Online Analytics Firm Settles Suit Over Unstoppable User Tracking

A screenshot of a “cookie” hidden in the browser cache.

KISSmetrics, a popular tool for websites to monitor who is using their site, has agreed to settle a lawsuit accusing the company of using shady techniques to recreate cookies after users deleted them and track users who blocked cookies.

The company was sued in August 2011, just after reported on research into the company’s practices by UC Berkeley researchers including Ashkan Soltani. The suit, brought on behalf of John Kim and Dan Schutzman, accused the company of violating California and federal anti-hacking laws and misappropriating their personal information for profit.

In the proposed settlement, the two plaintiffs will split $5,000, while their lawyers will get 100 times as much: more than $500,000 in legal fees for work billed at rates ranging from $350 to $580 per hour. Though the original lawsuit included KISSmetrics clients, such as Spotify and AOL, these companies were dismissed from the suit in the spring.

There’s no payout for the general public. Instead, the public will have to be satisfied that KISSmetrics largely agrees not to use sneaky methods to track users any more — unless users are given notice and a choice. Those methods include using JavaScript, HTML5, Flash and browser caches to store copies of a cookie’s unique ID in order to re-create it if the cookie was deleted.

KISSmetrics’ tracking techniques worked even if a user had cookies turned off and private browsing mode turned on. The company’s tracking code included one function with the damning name “cram cookie.”

KISSmetrics’ founder Hiten Shah initially defended the practice, telling Wired there was nothing illegal about the techniques it was using.

“We don’t do it for malicious reasons. We don’t do it for tracking people across the web,” Shah said in July 2011. “I would be having lawyers talk to you if we were doing anything malicious.”

— one of KISSmetrics’ clients in 2011 — faces a separate lawsuit, as it had been previously busted using Flash cookies and promised in a settlement not to do it again.

KISSmetrics did not, however, admit guilt in the proposed settlement, which awaits approval from a federal court judge.