Flash in the pan?

Businesses have wised up that their customers are concerned about privacy. That’s why privacy promises, like any other claim you convey, have to be truthful. So when you describe how you use — and don’t use — people’s information, be sure to give them the straight story, avoiding steps that would undermine their privacy choices. That’s the nuts-and-bolts conclusion companies should draw from the FTC’s settlement with ScanScout, the first agency action addressing Flash cookies.

ScanScout is a video ad network that places ads on websites for advertisers and, in the process, tracks people’s online browsing so that those ads line up with the person’s interests. To do that, ScanScout puts cookies on people’s browsers. ScanScout told people they used cookies to collect browsing data and explained that users could opt out by altering the settings on their browsers to delete or block cookies. To quote the company’s privacy policy, “You can opt out of receiving a cookie by changing your browser settings to prevent the receipt of cookies.”

The problem, according to the FTC’s complaint, is that for a two-year period ScanScout actually used Flash local shared objects — also known as “Flash cookies.” In some ways, cookies and Flash cookies are similar: They both can be used to track a person’s browsing habits and serve up targeted ads. But there are important differences, too. ScanScout’s Flash cookies couldn’t be controlled through a computer’s browser. That meant that even if people followed the information they got from ScanScout and changed their browsers’ privacy settings to delete or block cookies, ScanScout’s Flash cookies were unaffected. ScanScout could still collect browsing data and serve targeted ads to people who thought they’d opted out. That, said the FTC, made ScanScout’s claims false and misleading.

If your business has an online presence — and these days, who doesn’t? — the ScanScout settlement offers a timely reminder to make sure what you say about your privacy practices lines up with what really happens to people’s information. You’ll also want to check out key provisions of the FTC’s order with the company:

► ScanScout can’t misrepresent its data collection practices or the extent to which people are able to control how their information is collected, used, or shared.

► ScanScout has to take steps to improve the transparency of what it does and consumers’ ability to control the collection of their data for online behavioral advertising. For example, ScanScout has to provide a mechanism consumers can use to opt out of getting targeted ads and has to honor that request for at least five years.

► Near the opt-out mechanism, ScanScout has to explain:

1. that it collects information about consumers’ online activities to deliver targeted ads;
2. that if people opt out, ScanScout won’t collect information to deliver targeted ads;
3. whether people are currently opted in or opted out of tracking;
4. and that if people switch browsers or devices or delete their cookies, they’ll have to opt out again.

► On its homepage, ScanScout has to place a clear and prominent notice with a hyperlink that says “We collect information about your activities on certain websites to send you targeted ads. To opt out of our targeted advertisements, click here.”

► In all its targeted display ads, ScanScout has to include a hyperlink that takes people to the opt-out mechanism and lets them know that clicking the hyperlink will give them choices about getting targeted ads. Because the technology to include a similar hyperlink in video ads isn’t quite there yet, ScanScout has to work to develop an effective method.

Looking for a plain-language explanation of cookies and what they do? Read Cookies: Leaving a Trail on the Web available at onguardonline.gov.