FTC Takes on Super Cookies
On November 8, 2011, the Federal Trade Commission announced that an online advertiser, ScanScout, agreed to settle FTC charges that it deceptively used "Flash" cookies (also known as super cookies) to track consumers online. As explained by Wired, unlike traditional browser cookies, Flash cookies are not controlled by privacy controls in a Web browser. That means that even if a user adjusts browser settings to clear the computer of tracking objects, Flash cookies most likely will remain.
According to the FTC, ScanScout is an advertising network that places video ads on websites for advertisers. ScanScout engages in behavioral advertising – it collects information about consumers’ online activities and then serves video ads targeted to their interests.
General user data, such as your computer’s Internet Protocol (IP) address, operating system and browser type, pages you visited, and the date and time of your visit, is automatically collected through the use of “cookies”. Cookies are small files that are stored on your computer by a website to give you a unique identification. Cookies also keep track of services you have used, record registration information regarding your login name and password, record your preferences and keep you logged into the Site. You can opt out of receiving a cookie by changing your browser settings to prevent the receipt of cookies. Since each web browser is different, we recommend that you please look through your browser “Help” file to learn the correct way to modify your cookies set-up. . . We may use automatically collected information and cookies information for a number of purposes, including but not limited to. . . provide custom, personalized content, and information; monitor the effectiveness of our marketing campaigns. . . (emphasis added)
According to the FTC, however, ScanScout actually used Flash cookies that users could not block by adjusting their Web browser settings. The FTC alleged that ScanScout's representations that consumers could prevent ScanScout from collecting data about their online activities by changing their browser settings were false or misleading and constituted deceptive acts or practices in or affecting commerce in violation of Section 5(a) of the Federal Trade Commission Act.
The settlement imposes a number of requirements on ScanScout. Specifically, the settlement:
- Prohibits the company from misrepresenting (1) the extent to which it collects, uses or discloses data about users or their online activities, (2) the extent to which users may exercise control over the collection, use or disclosure of data collected from or about them, their computers or devices or their online activities.
- Requires the company to take a number of steps to improve the transparency of, and users’ ability to control, its collection of user data for online behavioral advertising, including by implementing a mechanism that allows users to prevent ScanScout from: (1) collecting information that can be associated with users or contains a unique identifier, (2) redirecting users' browsers to third parties that collect data, absent a user's affirmative action, and (3) associating any previously collected data with them. Users' preferences must remain in effect for a minimum of five years.
- Requires the company to disclose: (1) that it collects information about users’ activities on certain websites to deliver targeted ads, (2) that, when users opt out, the company will not collect this information to deliver such ads, (3) users’ current preference, and (4) any circumstances that, if initiated by the user, would disable the mechanism or require the user to implement the mechanism again to maintain the preference (i.e., if a user switches browsers or devices, or deletes cookies, the user will have to opt out again).
- Requires the company, within or immediately adjacent to any behaviorally targeted display advertisement that the company serves, to include a hyperlink that takes users directly to the required choice mechanism.
- Because technical limitations currently prevent ScanScout from embedding a hyperlink in all of its video ads, the order requires the company to undertake reasonable efforts to develop and implement a hyperlink in its video ads and to report regularly to the FTC on its progress.
The settlement also requires ScanScout to retain documents relating to its compliance with the consent order and to disseminate the order to all current and future principals, officers, directors, managers, employees, agents, and representatives having supervisory responsibilities relating to the subject matter of the order. As typical for FTC enforcement actions, the order will remain in force for 20 years.
The FTC is proving to be an increasingly nimble privacy enforcer, with ever shorter news story-to-enforcement action cycles. This approach is consistent with the FTC's stated commitment to take enforcement actions in the areas where the agency believes there is significant non-compliance.