Flash Cookies: A Regulatory Risk?

September 27, 2009

Many readers may already be aware of the characteristics and usage of Flash cookies. For those who aren’t, here’s a quick introduction:
Cookies (whether traditional HTTP cookies or Flash cookies) are used for authenticating, session tracking and remembering specific information about web site users, such as site preferences or the contents of their electronic shopping carts. Many people choose to delete HTTP cookies by altering privacy settings on their computer and clearing their web history. In fact, several studies have found that over 30% of users delete first party HTTP cookies once a month. Then, in 2005, United Virtualities (an online advertising company) developed a backup ID system for cookies that were being set up by web sites, ad networks and advertisers but increasingly deleted by users. This was called a Persistent Identification Element (PIE) and this was used to create a feature in Adobe’s Flash Player known as Local Shared Objects or ‘Flash cookies’.

Flash cookies have several characteristics that lead to more persistence than standard HTTP cookies:
1. they can contain up to 100KB of information by default, whereas HTTP cookies only store 4KB;
2. they do not have expiry dates by default, whereas HTTP cookies expire at the end of a session unless programmed to live longer by the domain setting the cookie; and
3. they are stored in a different location to HTTP cookies, so users may not know what files to delete in order to eliminate them.

Unsurprisingly, being a more resilient technology for tracking than HTTP cookies, they have become popular tools for web site operators. Indeed, a study by researchers at the University of California, Berkeley, USA, found that 54 of the 100 most popular US web sites used them. Further, of six randomly selected US Government web sites, three were using Flash cookies to retain the personal information of users. However, their use creates an area of uncertainty for user privacy control. Erasing HTTP cookies, clearing history, erasing the cache, or choosing a delete private data option within the browser does not affect Flash cookies. Even the ‘Private Browsing’ mode recently added to most browsers, such as Internet Explorer 8 and Firefox 3, still allows Flash cookies to operate fully and track the user.
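Because Flash cookies live outside the browser's own cookie store, the practical first step for a user or administrator is simply to find them. The script below is an added example, not code from the original article or from Adobe: it walks a Flash Player `#SharedObjects` directory, groups the `.sol` files (the on-disk form of a Local Shared Object) by the domain that set them, and reports how much data each domain holds and how old its oldest object is. The default profile paths for Windows, macOS and Linux are the standard Flash Player locations and are listed as assumed defaults; the function names (`find_flash_cookies`, `summarise`, `build_sample_tree`) are this example's own, and the sample tree `build_sample_tree` creates is constructed for offline demonstration and does not come from any real site.

```python
"""Inventory Flash Local Shared Objects (.sol files) by setting domain.

Added example: a read-only audit of the Flash cookie store that the browser's
'clear private data' controls do not touch.
"""
import os
import sys
import time
from collections import defaultdict

# Standard Flash Player #SharedObjects locations per platform (assumed defaults;
# adjust if your Flash Player build stores its profile elsewhere).
DEFAULT_ROOTS = {
    "win32": [os.path.join(os.environ.get("APPDATA", ""), "Macromedia",
                           "Flash Player", "#SharedObjects")],
    "darwin": [os.path.expanduser(
        "~/Library/Preferences/Macromedia/Flash Player/#SharedObjects")],
    "linux": [os.path.expanduser("~/.macromedia/Flash_Player/#SharedObjects")],
}

SAMPLE_TIME = 1_000_000_000  # fixed epoch used by the constructed sample tree


def find_flash_cookies(root):
    """Walk a #SharedObjects tree and return {domain: [(path, size, mtime), ...]}.

    Layout of the store: <root>/<random id>/<setting domain>/<site path>/<name>.sol
    Only .sol files are counted; anything else in the tree is ignored.
    """
    found = defaultdict(list)
    if not os.path.isdir(root):
        return dict(found)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".sol"):
                continue
            full = os.path.join(dirpath, name)
            parts = os.path.relpath(full, root).split(os.sep)
            # parts[0] is the per-install random id, parts[1] the domain that set the object
            domain = parts[1] if len(parts) > 2 else "(unknown)"
            st = os.stat(full)
            found[domain].append((os.sep.join(parts[2:]), st.st_size, st.st_mtime))
    return dict(found)


def summarise(inventory, now=None):
    """Return [(domain, file_count, total_bytes, oldest_age_days)] sorted by size, largest first."""
    now = time.time() if now is None else now
    rows = []
    for domain, entries in inventory.items():
        total = sum(size for _p, size, _m in entries)
        oldest = min(mtime for _p, _s, mtime in entries)
        rows.append((domain, len(entries), total, (now - oldest) / 86400))
    rows.sort(key=lambda r: r[2], reverse=True)
    return rows


def build_sample_tree(base):
    """Create a constructed, fake #SharedObjects tree under `base` and return its root.

    The domains, names, sizes and timestamps are made up for demonstration only.
    """
    root = os.path.join(base, "#SharedObjects")
    sample = [
        ("ABC123/example.com/flash/prefs.sol", 120, SAMPLE_TIME),
        ("ABC123/example.com/tracker.sol", 2048, SAMPLE_TIME - 200 * 86400),
        ("ABC123/ads.example.net/id.sol", 512, SAMPLE_TIME - 400 * 86400),
        ("ABC123/example.com/readme.txt", 10, SAMPLE_TIME),  # not an LSO: must be ignored
    ]
    for rel, size, mtime in sample:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\x00" * size)
        os.utime(path, (mtime, mtime))
    return root


if __name__ == "__main__":
    roots = sys.argv[1:] or DEFAULT_ROOTS.get(sys.platform, [])
    for root in roots:
        inv = find_flash_cookies(root)
        print(f"{root}: {sum(len(v) for v in inv.values())} .sol file(s)")
        for domain, count, total, age in summarise(inv):
            print(f"  {domain:40} {count:3} file(s) {total:8} bytes  oldest {age:6.0f} days")
```

Run it with no arguments to scan the default store for the current platform, or pass one or more directories to scan instead. An object that survived a 'clear private data' pass shows up here with its age in days, which is exactly the gap between what the browser's controls cover and what is actually persisted on disk.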

Of the 54 web sites in the Berkeley study, only 4 sites mentioned the use of Flash cookies as a tracking mechanism in their privacy policies. If the use of Flash cookies without disclosure to users is as prevalent in the UK as in the US (and, moreover, if the UK Government are making use of Flash cookies as their US counterparts are), there may be cause for concern.

Under UK law, reg 6 of The Privacy and Electronic Communications (EC Directive) Regulations 2003 governs the confidentiality of communications. It states that an electronic communications network may not be used to store or gain access to information in the terminal equipment of a subscriber or user unless the subscriber or user of that terminal equipment:

1. is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and

2. is given the opportunity to refuse the storage of or access to that information.

The very nature of Flash cookies means that they are almost undetectable to the average user, making privacy self-help impossible except for the most sophisticated users. Users who do not know about Flash cookies are unlikely to have been given a reasonable opportunity to refuse the storage of information in such cookies. Further, web sites that fail to include the use of Flash cookies in their privacy policy may well be in breach of their obligation to provide ‘clear and comprehensive information’ about the storage and access of user information.

The Berkeley paper concluded that ‘a tighter integration between browser tools and Flash cookies could empower users to engage in privacy self-help by blocking Flash cookies. But, to make browser tools effective, users need some warning that Flash cookies are present. Disclosures about their presence, the types of uses employed and information about controls are necessary first steps to addressing the privacy implications of Flash cookies.’ It seems likely that the Information Commissioner would take a similar view of the issue.

As a result, UK web site operators using Flash cookies would be well advised to ensure their privacy policies are updated to explain the use of Flash cookies, and give users the opportunity to disable them.

Andrew Danson is an Associate in the Media, Communications and Technology Team at law firm Olswang. This article first appeared on the Datonomy blog at http://datonomy.blogspot.com/.