Savvy internet users know that their movements on the Internet are tracked by the use of “cookies” placed on their computers and used by marketing firms to study consumer patterns and target advertising.  They also think that their internet browsers are equipped to remove those cookies.

What many users—even vigilant users—do not know, is that Local Shared Objects, commonly known as “flash cookies,” can survive this deletion process and remain on their computers in perpetuity.  Some flash cookies are programmed to surreptitiously “re-spawn” when deleted by a user.  This “re-spawning” is done without the user’s knowledge and, arguably, outside the consent given under various end user agreements and privacy policies.  The flash cookies can result in the transmission of personally identifying information and other data useful to a marketer or retailer.

In August 2009, researchers at the University of California at Berkeley published an article that revealed the prevalent use of flash cookies by major websites.  The research showed that more than half of the sites sampled store user information through flash cookies.

U.S. consumers have fought back against the creators of flash cookies and their customers by filing class actions.  The following four complaints (Aguirre, LA, Valdez, White) (.pdf) all filed in the Central District of California, were brought under the federal Computer Fraud and Abuse Act and state privacy and computer statutes.  The complaints allege that the defendants installed flash cookies on users’ computers without their knowledge or consent, and that that the defendants then tracked and sold personally identifiable information about consumers (including health and financial information).

Flash cookies were discussed at the U.S. Federal Trade Commission’s second Privacy Roundtable discussion on January 28, 2010.  The FTC is expected to release its report this fall regarding the Privacy Roundtable discussions it hosted.