Night of the Living . . . Cookies?
It may sound like a failed attempt to make Sesame Street into a horror movie, but for many popular websites, so-called “zombie” cookies are no joke. Since July, a number of class-action lawsuits have been filed in federal court challenging the use of zombie cookies, or “Flash cookies” as they are more commonly known, claiming they violate the privacy rights of computer users. Unlike typical HTTP cookies, Flash cookies are not only difficult to delete, but they can also recreate a deleted HTTP cookie or, in zombie terms, bring a dead cookie back to life.
Most internet users recognize the typical HTTP cookies used to store user browsing habits; these cookies can easily be removed through cookie privacy controls in a browser. Flash cookies on the other hand are stored in a separate directory from typical HTTP cookies and are not controlled by the browser – making them difficult to purge by users not aware of the difference.
Flash cookies are placed on a user’s hard drive when a website embeds Flash content from the Adobe Flash program on a page including when users watch videos on Web sites such as YouTube. These cookies are used to store user preferences and deliver Web analytics to publishers, but recent lawsuits have focused on the alleged potential of the Flash cookies to intercept and pass on private or identifying user data without the user’s knowledge or consent.
In the last four months, at least five class-action lawsuits have been filed in California accusing multi-media companies of systematically engaging in and facilitating a “covert operation of surveillance” and violating several laws including the Electronic Communications Privacy Act and California’s Invasion of Privacy Act. The complaints focus on the use of the Flash cookies to collect data where companies failed to provide notice to consumers through Terms of Service and/or a Privacy Policies. Additionally, these suits allege that by recreating deleted HTTP cookies, the Flash cookies circumvent a user’s intent to clear browser cookies, an alleged violation of privacy and cyber laws.
Although courts have upheld the use of HTTP cookies in the past, it is unclear how courts will apply existing laws to this new breed of cookie. Since these lawsuits alleging privacy violations expose businesses to unforeseen litigation liability, it is a good time to examine your company’s use of cookies and conduct a legal review of your privacy policy so your company can avoid this privacy nightmare.