 3) private lawsuits, such as those mentioned earlier. The steps that are required to comply with these applicable laws and/or to avoid lawsuits depend on how the flash cookies or similar technologies are being used. If flash cookies are being used to track user activity across websites, CASRO's restrictions on the use of active agents also apply.
In the four class action lawsuits mentioned above, the plaintiffs asserted violations of a number of federal and state computer and privacy statutes as well as several common law claims, including: the federal Computer Fraud and Abuse Act and the Electronic Communications Act, the California Computer Crime Law and Invasion of Privacy Act as well as common law unjust enrichment and trespass claims. In all four lawsuits, flash cookies or a similar HTML5 application were allegedly being used to track users' browsing by assigning a unique identifier to each computer. The cookie would relay back information when the user would visit a website served by a particular advertising network using the technologies. In all four cases, many of the content providers' websites entirely failed to disclose the use by the relevant advertising network of flash cookies (or HTML5) on their websites. In addition, in each of the Quantcast, Clearspring and Specific Media lawsuits, the flash cookies were being used to re-spawn deleted cookies. The alleged violation of each statute and common law claim can ultimately be reduced to the accessing by each of the four main companies and the other content provider defendants of the users' computers without authorization or exceeding any authorization that was given.
Ordinarily, HTML cookies are used by developers for authentication, storing site preferences, shopping cart contents or identifiers for a server-based session on a single website. Flash cookies and HTML5 can be used for the same purposes. Where flash cookies and HTML5 are being used for the same functions as traditional HTML cookies, the principles of notice and choice apply. In the context of flash cookies, which are not necessarily controlled through browser preferences, easy instructions should be given to the user on how to "opt-out" of receiving the cookie. The use of flash cookies to re-spawn/restore deleted HTML cookies is almost certainly illegal. The practice defeats the consumer's choice and thereby would violate the relevant EU laws, constitute an unfair trade practice in the US and also likely violate many of the laws cited in the four class action lawsuits.
Further, the CASRO Code of Standards and Ethics (the "Code") defines rules that govern the use of "active agents." "Active agent technology" is defined in the Code "as any software or hardware device that captures the behavioral data about data subjects in a background mode, typically running concurrently with other activities. This category includes tracking software that allows Research Organizations to capture a wide array of information about data subjects as they browse the Internet... Active agent technology also includes direct to desktop software downloaded to a user's computer that is used solely for the purpose of alerting potential survey respondents, downloading survey content or asking survey questions. A direct to desktop tool does not track data subjects as they browse the Internet and all data collected is provided directly from user input." The Code requires not only informed consent from the user, but also imposes many requirements that are designed to protect the reputation of the research industry. For example, the active agent may not turn off anti-spyware software, hijack the user's computer, make the computer perform erratically, or be difficult to uninstall.
In addition, on a routine and ongoing basis, users who participate in the research should receive clear periodic notification that they are actively recorded as participants, so as to ensure that their participation is voluntary.