Second Privacy Lawsuit Over ‘Flash Cookies’ Falls Apart

The Federal Trade Commission is concerned about the state of online privacy, but the agency doesn’t believe it has the legal authority-yet-to take action against unwanted online tracking. Some internet lawyers, however, believe that existing law allows them to take action to punish trackers in court right now. Those crusades have met with little success, however, and would-be privacy plaintiffs won’t take much comfort from a recent ruling against the online marketing company interclick made clear.

When an internet user deletes his or her cookies, it’s often to inhibit online tracking. But some services-including, allegedly, interclick-use so-called “Flash cookies” to re-spawn the HTTP cookie. That is, they take data stored by Adobe’s Flash player and use it to slip a cookie back into the same computer that the user just deleted it from.

Privacy advocates widely consider this to be an unethical practice, because it involves online marketers essentially using technological back-doors to override the wishes of users. The FTC doesn’t like Flash cookies to be used for tracking, either. Adobe (NSDQ: ADBE) has condemned the practice, calling it a misuse of its Flash software; and it has changed around Flash privacy controls to make it easier for users to control the cookies.

Interclick also allegedly engaged in “history sniffing,” essentially a hack of browser software that allows a company to check if an internet user has visited certain websites.

While widely denounced, are these practice illegal? Judging from this court’s decision, probably not.

As is common in digital-privacy lawsuits, the plaintiffs’ lawyers in this case had a variety of claims. They said interclick and big advertisers that worked with the company-including McDonald’s, CBS (NYSE: CBS), Mazda, and Microsoft-were violating federal anti-hacking laws, as well as New York state deceptive business practices and trespass laws. The plaintiffs also brought a claim under federal anti-wiretapping law, but that was dropped earlier this year.

The judge threw out the anti-hacking claim entirely, saying that Bose didn’t suffer any real damage to her computer because of Flash cookies. The claim over deceptive business acts was left in against interclick but thrown out against the corporations that did business with it; the tresspass claim against interclick was left in.

In addition, the corporations that worked with interclick as their advertising partner are completely home free-a result that should reassure big advertisers that they don’t have to worry about being dragged in to privacy litigation because of the ad network they chose to do business with.

The judge expressed skepticism even about the few claims left in the lawsuit. “It’s clear to me those claims will eventually fail,” said Eric Goldman, a lawyer who writes frequently about internet privacy lawsuits, usually from critical standpoint. “The judge just didn’t pull the trigger on the motion to dismiss.”

Legal wonks interested in a detailed claim-by-claim analysis should check out attorney-blogger Venkat Balasubramani’s analysis, as well. Balasubramani notes this is the second privacy lawsuit over Flash cookies to meet a chilly reception in court. (The first was one against Specific Media.)

“This opinion is obviously a big setback for the plaintiffs’ bar,” said Ian Ballon, a Greenberg Traurig attorney who represents interclick.

The lawsuit was brought by KamberLaw, a firm that specializes in representing plaintiffs in internet cases. The head of the firm, Scott Kamber, discussed this suit and his views on online privacy generally with paidContent earlier this year. The named plaintiff in the case is Sonal Bose, a New York City resident, and the suit asks for class action status.

In a statement released today, interclick CEO Michael Katz said: “As we have said from the beginning, interclick has always taken consumer privacy very seriously and these claims were brought without merit. We are pleased that the central claims in the litigation have been dismissed by The United States District Court.”

»  Judge’s order in Bose v. interclick [PDF]

»  Original Bose v. interclick complaint [PDF]

»  Original Bose v. McDonald’s et al. complaint [PDF] (Consoldiated with the