• by Wendy Davis  @wendyndavis, January 14, 2010

Web users are not yet deleting Flash cookies as often as they shed more traditional cookies, but that doesn't mean it's a good idea to use Flash technology to track consumers online. That's according to a new report commissioned by media audit company BPA Worldwide.

The report, authored by analytics expert Eric Peterson, warns that the use of Flash cookies, also called "local shared objects," to override consumers' choices could invite new privacy laws. "With the attention given to consumer privacy on the Internet at both individual and governmental levels, we believe that companies making inappropriate or irresponsible use of the Flash technology are very likely asking for trouble, (and potentially putting the rest of the online industry at risk of additional government regulation)," writes Peterson, CEO and principal consultant at Web Analytics Demystified.

Several years ago, Peterson shook up the online ad industry with a report that around 40% of Web users deleted their cookies at least monthly. Before that research was published, many industry observers assumed that relatively few people trashed cookies.

Peterson's study about cookie deletions helped fuel searches for new tracking technologies that would prove more permanent than traditional cookies. Some companies began hailing Flash cookies -- which were initially developed to store users' preferences for Flash-based applications like online video players -- as a potential tracking tool.

Flash cookies are not stored in the same place as HTTP cookies, which means that users who tell their browsers to delete cookies aren't getting rid of Flash cookies. Users can erase Flash cookies through other means, including at Adobe's online controls. But at this point, few people appear to be aware that Flash cookies even exist.

The use of Flash cookies appears to have grown in recent years. Researchers at UC Berkeley reported last summer that 54 of the top 100 sites set Flash cookies, while 31 of them stored similar information on Flash cookies as on HTTP cookies. At those sites, even if users delete their HTTP cookies, they can be reconstructed based on information on the Flash cookies. What's more, Berkeley researchers found that at least one company was using a Flash cookie even when users had opted out of tracking through the Network Advertising Initiative's opt-out cookie.

Peterson recommends that Web sites that use Flash cookies disclose their existence in privacy policies, make sure consumers can easily opt out of tracking via Flash cookies, and also refrain from using such cookies to override consumers' preferences.

Jules Polonetsky, director of the think tank Future of Privacy Forum, says he supports Peterson's recommendations, but would go one step further. He says that companies also should refrain from using Flash cookies for tracking, given that most consumers don't know about the technology. "To use a mechanism that most users are unaware of to track them is extremely poor privacy behavior," Polonetsky says.

Erica Newland, a policy analyst at the watchdog group Center for Democracy & Technology, agrees. "Right now the use of local shared objects do not align well with consumer expectations," she says. "No matter how they're implemented, we think these pose additional privacy concerns."