New Net-Use Tracking Tactics Capture Privacy Claims

Marketing based on data about peoples' Internet use has been a significant issue because the practice presents the opportunity of gathering a wealth of possible information for behavioral-marketing purposes, such as data about an individual user's friends, linkages, locations and influences. The data is valuable beyond the mere collection and targeting of any individual user because it can be used to determine not only what an individual user wants, but also what his or her friends want.

Cookies, Sweet and Not

Internet data behavioral-based marketing may encompass a number of Internet Web sites. Individual Web sites, for instance, collect user information by placing cookies on the computers of users who visit the sites. An independent academic report, conducted by the University of California Berkeley School of Law Center for Law & Technology and published in 2009, entitled “Flash Cookies and Privacy,” found that use of cookies is widespread among the most popular Internet sites. The report found that more than 50% of the 100 most popular Web sites examined used cookies. (The report is available at http://ssrn.com/abstract=1446862.)

These cookies provide several opportunities to improve user experience, such as by saving individual user preferences to make return visits to the Web sites easier for users. However, the use of cookies may result in a privacy-violation claim, even though most such claims have proven to be unfounded.

Relevant Rulings

In In re DoubleClick Inc. Privacy Litigation, 154 F. Supp. 2d 497, Internet users initiated proceedings against DoubleClick, a company responsible for a large amount of Internet advertising.

The Internet users alleged that DoubleClick's practice of placing cookies on the hard drives of Internet users who accessed DoubleClick-affiliated Web sites constituted violations of the Stored Communications Act (“SCA”), the Wiretap Statute and the Computer Fraud and Abuse Act.

The court found that DoubleClick was not liable under the SCA or the Wiretap Statute, because DoubleClick fell into the consent exceptions of those statutes. The court reasoned that when Internet users agreed to the terms and conditions of the DoubleClick-affiliated site, they essentially were consenting to those sites using their information, and so DoubleClick could not be held liable for the use of such information. Ultimately, DoubleClick's legal difficulties arose from engaging in deceptive trade practices. The company said one thing (we will not sell users' data), and did another (sold users' data).

Rather than pursuing a claim that the use of Internet data collection violates Internet users' privacy, Internet users are employing a new tactic. In particular, they claim that it is unlawful for data-collection companies to use certain technology to collect data, such as Flash cookies (see, Edward Valdez et al v. Quantcast Corporation et al, 2:2010-cv-05484 (C.D. Cal., 2010)).

Flash technology, created by Adobe, is the standard technology that most Internet users have installed on their system that allows them to view interactive content online. The Flash cookies allow new cookies to be installed when an Internet user deletes old cookies. The Quantcast complaint alleges that the defendants tracked, stored and resold personal information about consumers, including data about finances and health.

Cookie Tidbits

The new cookie technology was developed to overcome the shortcomings of the existing technology, which uses a string of text transmitted to an Internet site user by the site's server, and is stored by the user's Web browser. When the Internet user contacted the site's server, stored cookies were then used to identify the user. Existing cookies are often used for purposes of authentication and as identifiers for an online session, such as might be required on a membership Web site. These stored strings of text may be easily erased, requiring more of a site's server resources to be used after the erasure and before a second interaction.

Additionally, cookie erasure presents tracking problems for Internet data behavior trackers, such as advertisers. Cookie deletion, for example, may skew various measures of a particular Internet user's behavior. This results in less accurate targeted behavioral ads and traffic counts.

From a technological perspective, controlling cookies isn't difficult. In particular, an Internet user can simply refuse all cookies. All standard browsers allow this option. This is not a very practical solution, though, because most sites use cookies for useful, benign, purposes. Also, many sites require cookies to be enabled before they allow Internet users to view them.

A better alternative is to selectively block or remove undesirable cookies while keeping good ones ' or doing both. A number of approaches exist, including editing the actual contents of the cookie folder to selectively block cookies from sites that a user chooses not to give data, and using the features of any of the major browsers that have added ways to limit or eliminate some or all information sent from a cookie.

It should be noted, however, that the problem with Flash cookies is that they are all linked to the Adobe Web site. If an Internet user blocked all Flash cookies from Adobe, then the user would no longer be able to access Web sites that require Flash technology to function on his or her computer or other Web-accessing device.

Path of Least Resistance

As noted in Ashcroft v. ACLU, 542 U.S. __, 124 S. Ct. 2783, 2788 (2004), courts are loath to impose legal restrictions when technological alternatives are easy to use and inexpensive (or free). The Supreme Court's reasoning largely mirrored that of the district court, which focused on the existence of plausible less-restrictive technical alternatives and determined that the Child Online Protection Act (“COPA”) violates the First Amendment.

