Flash cookies 2 – something to chew over

Following on from yesterday’s taster, this post looks at the UK-law issues surrounding the use of Flash cookies.

We are not aware of any reliable data on the prevalence of Flash cookie usage in the UK. However, a recent study by researchers at the University of California, Berkeley, USA (available here) found that 54 of the 100 most popular US websites used them. Of those 54 websites, only four mentioned the use of Flash cookies as a tracking mechanism in their privacy policies. Further, of six randomly selected US Government websites, three were using Flash cookies to retain the personal information of users.

If the use of Flash cookies without disclosure to users is as prevalent in the UK as in the US (and, moreover, if the UK Government are making use of Flash cookies as their US counterparts are), there may be cause for concern.

Regulation 6 of The Privacy and Electronic Communications (EC Directive) Regulations 2003 governs the confidentiality of communications and states that an electronic communications network may not be used to store or gain access to information in the terminal equipment of a subscriber or user unless the subscriber or user of that terminal equipment:

1. is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and

2. is given the opportunity to refuse the storage of or access to that information.

The very nature of Flash cookies means that they are almost undetectable to the average user, making privacy self-help impossible except for the most sophisticated users. Users who do not know about Flash cookies are unlikely to have been given a reasonable opportunity to refuse the storage of information in such cookies. Further, websites which fail to include the use of Flash cookies in their privacy policy may well be in breach of their obligation to provide “clear and comprehensive information” about the storage of, and access to, user information.

The Berkeley paper concluded that “a tighter integration between browser tools and Flash cookies could empower users to engage in privacy self-help by blocking Flash cookies. But, to make browser tools effective, users need some warning that Flash cookies are present. Disclosures about their presence, the types of uses employed and information about controls are necessary first steps to addressing the privacy implications of Flash cookies.” It seems likely that the Information Commissioner would take a similar view of the issue.

With thanks to Sophie Lalor-Harbord.
