3 Comments

Summary:

A number of lawsuits have claimed that tracking cookies installed on users’ computers are a breach of privacy, especially new forms of “zombie cookies” that can recreate themselves even if they are deleted. But so far the courts have not agreed that this actually causes harm.

privacy-card-3x2

Updated: If you know anything about computers and web browsing, you probably know that websites place small data files called “cookies” on your PC so that they can remember you when you return. Most of us have gotten pretty used to this, but a new strain of cookies has appeared over the past couple of years that is causing some controversy. Known as “flash cookies,” they recreate themselves even after a user deletes them, and there have been several lawsuits aimed at advertisers and services that employ them.

So far, however, the courts seem unsympathetic — one suit was thrown out earlier this year. This week, a second claim was struck down in the state of New York, after the judge ruled that tracking users for advertising purposes is not something that deserves compensation.

The most recent judgment came in a lawsuit launched against digital-advertising software firm Interclick as well as advertisers including McDonald’s, Mazda and Microsoft. In this case, the plaintiff tried to argue that the use of “flash cookies” and other methods to track her for advertising purposes, even after she had deleted her cookies, was a breach of the Computer Fraud and Abuse Act as well as New York’s unfair competition laws and the common law principle of trespass. As noted in a post on law professor Eric Goldman’s blog, virtually all of the claims were thrown out by the judge, except a deceptive business practices claim against Interclick and the charge of trespassing on the plaintiff’s PC.

Internet advertising is no different than other kinds

The interesting thing about the case was that the judge specifically said that the plaintiff wasn’t entitled to compensation for the invasion of her privacy, even though the software used by the advertisers and websites in question recreated her cookies after she had deleted them. As Kashmir Hill at Forbes describes, Judge Deborah Batts said that as far as the court is concerned, internet advertising is no different than other kinds of advertising, and tracking users for that purpose doesn’t meet the test for the kind of harm the law was designed to protect against. Batts said:

Advertising on the Internet is no different from advertising on television or in newspapers [and] even if [the plaintiff] took steps to prevent the data collection, her injury is still insufficient to meet the statutory threshold.

In other words, the plaintiff wasn’t able to show that she suffered any economic harm as a result of the use of flash cookies. A similar case in May came to a very similar conclusion — according to the court, the plaintiffs failed to prove that the loss of their personal information caused them any kind of economic harm, in part because the prosecution couldn’t prove that even the plaintiffs themselves saw this information as having any specific economic value. The court also said that the plaintiffs hadn’t shown that exchanging this information for services from the websites in question was an unfair trade.

As Eric Goldman explains, a failure to make the economic-harm argument is what caused the death of many cookie-related lawsuits from the early part of the last decade, such as a well-known case against Doubleclick. Some observers had expected that the rise of “undeletable” or “zombie” cookies — which reappear even if the user decides to delete them or prevent themselves from being tracked — would change this trend, but the early evidence seems to show otherwise.

Other “zombie cookie” lawsuits still outstanding

It remains to be seen how these cases will affect some of the other “zombie cookie” lawsuits that have sprung up over the past year, such as the claim recently launched by privacy advocate Ashkan Soltani against a group of websites and services, including GigaOM’s parent company (please see disclosure below). Together with a group of researchers from UC Berkeley, Soltani recently identified the use of a number of technologies by San Francisco-based startup KISSmetrics that allowed unique identifiers to be tracked even if the user deleted his or her cookies (Update: Soltani says he is not associated with the lawsuit and was just an advisor to the researchers). Among other things, as Wired magazine described, the service used the “E-Tag” standard that is built into modern browsers:

The service, called KISSmetrics, is used by sites to track the number of visitors, what the visitors do on the site, and where they come to the site from [but] the researchers say the site is using sneaky techniques to prevent users from opting out of being tracked.

After the Wired article appeared, KISSMetrics said that the claim from Soltani “significantly distorts our technology and business practices” and that the service never used the information from the cookies to identify individual users or track them across different websites, and that it never shared any of the information collected with any third party. Despite this, however, KISSMetrics also said that it was changing its practices to support the emerging “Do Not Track” standard, which makes it easy for users to opt out of having any info collected.

As we’ve written before at GigaOM, the federal government has shown a keen interest in adopting new privacy-related requirements for websites and services, and in particular is pushing companies to offer consumers an obvious way of opting out of being tracked for advertising purposes, such as supporting the Do Not Track standard. The Federal Trade Commission released a draft report late last year looking at the issue, saying self-regulation by the advertising industry isn’t working — something that critics say is proven by cases such as KISSMetrics — and calling on the government to introduce new legislation to specifically protect online privacy.

But until that legislation appears, if it ever does, it looks as though the courts are not going to fight the tracking-cookie battle themselves, until someone manages to prove that having your browsing history or other information shared with an advertiser actually produces some quantifiable economic harm.

Post and thumbnail photos courtesy of Flickr user Josh Hallett

Disclosure: Giga Omnia Media, the parent company of GigaOM, is named as a defendant in the class action suit against KISSmetrics. (Please see our response here.) In order to preserve our editorial objectivity on this issue, corporate decisions related to the case are not shared with any members of the editorial team.

KISSmetrics is backed by True Ventures, a venture capital firm that is an investor in the parent company of this blog, GigaOm. Om Malik, founder of GigaOm, is also a venture partner at True.

  1. Interesting but kind of scary

    Share
  2. The courts don’t seem to care? Neither do I, especially.

    Share
  3. Periodically, I have to clear cookies that come from ZEDO, even when I have not visited a site that is linked to them. They have been fined before, and they should be shut down if they continue using these flash cookies. I do not want their PCH pop-ups or their ’4 MORE YEARS’ ads.

    Share

Comments have been disabled for this post