Any attempted solution to a legal difficulty that does not take into account and leverage the power of existing and emerging technologies is not only likely to be invalidated by the courts, as in Ashcroft and United States v. Playboy Entertainment Group, 529 U.S. 803, 813 (2000), but is also likely to be ineffective. The best solution to this dilemma is a governmental scheme that avoids broadly applicable statutory restrictions, and encourages the naturally developing use of technological solutions to the problem.

While Flash cookies are a new technology, their use appears to be covered by existing case law. Additionally, it appears that as long as the use of Flash cookies is disclosed in the appropriate Terms of Use agreement and/or privacy policy, the new technology may be used lawfully. Indeed, a plaintiff would be more likely to succeed in a claim against a Web site that uses Flash cookies but does not disclose in a clear and conspicuous way the use of such cookies in its terms of service.

FTC Action

The Federal Trade Commission (“FTC”) has taken the position that behavioral marketing should be self-regulated, but the agency has prosecuted Web-site owners who fail to disclose behavioral-targeting techniques in a clear and conspicuous manner as a violation of Section 5(a) of the Federal Trade Commission Act.

In FTC and Sears Holding Management Corporation, Docket No. 4264 (Aug. 31, 2009), the FTC found that Sears invited Internet users who visited its Web site to disclose information in exchange for a $10 coupon. The FTC also found that Sears obscured the extent of the data collection, which included health, banking and other sensitive data, in its privacy statements. The Sears settlement agreement required Sears to provide clear and conspicuous disclosure to consumers about the extent of data collection separate from other privacy agreements in a way that was unavoidable, so as to ensure that the consumer had proper notice.

Conclusion

A court considering the lawful use of Flash cookies will likely hold that Flash-cookie users will not be liable under any federal laws because their use will fall within the consent exceptions under the SCA and the Wiretap Statute.

Additionally, Flash-cookie users will not be liable under the Computer Fraud and Abuse Act, because it is unlikely the plaintiffs will meet the statutory threshold of $5,000 in losses.

Nevertheless, as the FTC becomes more stringent in enforcing notice requirements for behavioral targeting, counsel and principals involved in Web sites that use Flash cookies should be prudent in ensuring that they provide the appropriate notice to consumers of that use and of data to be collected.

Targeting consumers as prospective customers by using behavioral-based marketing is a technique used by traditional, and Internet, publishers and advertisers to increase the effectiveness of their campaigns.

In the past, marketing firms conducted surveys of readers' preferences and affiliations. Today, Internet marketing firms collect data associated with individuals' Internet behavior; a practice that has been found to be lawful.

However, the use of new technology makes peoples' efforts to keep Internet behavior private more difficult, has given rise to renewed claims from consumers of unlawful intrusiveness by Internet data-collectors, and has revived the argument that such behavior unlawfully violates privacy expectations.

Marketing based on data about peoples' Internet use has been a significant issue because the practice presents the opportunity of gathering a wealth of possible information for behavioral-marketing purposes, such as data about an individual user's friends, linkages, locations and influences. The data is valuable beyond the mere collection and targeting of any individual user because it can be used to determine not only what an individual user wants, but also what his or her friends want.

Cookies, Sweet and Not

Internet data behavioral-based marketing may encompass a number of Internet Web sites. Individual Web sites, for instance, collect user information by placing cookies on the computers of users who visit the sites. An independent academic report, conducted by the University of California Berkeley School of Law Center for Law & Technology and published in 2009, entitled “Flash Cookies and Privacy,” found that use of cookies is widespread among the most popular Internet sites. The report found that more than 50% of the 100 most popular Web sites examined used cookies. (The report is available at http://ssrn.com/abstract=1446862.)

These cookies provide several opportunities to improve user experience, such as by saving individual user preferences to make return visits to the Web sites easier for users. However, the use of cookies may result in a privacy-violation claim, even though most such claims have proven to be unfounded.

Relevant Rulings

In In re DoubleClick Inc. Privacy Litigation, 154 F. Supp. 2d 497, Internet users initiated proceedings against DoubleClick, a company responsible for a large amount of Internet advertising.

The Internet users alleged that DoubleClick's practice of placing cookies on the hard drives of Internet users who accessed DoubleClick-affiliated Web sites constituted violations of the Stored Communications Act (“SCA”), the Wiretap Statute and the Computer Fraud and Abuse Act.

The court found that DoubleClick was not liable under the SCA or the Wiretap Statute, because DoubleClick fell into the consent exceptions of those statutes. The court reasoned that when Internet users agreed to the terms and conditions of the DoubleClick-affiliated site, they essentially were consenting to those sites using their information, and so DoubleClick could not be held liable for the use of such information. Ultimately, DoubleClick's legal difficulties arose from engaging in deceptive trade practices. The company said one thing (we will not sell users' data), and did another (sold users' data).

