About a year ago, a study by University of California Berkeley researchers found that many websites were using so-called “zombie” cookies that re-spawn even when a user tries to delete them. This issue is not unique to computer based browsers; similar zombie cookies are found on mobile browsers, i.e., internet browsers on iPhones and iPads. These zombie cookies take advantage of HTML5 code that allows more storage directly on the user’s computer. In other words, websites can store more information directly on your computer, which can be beneficial in many ways. However, these zombie cookies raise significant privacy concerns because a user cannot effectively clear out his cookies and prevent advertising companies from tracking his online activities.
Thus, in response to these cookies, two potential class-action lawsuits have recently been filed in California against companies that use these zombie cookies. One was filed against companies that use zombie cookies on computer browsers, the other was filed against companies that use zombie cookies on mobile browsers. Both lawsuits claim, among other things, that the defendants violated 18 U.S.C. § 1030, the Computer Fraud and Abuse Act (“CFAA”), by accessing computers without authorization or in excess of that authorization.
One potential hurdle to recovery under the CFAA is that subsection (g) allows a civil lawsuit only if the defendant’s actions that violated the CFAA and the actions caused: (1) loss to at least one person aggregating to at least $5000, (2) potential or actual modification or impairment of a medical examination, (3) physical injury to any person, (4) a threat to public health or safety, or (5) damage affecting a computer used by the US government for national security, national defense, or in the furtherance of justice. Class certification might make showing that there was a loss of over $5000 easier. Nevertheless, it will likely be difficult to demonstrate how these zombie cookies caused more than $5000 in damages to the plaintiffs in these lawsuits.
Regardless of whether these lawsuits are eventually successful, these zombie cookies give internet users less control over what information they send out via the internet. Someone dedicated to deleting cookies and thereby preventing advertising companies from tracking his internet browsing will be frustrated by these zombie cookies. Furthermore, it is common for internet users to delete their cookies every once in a while to protect their privacy, and this will be much more difficult to do with cookies that re-spawn after they are deleted. While cookies are not inherently bad, internet users need to be cognizant of the information that they are sharing over the internet, and zombie cookies makes it harder to track the information you send out over the internet.