• by Wendy Davis , Staff Writer @wendyndavis, August 16, 2010

One year ago, researchers at the UC Berkeley School of Law called attention to a relatively new privacy threat: Web companies' surreptitious use of Flash cookies.

While Flash cookies can have entirely legitimate uses -- like remembering users' preferences for Flash-based applications like online video players -- some companies have been using such cookies to store the same type of information that's normally found on HTTP cookies. With this type of data, Flash cookies can be used to reconstruct deleted HTTP cookies, effectively thwarting consumers' attempts to prevent tracking.

Flash cookies are stored in a different place from HTTP cookies, which makes deleting them complicated -- though by no means impossible. For instance, users who want to shed Flash cookies can do so via Adobe's online controls. But the problem for users who don't like tracking is that many aren't aware that Flash cookies even exist, let alone how to delete them.

After the Berkeley paper was published, government officials and others criticized the use of Flash cookies to circumvent users' privacy settings. Such complaints shouldn't have been a surprise. After all, it seems fairly obvious that companies should have known that consumer protection advocates would look askance at efforts to get around users' privacy choices.

Now, two potential class-action lawsuits also have been filed about the use of Flash cookies. The first, filed last month, names Quantcast as a defendant along with a host of Web companies including ABC, MySpace, ESPN, Hulu, JibJab Media, MTV, NBC Universal and Scribd.

The second lawsuit, filed last week in federal district court in the Central District of California, targets Clearspring and publishers who allegedly used its widget, including Walt Disney, Warner Brothers Records, and Demand Media. This case alleges that using Flash cookies to recreate HTML cookies "unfairly wrests control from users who choose to delete their cookies in order to avoid being tracked."

"Plaintiffs and the class members did not voluntarily disclose their personal and private information, including their Internet surfing habits, to defendants -- and indeed never even knew that defendants existed or conducted data collection and monitoring activities," the lawsuit alleges.

But, as problematic as the alleged data collection practices are, these types of lawsuits are notoriously hard to win given that in many cases consumers can't show they suffered any tangible harm as a result of an alleged privacy breach. Still, the publicity over the allegations could in itself lead some companies to reexamine some of their more questionable practices.