What is a Flash cookie and why should we worry?

Starting with the basics, what is a “Flash cookie” you ask?  They are files known as LSOs (local shared objects) installed on your browser by websites that use Adobe Flash. Similar to HTML cookies (hence the Flash cookie name), an LSO stores data such as graphics, usually for user convenience so graphics and video files load more rapidly upon a return visit.  Privacy concerns about Flash cookies have arisen because they store information about the websites you visit and can persist even after you opt-out of behavioral ad tracking or delete HTML cookies.  These persistant consumer tracking mechanisms have lead some commentators to conjure up a vision of the undead… tracking your online by naming these LSOs  Zombie cookies.

Although Flash cookies were identified by Wired Magazine in 2009 as an undisclosed privacy risk, until recently they were largely ignored.  At the same time, the online advertising industry, the Federal Trade Commission and U.S. Congress have worked to greatly increase consumer awareness of advertising that tracks consumers’ online activities. Several organizations, including the Network Advertising Alliance, provide tools to allow consumers to detect and opt-out of cookies found on their browsers.  The NAA provides a tool, but in most cases Flash cookies go undetected and are difficult to block. 

Now online ad networks that place Flash cookies have reason for concern. Yesterday the FTC announced charges against video ad network ScanScout. The complaint alleges that ScanScout deceptively claimed in its privacy policy that consumers could opt out of receiving ScanScout’s targeted ads by changing their computer’s web browser settings to block cookies.  But, because ScanScout uses Flash cookies, the persistant tracking mechanisms can not be blocked through browser settings.

Practice Tip:  Check your privacy policy often and ensure that it accurately depicts your website’s collection and use of private information, tracking technology,  and allows consumers to opt out of ALL of your tracking mechanisms.