The Cookie Directive

Have you ever clicked on a website or blog and found an advertisement there for one of your favorite stores? Coincidence? Probably not.

By Patricia Vowinkel

Through the use of flash cookies and other technologies, businesses are tracking the online behavior of consumers collecting information about the sites we visit and the things we buy and using that information to target their advertising.

While retailers and technology companies are at the forefront of this, other businesses are tracking customers as well. Utilities, for instance, are promoting the use of smart meters, which gather information about customer electricity use and send it to utility billing departments.

Welcome to the 'Big Data' Era (09/15/11)
The Hack Attack Worsens (08/01/11)
Beating Back the Breach (06/01/11)
How a Nonmedia Company Can Pretend to be a Media Company (06/01/11)
Finally Going Mobile (09/01/11)

The information that is being gathered by these companies can be put to good use by helping to connect us with the goods and services we actually want. These tracking practices can help to make our lives more convenient, but to get something you have to give up something and that's privacy. As more businesses track consumers, the practice is raising questions about what degrees of privacy invasion are acceptable.

These issues are beginning to attract the interest of both regulators as well as plaintiffs' attorneys and that is increasing the risk for companies that engage in these practices, said Ben Beeson, partner in the global technology and privacy risks practice at Lockton.

A new European Union directive, for instance, will require companies to obtain "explicit consent" from web users before they make use of cookies, which are installed on a computer when an individual visits a website and can be used to remember log-in details as well as to target advertising based on browsing history.

The "Cookie Directive" goes into effect on May 25, but the details about how companies are supposed to implement it are still unclear.

In the United States, a bill that allows consumers to opt out of online tracking efforts, the Do Not Track Me Online Act of 2011, was introduced by U.S. Rep. Jackie Speier in February.

At least 29 related class-action lawsuits have been filed in the United States in the last year, naming at least 39 companies as defendants, according to a January client bulletin from the Chicago-based law firm of Wildman Harrold. Consumers have expressed privacy concerns especially over the use of flash cookies, which are not stored in browsers that consumers can see or control, according to the bulletin.

These lawsuits and the activity that arises out of them will be one of the big data security and privacy stories of 2011, said Dave Navetta, a Denver-based attorney who specializes in privacy issues with Information Law Group. Recent settlements have included an $8.5 million settlement for a class-action lawsuit by Gmail users over privacy violations related to Google Buzz and a $9.5 million settlement of a class-action lawsuit alleging privacy violations by Facebook's Beacon program. As a result of these settlements, Navetta said, it is likely that privacy related lawsuits will become more attractive to the plaintiffs' bar.

For most companies today, data breaches are still the primary concern when it comes to computer security. But privacy risk is an emerging issue that will require increased attention.

The technology has opened up new possibilities, but businesses that track consumer behavior are entering into uncharted territory, as the laws and regulations that delineate the boundaries between what is acceptable and what is not are still evolving.

PATRICIA VOWINKEL has worked for national media outlets for more than 20 years.

May 1, 2011

Newsletter Sign-up