A blog in The Economist (“Beware the cookie monster”) last week picks up on the latest publication by a group of researchers associated with U.C. Berkeley. The point of the pundit piece? The peskiness of tracking cookies that persist despite a consumer’s decision to “opt-out.”
The researchers’ study took a wide view, looking at how, and how many, cookies would be placed on a single computer visiting the top 100 sites on the Internet. Along the way to finding that some 600 separate third parties placed nearly 5,000 cookies on a single computer visiting those 100 sites, the researchers found a few companies placed cookies that seemed to come back from the dead. Although The Economist only highlighted a few of the technical means companies employ to bring cookies back even after consumers try to get rid of them, at last count one of the researchers who contributed to the study has found 13 such means, a list which grows almost each time new technologies are implemented.
Barely had the virtual ink dried on this study, when the first of what could be several consumer class-action lawsuits was filed in US District Court in California. In it, the plaintiffs allege that certain of the companies mentioned in the study employ practices of continuing to track their online habits after they have tried to opt out, violating their expectations to privacy, as well as several federal and state laws.
If any of this sounds familiar, it should. This most recent study follows on from an earlier one some of the same researchers published in 2009, which highlighted similar practices embedding cookies using Adobe’s Flash program that couldn’t be removed. Then, their findings quickly engendered controversy, followed by lawsuits, more lawsuits, and finally settlements.
Controversies over what actually happens after a consumer “opts-out” might sound familiar for another reason. A few weeks ago, we posted comments on the results of yet another study, this one conducted by Stanford University’s Center for Internet and Society. According to Stanford’s study, half of the online advertising companies participating in the NAI’s self-regulatory framework still tracked consumers even after they had “opted out” from receiving behavioral advertising.
Both studies’ findings come in an atmosphere slightly changed since 2009. As the FTC continues to explore how a “Do Not Track” registry might work to bolster behavioral advertising companies’ self-regulatory efforts, one of the Commissioners last week intimated the FTC may soon request far more information from those companies regarding their practices, including details of their opt-out processes. Also, although the FTC continues its longstanding focus in this area on ensuring companies protect consumers’ personal information, it also recently brought its first case ever in the behavioral advertising area, in June approving an order against an online advertiser. At issue in that case? Ironically − a “do not track” cookie that died after a brief life of 10 days and stayed that way, setting the stage for resumed tracking without informing the consumer.
Companies would be well-served to settle on a policy for tracking consumers and follow it. As technologies evolve offering new ways to record consumers’ activities, and companies seek to use those technologies to retain an edge through more targeted marketing or advertising, they may wish to remember the basics to stay above the emerging regulatory and class-action fray over consumer tracking. Explain to consumers when their behavior is tracked when visiting their website; offer a clear and conspicuous means to opt out of such tracking; and respect consumers’ privacy preferences, even if that means saying “no” to more cookies.