Website analytics firm KISSmetrics and more than 20 of its customers, including Spotify, AOL's About.me, Slideshare.net, Spokeo and the news site Gigaom.com were sued Monday on the grounds that KISSmetrics' tracking technology violated federal and state privacy laws.
The suit (.pdf), filed in a federal court in Northern California, is seeking class-action status and unspecified damages.
At issue are methods KISSmetrics used -- first reported by Wired.com -- to track users who have deleted their cookies. The company juggled a variety of other technologies including Flash, Silverlight, HTML5 and so-called ETags in cached browser files to place and read unique identifiers.
The suit was filed by a group of lawyers, including Scott Kamber, who already filed suit against Hulu and KISSmetrics on Friday, the same day a U.C. Berkeley report said those companies were re-creating cookies after users deleted them.
Sometime over the weekend, KISSmetrics published a longer privacy policy, and changed the "How It Works" page on its website to reveal that the company would stop using ETags. "As of July 30, 2011 KISSmetrics uses standard first-party cookies to generate a random identity assigned to visitors to our customers sites," the new text promises. "This identity by itself does nothing." The company added in a separate privacy policy for end-users that users can now set an opt-out cookie that excludes them from tracking entirely -- as one can do with many online advertising companies and some analytics companies.
KISSmetrics founder Hiten Shah told Wired.com that KISSmetrics was very respectful of privacy and that it's hardly the only site on the net to use ETags as cookie replacements.
"KISSmetrics has never shared any information about a user with any third party, including with any customer other than the one that interacted with that user," Shah said via e-mail. "Our business model is uniquely pro-privacy precisely because our tools enable insights without sharing any user information across websites and without developing or storing user profiles across sites, and that for this reason, KISSmetrics offers key differences from third parties that link up user data across the Internet."
But the lawsuit has a different take.
"Defendants circumvented Plaintiffs and Class Members browser privacy controls, conducted tracking in unreasonable and unexpected way, and used Plaintiffs and Class Members’ Computer Assets to store LSOs [Local Storage Objects, or cookie-like files in Flash] and engage in other tracking exploits....", the suit alleged. "Defendants did so knowing Plaintiffs and Class Members’reasonably believed their privacy was protected."
UPDATE: Shah responded to the suit itself, saying:
A similar set of suits were filed in 2009, after U.C. Berkeley researchers uncovered "zombie cookies" being used on some of the net's top sites, including Hulu, thanks to technology from Quantcast and Clearspring. Those suits were settled for $2.4 million and a promise from the two providers never to use that technology again.
Those companies' clients were largely spared in the settlement and agreed only to disclose in their privacy policy if they were using Adobe Flash's storage capability. They also agreed to provide a link in the policy for users who wanted to block that storage.
When asked about the suit, Spotify told Wired.com that it used KISSmetrics to "help us understand customer registration and purchase flow, and to make the process of using our website as easy as possible for users," and that it takes privacy seriously.
"Following the recent report raising concerns around KISSmetrics’ treatment of cookies, we took immediate action to suspend our use of KISSmetrics and began a thorough investigation," spokeswoman Alison Bonny said. "Spotify can confirm that it has never had the ability to see or use any customer information from KISSmetrics’ other clients. Kissmetrics has assured us that none of its other clients have had the ability to see or use information about Spotify's customers."
Kissmetrics and GigaOm did not immediately respond to requests for comment on the suit. UPDATE 8/3 8:15 PM Pacific: GigaOm CEO Paul Walborsky responded in a blog post, calling the allegations are based on "misinformation" but added that the company "suspended the use of it on our site while we investigate the claims." /UPDATE
The other companies named in the suit are BabyPips, Moo.com, RavenTools, Shoedazzle, 8tracks.com, Hasoffers.com, Kongregate.com, Livemocha.com, Rockettheme, RunKeeper, SEOMoz, Sharecash.org, visual.ly, Condueit (wibiya.com), and Flite (widgetbox.com).
Photo Credit: Yuan2003
See Also:- Web-Analytics Firm KISSmetrics Reverses Course on Sneaky Tracking
