For years Verizon Wireless has been inserting unique identifier headers (UIDH) – known as “supercookies” – into its customers’ mobile Internet traffic. Customers weren't asked or informed.
These headers were used to target specific ads to specific consumers. Verizon used the data in its own advertising programs and marketed the data to third parties.
After a Federal Communications Commission (FCC) investigation, Verizon has agreed to obtain customers’ opt-in consent before sharing this information with third parties, and will obtain customers’ opt-in or opt-out consent before using it within the Verizon corporate family.
“Consumers care about privacy and should have a say in how their personal information is used, especially when it comes to who knows what they’re doing online,” FCC Enforcement Bureau Chief Travis LeBlanc said in a statement. “Privacy and innovation are not incompatible. This agreement shows that companies can offer meaningful transparency and consumer choice while at the same time continuing to innovate.”
The investigation began in late 2014. The issue at hand was whether Verizon Wireless failed to appropriately protect customer proprietary information and whether it provided the proper disclosures.
The investigation found that Verizon Wireless began inserting UIDH into consumer Internet traffic as early as December 2012, but didn't disclose it was doing it until October 2014.
Verizon Wireless tried to assure regulators that the third-party companies that were getting the information were unlikely to use it to build profiles on Verizon Wireless customers. But just over a year ago there were news reports that one of these partners used the data for unauthorized purposes – restoring cookie IDs that users had cleared from their browsers.
$1.35 million fine
Under the terms of the settlement with the FCC, the company must pay a fine of $1.35 million and adopt a three-year compliance plan.
The company must abide by Section 222 of the Communications Act, which requires carriers to protect their customers’ proprietary information and use such information only for authorized purposes. It also expressly prohibits carriers that obtain proprietary information from other carriers for the provision of telecommunications services to use such information for any other purpose.
The settlement is the second of the agency's Open Internet enforcement actions. Last June it proposed a $100 million fine against AT&T Mobility for misleading its customers about the data speed limits on its so-called “unlimited” mobile data plans.