FTC Orders Company That Used Verizon ‘Supercookies’ To Disclose Terms, Provide Opt-Out


A couple of years ago, Verizon caught a lot of heat for a very sneaky practice: the company was inserting a unique, permanent piece of code into all the web traffic on your phone, without user consent, so that a third party could track your every digital move for advertising purposes. After a public outcry, Verizon finally stopped, and settled with the FTC… but that third party remained a loose thread in the story. Until now.

The news about the trackers broke nearly two years ago, in early 2015.

In summary, the supercookie is a little header, invisible to you, that Verizon appends to all web traffic coming out of your phone. The tracker, called a UIDH (unique ID header), is consistent and permanent.

Unlike with regular site tracking code, clearing out your cookies and upping your privacy settings does nothing about supercookies. And they build a comprehensive, unique, entirely trackable history of basically everything you’ve ever Googled or visited on your phone.

After a ProPublica investigation brought the tracking tech to light, the advertising clearinghouse that used them — Turn, Inc — said it would stop using them for the time being.

Consumers gained the ability to opt out of the program a few months later, in April 2015.

Around the same time, the FCC began an investigation into the supercookies. Verizon and the FCC settled that case this March, with Verizon paying a $1.35 million fine and promising to notify consumers about tracking and make the sharing of that data an opt-in program.

Meanwhile, in a separate action, the FTC filed a complaint [PDF] against Turn, the third party receiving and using all that juicy user data.

The FTC complaint claims that while Turn was using the UIDH data to target and identify users, its privacy policy said otherwise. The policy, as quoted in the complaint, only mentioned standard web-tracking cookies and web beacons — not the permanent tracking cookie.

Doing something with user data that you don’t disclose in your privacy policy is a big no-no, so that’s where the FTC was able to come in.

Under the terms of the consent order [PDF], Turn basically agrees to stop misrepresenting itself to consumers. In the future, its privacy policy must be accurate about the extent of its online tracking and consumers’ ability to opt out.

And speaking of that opt-out, Turn also must provide an “effective” opt-out for anyone who doesn’t want their data tracked and used. And it has to make its new disclosure a “prominent hyperlink” on its home page.

The FTC voted 3-0 to accept the consent agreement; the public has until Jan. 19, 2017 to file a comment on it.