Two Congressmen recently wrote the Federal Trade Commission (FTC) asking the FTC to investigate the privacy implications of the installation of files called Flash cookies or Supercookies on consumers’ computers. These Supercookies allow companies such as Hulu.com to gain personal information from consumers without their knowledge for behavioral advertising targeting. The two Congressmen, Joe Barton (R-TX) and Ed Markey (D-MA), are Co-Chairman of the Congressional Bi-Partisan Privacy Caucus.
Supercookies are Hidden
The Congressmen’s letter is based on an August Wall Street Journal article discussing the use of Supercookies. Supercookies differ from regular “cookies” because Supercookies are hidden from view and cannot be deleted. Consumers are unaware these files are placed on their computer. They remain on a computer even when the consumer clears the browsing history and cache. And they record information even when the consumer is browsing in “private browsing” mode.
Supercookies Common on Many Top Websites
A recent study found 100 Supercookies placed on users’ computers by 37 of the top 100 websites. Some Supercookies can even “respawn” traditional cookies after a consumer deletes them. Amazingly, the study also suggests that owners of the top website surveyed have little or even no knowledge that their websites are being used by third party tracking companies to place Supercookies on consumers’ computers.
Class Action Suits Filed on Secret Use of Supercookies
Earlier this year, a California class action lawsuit against Web measurement company Quantcast and widget maker Clearspring based on surreptitious placement of Supercookies settled for $2.5 Million. Another class action lawsuit in California against Kissmetrics and Hulu.com alleging that surreptitious placement of cookies and similar tracking files violates the Computer Fraud and Abuse, Electronic Communications, and Video Privacy Protection Acts, as well as several similar state laws, is still pending. Most recently, on Nov. 23, 2011 web video company Metacafe settled a similar suit by the agreeing to stop use of Supercookies to recreate users’ regular cookies. FTC Action/Settlement
The FTC itself on Nov. 8, 2011 both filed a complaint and announced a settlement agreement containing a consent injunction against ad network ScanScout (which was acquired last year by Tremor Media). The agreement requires ScanScout and Tremor to give prominent notice on its website that it is collecting information to send the consumer targeted ads, unless the consumer opts out by clicking on a hyperlink declining to receive targeted ads. The agreement also requires that the hyperlink take consumers to a mechanism that allows them to block the company from collecting information that can identify them or their computer, from redirecting their browser to third parties that collect date with their approval; and from associating any previously collected personal data with them. The consumer’s choice must last for at least five years, unless the consumer changes it. The agreement will be subject to public comment for 30 days, continuing through December 8, 2011, after which the Commission will decide whether to make it final.
Implications of Secret Use of Supercookies
The FTC investigation requested by Congressmen Barton and Markey, the pending class action lawsuits, and actions by the FTC are likely to lead to additional regulations and limits on behavioral advertising through the use of Supercookies. The FTC is likely to rule that obtaining personal data using Supercookies without notice and an opportunity for consumers to opt out violates current laws and FTC privacy guides. It is unclear whether companies will be liable for engaging in behavioral advertising by acquiring and using personal data obtained by third parties with the use of Supercookies, but we expect further limits on such use.
Authors: Paul Van Slyke | Gregory Casamento | Patrick Hatfield |