Header graphic for print
Privacy Law Blog

News “Flash” – FTC Settlement Over Use of Flash Cookies Highlights FTC Focus on Consumer Notice and Choice

Posted in Behavioral Marketing

The Federal Trade Commission has announced a settlement agreement with ScanScout, Inc., an online advertising network alleged to have made misleading statements in its privacy policy which omitted to disclose ScanScout’s use of Flash cookies. The settlement terms require ScanScout to implement various conspicuous (i.e., not hidden in the privacy policy) notices regarding behavioral tracking and opt-out mechanisms that are reflective of recent FTC guidance and developing industry standards. Companies engaging in behavioral tracking (using Flash cookies or otherwise) may look to the terms of this settlement agreement for color on what the FTC wants to see in terms of consumer notices and choices.

ScanScout acts as an intermediary between web publishers and advertisers. ScanScout purchases advertising space on websites and contracts with advertisers to place video advertisements on the sites. ScanScout uses information gathered from cookies on users’ computers to deliver advertisements targeted to the user’s interests (as predicted by the user’s browsing history).

According to the FTC’s complaint, between 2007 and 2009 ScanScout used flash local shared objects – more commonly described as “Flash cookies” – in addition to HTML cookies to track consumers. As we’ve previously discussed, the use of Flash cookies has created controversy because Flash cookies are stored in a different location on a user’s computer than HTML cookies and are not controlled by certain web browser software – which means that they cannot be blocked or deleted by standard privacy controls within that software. (Some of these concerns have been alleviated by the latest version of Adobe Flash, which works with the latest versions of Google Chrome, Mozilla Firefox, and Microsoft Internet Explorer to allow users to control or delete Flash cookies through the browser’s privacy settings.)

The FTC alleged that ScanScout acted deceptively in violation of the FTC Act because its privacy policy disclosed the use of HTML cookies and the method by which consumers could change their browser settings to block them, but failed to disclose that ScanScout was also using Flash cookies that could not be blocked in the same manner. The FTC alleged that ScanScout falsely represented, “expressly or by implication,” that consumers could prevent ScanScout from collecting data about their online activities by changing their browser settings to prevent the receipt of cookies.

The proposed settlement includes a consent order prohibiting ScanScout from misrepresenting (A) the extent to which data about users or their online activities is collected, used, disclosed, or shared; or (B) the extent to which users may control the collection, use, disclosure, or sharing of data collected from them. 

The proposed settlement also requires ScanScout to implement a number of “clear and prominent” disclosures to consumers. First, ScanScout must place a hyperlinked notice on its homepage(s) stating “We collect information about your activities on certain websites to send you targeted ads. To opt out of our targeted advertisements click here.” 

Second, the hyperlink must direct users to a mechanism by which users may prevent ScanScout from (a) collecting data that can be associated with a particular user; (b) redirecting users’ browsers to third parties that collect data (absent a click or other affirmative action by the user); and (c) associating any previously collected data with the user. The user’s choice must remain in effect for five years, but is subject to certain permissible uses (e.g., to implement the user’s choice to prevent the collection of data or to limit the number of times an advertisement is displayed). 

Third, “within close proximity to the mechanism,” ScanScout must disclose: (1) that ScanScout collects information about user’s online behavior in order to deliver targeted advertising; (2) that if the user implements the mechanism, ScanScout will not collect this information for the purpose of delivering targeted advertising; (3) the user’s current status (e.g., “not opted out” or “opted out”); and (4) any action initiated by the user that would disable the mechanism (e.g., use of a different browser or deletion of cookies).

Finally, ScanScout must include “within or immediately adjacent to” any targeted advertisement a hyperlink that takes consumers directly to the mechanism. Although it may not be technically possible to include hyperlinks in every targeted advertisement ScanScout currently serves, ScanScout must “[u]ndertake reasonable efforts to develop or implement” such hyperlinks within any targeted video advertisements it serves, and must report regularly to the FTC regarding its efforts to do so. 

The FTC voted 4-0 to approve the administrative complaint and proposed consent agreement. The FTC will publish a description of the consent agreement in the Federal Register, and it will be subject to public comments through December 8, 2011.