The FTC has successfully prosecuted others on this same topic. In 2007, it for quietly bundling its adware along with affiliates' software that users thought they were downloading all by itself. In 2011, the FTC prosecuted online-ad company Chitika for expiring users' opt-out cookies after only 10 days, allowing the company to then place new ad cookies on users' computers.

The lesson in all of these cases is to manage your cookies transparently and consistently with users' previously expressed choices and settings.

The most likely reason the FTC will prosecute a company is substandard information security. The FTC has been routinely prosecuting cases in this area for years, in part because such cases are relatively easy to process. Usually, a data breach has occurred that causes a company to send out breach-notification letters. These letters and subsequent press reports give details about the company's security flaws. All the FTC then has to do is determine if the company took steps to assess its vulnerability to such a breach and then to follow up with readily available and affordable measures to prevent the breach.

Companies falling under the FTC's scrutiny in this area have included , Ceridian, Geeks.com, Life Is Good, Goal Financial, ValueClick, Reed Elsevier, TJX, Petco and BJ Wholesale. The FTC also coordinated with the U.S. Department of Health and Human Services on information-security investigations of Rite Aid and CVS Caremark.