By Jon Hood

A class action lawsuit alleges that a high-profile widget website is using Flash-based cookies to track the activity of users all over the web.

The suit, filed last week in a California federal court, alleges "a pattern of covert online surveillance" by Clearspring, which provides web widgets to major websites. Several of those sites -- including Walt Disney, Warner Brothers Records, and Demand Media -- are also named as defendants.

According to the suit, Clearspring targets web surfers who visit affiliate sites and sets a tracking device in those users' Flash players. According to the suit, when users try to clear their browser cookies, the Flash player restores them, allowing Clearspring to "harvest ... consumers['] personal information for online marketing activities."

The suit cites an academic report from UC Berkeley confirming the plaintiffs' allegations. The report, entitled "Flash Cookies and Privacy," describes the practice of using Flash to revive cookies that users thought they had deleted:

"We found that top 100 websites are using Flash cookies to 'respawn,' or recreate deleted HTTP cookies. This means that privacy-sensitive consumers who 'toss' their HTTP cookies to prevent tracking or remain anonymous are still being uniquely identified online by advertising companies."

No warning

The suit also claims that Clearspring's affiliates fail to warn consumers of the practice, leaving them completely unaware that their every online action is potentially being tracked. Further, the suit alleges that the affiliates' "privacy documents omit entirely the actual identity of [their] association with Clearspring," leaving consumers in the dark as to the extent of the connection between the two companies.

That allegation is also backed up by the Berkeley study, which found that "[f]ew websites disclose their use of Flash in privacy policies."

The suit also points to a statement from Adobe, which owns Flash, condemning the alleged practice unless providers can show "user knowledge and express consent."

The plaintiffs allege that Clearspring's practice compromises private and potentially damaging consumer information. Several of the named plaintiffs are minors, and one plaintiff who suffered from depression visited a health-related website to obtain information on the disorder. According to the complaint, the computer activity log recorded that user's name and eight-digit computer ID number.

The complaint charges Clearspring with trespass, unjust enrichment, and violation of several California consumer protection statutes, including the California Computer Crime Law and the California Invasion of Privacy Act. In addition to damages, the suit requests an injunction ordering that Clearspring delete all confidential data and allow future consumers to decline participation in the alleged scheme.