Cookies, FTC and Privacy – Why You Should Care About Them
Cookies have attracted lots of attention recently. I mean the tracking kind, not the edible kind in Christmas patterns and colors.
ScanScout, an on-line advertiser, recently settled a FTC enforcement action regarding the language in their privacy policy ("PP") about cookies. ScanScout's PP claimed that users could configure their browsers to block the cookies they use to gather information about users in order to send them targeted advertising. Turns out, however, the tracking cookies they were using were flash cookies that could not be blocked as stated. FTC found this to be deceptive and the enforcement action ensued.
What does this mean to you or your business?
Use of cookies
Consider not using flash cookies if you are currently doing so or considering so. Many people consider flash cookies deceptive and invasive. In fact, a primer on flash cookies by the Electronic Privacy Information Center shows that the breadth of information gathered by these cookies to probably be beyond the comfort zone of today's privacy-conscious consumers.
Have a Privacy Policy
Yes, it might be tempting to resolve this issue by simply not having a PP. After all, if you don't have a PP, you can't be found to be violating it right? Maybe, but you create other risks by deciding not to have a PP. First, consumers have increasingly shown themselves to be skeptical about having anything to do with websites that do not have privacy policies, so you might be losing business. Second, not having a PP will prevent you from using certain useful services (such as Google Analytics, which requires users to post a privacy policy) and conducting promotions or contests using many social media platforms.
Reference cookies practices in your Privacy Policy
Make sure that you have a full understanding of your cookies practices and that of any third party (such as Google Analytics) who provides apps or tools you use in your interface with users. Your PP should spell out exactly what cookies are used, whether they are persistent, whether you use flash cookies, how you use information gleaned from cookies (e.g. do you utilize information for targeted internal or external marketing), whether you share gathered information with third parties, and how users can block cookies (including providing a mechanism to block flash cookies - a key requirement of the ScanScout consent decree). Finally, if you use third-party services that utilize cookies, consider referencing the third-party service's cookies policy in your PP.
Finally, if you are going to be making any changes to your website privacy policy, make sure it is properly publicized to your clients, customers and/or users, ideally with a click-through mechanism where they must accept the new privacy policy before accessing your site.
What are your thoughts on use of cookies for marketing?
by E Hsu
Gloss