Privacy & Information Security Law Blog

On August 18, 2010, a complaint was filed in the U.S. District Court for the Central District of California, alleging that Specific Media, Inc. violated the Computer Fraud and Abuse Act, as well as state privacy and computer security laws, by failing to provide adequate notice regarding its online tracking practices.  The suit, brought by six web users, seeks class action status and over $5 million in damages, and cites Specific Media’s use of Flash cookies to re-create deleted browser cookies as one of the offending practices.

According to the complaint, Specific Media violated users’ privacy, financial interests and computer security rights by storing tracking codes as Adobe Flash Player local shared objects (“LSOs”), instead of as browser cookies, in order to “re-spawn” browser cookies after users intentionally deleted them.  The complaint alleges that Specific Media re-created the cookies so it could obtain personally identifying information, monitor online activity, and sell users’ data.  In addition, the complaint asserts that Specific Media’s privacy documents are “deceptive by design,” and “sufficiently vague,” such that users are not fully informed about how their information is collected and used.

This use of Flash cookies came to light about a year ago when academic researchers at the University of California, Berkeley, and other universities, published an article which found that more than 50% of sites sampled are using Flash cookies to store information about visitors, and that some are using Flash cookies to “re-spawn” browser cookies deleted by consumers at the browser level.  The paper explains that visitors to a site using Flash cookies in this way receive a standard browser cookie, and an identical Flash cookie.  If a consumer deletes the browser cookie, the Flash cookie may be used to “re-spawn” the browser cookie, without providing notice to, or obtaining consent from, the consumer.  Flash cookies are not managed by browser cookie privacy controls, rather, users must delete them using Adobe’s online privacy controls.

This action against Specific Media follows other recent suits brought in federal court, alleging similar claims of Flash cookie use against targeted advertising networks Quantcast and Clearspring Technologies, and popular customers of their services, including MTV and Disney.

On April 28, 2011, Specific Media announced that the claims against it had been dismissed.