Online advertising network ScanScout, Inc. has agreed to settle the FTC's charges that it deceptively represented that users could opt out of receiving targeted ads by changing their web browser settings to block and delete cookies. The FTC's press release on the settlement can be found here.

According to the FTC's Complaint, though, users could not really prevent ScanScout from collecting data about their online activities by changing their settings to block and delete cookies. The Complaint stated that while ScanScout provided information to users on how to manage HTTP cookies on their computers, so as to prevent tracking, the site's privacy disclosure did not adequately inform users regarding the use and management of Flash local shared objects, otherwise known as "Flash cookies," from being placed on their computers. Flash cookies, like HTTP cookies, can be used to store data correlated with the online activity on a computer.

To those tuned into the privacy law world, the issue of Flash cookies is one that continues to pop up over and over again. Back in 2010, a slew of class actions were brought in California federal court against a number of companies - many of them also advertising networks - over their alleged use of Flash cookies. Earlier this year, too, a number of companies were sued in New York federal court and in Arkansas state court over their alleged uses of Flash cookies. The ScanScout consent decree is just the latest progression with the Flash cookie issue. In addition to the ongoing threat of Flash-cookie-related litigation, companies should now be put on notice that the failure to properly disclose the use of Flash cookies can result in FTC enforcement.

As part of the consent order, ScanScout must comply with the following obligations:

• ScanScout must update its website privacy policy to include a hyperlink that will enable users to prevent ScanScout from collecting data on their online activity without their approval. The choice must be effective for at least five years.
• ScanScout must disclose that it collects information about users' activities on certain websites in order to deliver targeted ads, the current status of the user's choice (i.e., opted out or not opted out), and explain any circumstances that would automatically change the choice (e.g., use of a different browser or device).
• ScanScout must embed a hyperlink to the opt-out mechanism in or immediately adjacent to its targeted ads.
• ScanScout must make available to the FTC for inspection and copying for a period of five years, consumer complaints or inquiries directed or forwarded to ScanScout concerning certain aspects of its information practices, such as its collection of data, its opt-out practices, documents demonstrating compliance with the consent order, past terms of use, end-user license agreements, and privacy policies.

The FTC is accepting public comment on the consent order until December 8, 2011.

So what should companies do? For starters, since there can often be a disconnect between the various decision makers, companies need to first understand what type of data collection technologies are being used on their site - whether they are using Flash cookies, HTTP cookies, web beacons, etc. Then, companies need to understand exactly for what purposes these technologies are being used. Despite what some privacy advocates may argue, not all data collection technologies are used for invasive tracking purposes. For instance, Flash cookies have a number of benefits for computer users, including, but not limited to, saving user content for the purposes of logging in, playing a Flash-based game, and security / verification purposes. If third parties are employed on the site - such as third-party advertising networks, web analytics or statistics companies, or just other companies posting ads on the site - then it is important to also understand if and how these third parties are using data collection technologies. Also, companies should review their current website privacy policies to make sure that proper disclosures are being made in line with their use of data collection technologies. Policies should be clear, concise, and use plain language. They should also give consumers the appropriate choices and options for collection, and disclosures about the management of technologies need to be accurate.

Reed Smith has extensive experience on these issues, having represented a number of companies in the defense of Flash-cookie-related litigation. We have also assisted many companies on compliance advice related to their use and disclosure of Flash cookies. Those seeking additional advice on these issues should reach out to the authors of this article.

Client Alert 2011-280