If you use anything but standard browser cookies to identify unique your users or their devices, you should be aware of the latest privacy enforcement action from the FTC. The FTC brought action against ScoutScan, an ad network, for inaccurate disclosure about their use of Flash cookies. From the FTC’s release:
According to the FTC complaint, from at least April 2007 to December 2010, ScanScout’s website privacy policy discussed how it used cookies to track users’ behavior. The privacy policy stated, “You can opt out of receiving a cookie by changing your browser settings to prevent the receipt of cookies.” However, changing browser settings did not remove or block the Flash cookies used by ScanScout, the FTC charged. The claims by ScanScout were deceptive and violated the FTC Act, the complaint alleged.
Our takeaways:
- Make sure your disclosure is clear and precise. The FTC did not rule that Flash cookies or other non-cookie methods cannot be used. Rather, the FTC is signaling that if those methods are used, disclosure must be clear and precise about if and how users can control those methods. If you use Policymaker, our templates provide a good starting point for explaining the identification methods that you use.
- The principle isn’t limited to ad-network Flash cookies. The FTC’s action should be read to apply not only to Flash cookies, but also to any method used to identify a user, computer or device. Your disclosure should be precise if you store unique IDs through other means, like HTML5 storage, or if you use methods like UDIDs or device fingerprinting. Also, even though ScanScout is an ad network, the principle would seem to apply to any service or app that collects data.
- Be sure to qualify your third-party data collectors. The PrivacyChoice Tracker List keeps tabs on when ad companies use non-cookie methods to track users. If you give other companies access to your users through your app or site, check to see what methods they use and how they disclose it.