The online analytics firm KISSmetrics quietly overhauled its web tracking methods over the weekend, and is now permitting users to block its surveillance, in a hurried response to a report slamming the company for using sneaky techniques to track web users who visit some of the biggest sites on the net.

The 17-person Bay Area startup made the changes after two of its highest profile customers — Hulu and Spotify — suspended their use of the service on Friday in light of the research and the Wired.com story that was first to report it. Separately, Hulu and KISSmetrics were also sued in federal court Friday for allegedly violating federal privacy laws, first reported by Online Media Daily.

One of the issues was a tracking technique that bypassed traditional cookies by storing unique identifiers in temporary documents that browsers use to speed website rendering. These so-called ETags acted just like cookies, even if users erased or blocked traditional cookies.

Sometime over the weekend, KISSmetrics published a longer privacy policy, and changed the “How It Works” page on its website to reveal that the company would stop using ETags. “As of July 30, 2011 KISSmetrics uses standard first-party cookies to generate a random identity assigned to visitors to our customers sites,” the new text promises. “This identity by itself does nothing.” The company added in a separate privacy policy for end-users that users can now set an opt-out cookie that excludes them from tracking entirely — as one can do with many online advertising companies and some analytics companies.

That change contrasts sharply with the company’s initial response, which was to tell Wired.com that the persistent tracking and cookie re-spawning was legal, and then to tell users that if they wanted to stop the tracking they could install a browser add-on called AdBlock Plus.

KISSmetrics’ reversal comes against a backdrop of federal regulators, browser makers, privacy activists and ad tracking companies trying to define what tracking actually is and whether it should be regulated.

Following a series of stories in the Wall Street Journal, several key lawmakers introduced privacy protection bills earlier this year, though with Congress’ priorities elsewhere, they lack the momentum to pass anytime soon. In December, the FTC called on browser-makers to add a “Do Not Track” setting that essentially lets users tell websites to leave them alone — though it’s less like a shield and more like a “privacy, please” sign on a hotel door. One of the big questions surrounding Do Not Track is about web analytics software, which sites use to determine what’s popular on their site, how many unique visitors a site has a month, where users are coming from, and what pages they leave from.

While KISSmetrics seemed to be busy over the weekend changing its privacy policy and code, there was no mention of the changes on its Twitter feed. Wired.com asked founder Hiten Shah Monday morning for comment, which he said would be coming soon. But as of press time, Shah had not responded to that e-mail or a follow-up.

Ashkan Soltani, one of the lead researchers on the Berkeley study, wasn’t impressed with the changes, calling it “privacy whitewashing.”

“They are trying to figure out a way to weather the storm,” Soltani said.

Moreover, he added that the research covered only the top 100 websites, and that there were likely many more examples of invasive tracking in the top 1,000 and in the seedier portions of the internet, particularly porn sites.

“I’m not getting paid to do this,” Soltani said. “The FTC is not sitting around looking for this — there is no one sitting around watching. Unless there are clear policies around what tracking is legitimate, companies will continue to push the envelope.”

This is the second time that Soltani’s been part of a Berkeley team that looked at how the top 100 websites were using cookies. In 2009, a similar study found that a number of top websites, including Hulu, were using tracking companies Quantcast and Clearspring to re-create cookies that users deleted. In a settlement of a subsequent lawsuit, those two companies agreed to stop using that method, but their customers — including Hulu — only agreed that if they started doing that on their own, they’d note it in their privacy policies.

But this time around, according to Soltani, Hulu wasn’t just hiring a company to do intensive tracking. Hulu itself was running its own script that used so-called Zombie cookies stored inside Flash, which is needed to play back videos.

The incident might also play into a growing concern in D.C. over online tracking.

Those who wish to opt-out of online tracking have a range of tools they can use, ranging from blocking cookies and clearing their caches, using browsers’ ‘incognito’ modes, and trying ad-ons and browser tools such as Better Privacy, Tracking Protection Lists, Ghostery and Abine, among others.