Rather than pursuing a claim that the use of Internet data collection violates Internet users' privacy, Internet users are employing a new tactic. In particular, they claim that it is unlawful for data-collection companies to use certain technology to collect data, such as Flash cookies (see, Edward Valdez et al v. Quantcast Corporation et al, 2:2010-cv-05484 (C.D. Cal., 2010)).

Flash technology, created by Adobe, is the standard technology that most Internet users have installed on their system that allows them to view interactive content online. The Flash cookies allow new cookies to be installed when an Internet user deletes old cookies. The Quantcast complaint alleges that the defendants tracked, stored and resold personal information about consumers, including data about finances and health.

Cookie Tidbits

The new cookie technology was developed to overcome the shortcomings of the existing technology, which uses a string of text transmitted to an Internet site user by the site's server, and is stored by the user's Web browser. When the Internet user contacted the site's server, stored cookies were then used to identify the user. Existing cookies are often used for purposes of authentication and as identifiers for an online session, such as might be required on a membership Web site. These stored strings of text may be easily erased, requiring more of a site's server resources to be used after the erasure and before a second interaction.

Additionally, cookie erasure presents tracking problems for Internet data behavior trackers, such as advertisers. Cookie deletion, for example, may skew various measures of a particular Internet user's behavior. This results in less accurate targeted behavioral ads and traffic counts.

From a technological perspective, controlling cookies isn't difficult. In particular, an Internet user can simply refuse all cookies. All standard browsers allow this option. This is not a very practical solution, though, because most sites use cookies for useful, benign, purposes. Also, many sites require cookies to be enabled before they allow Internet users to view them.

A better alternative is to selectively block or remove undesirable cookies while keeping good ones ' or doing both. A number of approaches exist, including editing the actual contents of the cookie folder to selectively block cookies from sites that a user chooses not to give data, and using the features of any of the major browsers that have added ways to limit or eliminate some or all information sent from a cookie.

It should be noted, however, that the problem with Flash cookies is that they are all linked to the Adobe Web site. If an Internet user blocked all Flash cookies from Adobe, then the user would no longer be able to access Web sites that require Flash technology to function on his or her computer or other Web-accessing device.

Path of Least Resistance

As noted in Ashcroft v. ACLU , 542 U.S. __, 124 S. Ct. 2783, 2788 (2004), courts are loath to impose legal restrictions when technological alternatives are easy to use and inexpensive (or free). The Supreme Court's reasoning largely mirrored that of the district court, which focused on the existence of plausible less-restrictive technical alternatives and determined that the Child Online Protection Act (“COPA”) violates the First Amendment.

Any attempted solution to a legal difficulty that does not take into account and leverage the power of existing and emerging technologies is not only likely to be invalidated by the courts, as in Ashcroft and United States v. Playboy Entertainment Group , 529 U.S. 803, 813 (2000), but is also likely to be ineffective. The best solution to this dilemma is a governmental scheme that avoids broadly applicable statutory restrictions, and encourages the naturally developing use of technological solutions to the problem.

While Flash cookies are a new technology, their use appears to be covered by existing case law. Additionally, it appears that as long as the use of Flash cookies is disclosed in the appropriate Terms of Use agreement and/or privacy policy, the new technology may be used lawfully. Indeed, a plaintiff would be more likely to succeed in a claim against a Web site that uses Flash cookies but does not disclose in a clear and conspicuous way the use of such cookies in its terms of service.

FTC Action

The Federal Trade Commission (“FTC”) has taken the position that behavioral marketing should be self-regulated, but the agency has prosecuted Web-site owners who fail to disclose behavioral-targeting techniques in a clear and conspicuous manner as a violation of Section 5(a) of the Federal Trade Commission Act.

In FTC and Sears Holding Management Corporation, Docket No. 4264 (Aug. 31, 2009), the FTC found that Sears invited Internet users who visited its Web site to disclose information in exchange for a $10 coupon. The FTC also found that Sears obscured the extent of the data collection, which included health, banking and other sensitive data, in its privacy statements. The Sears settlement agreement required Sears to provide clear and conspicuous disclosure to consumers about the extent of data collection separate from other privacy agreements in a way that was unavoidable, so as to ensure that the consumer had proper notice.

Conclusion

A court considering the lawful use of Flash cookies will likely hold that Flash-cookie users will not be liable under any federal laws because their use will fall within the consent exceptions under the SCA and the Wiretap Statute.

Additionally, Flash-cookie users will not be liable under the Computer Fraud and Abuse Act, because it is unlikely the plaintiffs will meet the statutory threshold of $5,000 in losses.

Nevertheless, as the FTC becomes more stringent in enforcing notice requirements for behavioral targeting, counsel and principals involved in Web sites that use Flash cookies should be prudent in ensuring that they provide the appropriate notice to consumers of that use and of data to be collected.