Verizon Fined $1.35M in Supercookie Ad Tracking Case

The FCC levied the fine to punish Verizon for sending undeletable data supercookies to more than 100 million customers from 2012 until 2014.

Verizon, supercookies, FCC, privacy, data security, tracking cookie, UIDH

Verizon has been fined $1.35 million by the Federal Communications Commission for using special data headers, or "supercookies," to target ads to millions of its mobile customers from 2012 to 2014.

The fine, which was announced by the FCC on March 7, resulted from an investigation the agency conducted into the practice after critics complained about the practice about three years ago.

The unique identifier headers (UIDHs), or supercookies, were inserted into the mobile Internet traffic of Verizon customers without their knowledge or consent to deliver targeted ads from Verizon and third parties, according to the FCC. Under the settlement with the agency, Verizon has agreed to notify consumers about its targeted advertising programs and will obtain opt-in consent from its customers before sharing UIDHs with third parties or within Verizon, the settlement states.

"Consumers care about privacy and should have a say in how their personal information is used, especially when it comes to who knows what they're doing online," FCC Enforcement Bureau Chief Travis LeBlanc said in a statement. "Privacy and innovation are not incompatible. This agreement shows that companies can offer meaningful transparency and consumer choice while at the same time continuing to innovate. We would like to acknowledge Verizon Wireless's cooperation during the course of this investigation and its willingness to make changes to its practices for the benefit of its customers."

Verizon later created an opt-in process for supercookies for its customers in March 2015 after several privacy advocates criticized the program because it previously did not allow customers to avoid participating in the ad tracking efforts, according to an earlier eWEEK story. The supercookie controversy even attracted the attention of four U.S. senators at the time, who asked the FCC and the Federal Trade Commission to look into the practice to determine if it intruded on the privacy of consumers.

Back in October 2014, Verizon denied that the ad program intruded on the privacy of its customers, according to an earlier eWEEK report.

The FCC's Enforcement Bureau, however, began an investigation into Verizon's use of supercookies in December 2014. The agency was looking at whether Verizon failed to protect customer data and failed to disclose the use of such cookies in violation of the FCC's 2010 Open Internet Transparency Rule and Section 222 of the Communications Act, the agency said.

"The Bureau's investigation found that Verizon Wireless began inserting UIDH into consumer Internet traffic as early as December 2012, but failed to disclose this practice until October 2014," the agency reported.

Verizon acknowledged its use of the UIDH data, but initially said that it was unlikely to be used by third parties, according to the FCC. The company later changed its position "and committed to work with its partners to address the issue."

In addition to paying a $1.35 million fine, Verizon must also create and meet a three-year compliance plan to prevent similar practices, the agency stated.

Section 222 of the Communications Act requires mobile carriers to protect their customers' proprietary information and use such information only for authorized purposes.

Verizon's unique identifying headers had been inserted into the mobile data transmissions of customers as part of the company's Relevant Mobile Advertising program. The intent of the ad program, according to Verizon, was not to intrude on privacy but to customize ads to users based on what they searched for online using their mobile devices. The codes and the information collected from customers did not identify customers, according to Verizon.

Critics, however, insisted that the UIDH codes could allow Web servers to build profiles of users through their mobile devices. Verizon had been using the UIDH data, which is dynamic and changes often on users' devices, since late 2012.

In November 2014, AT&T dropped its own similar experiment with phone-tracking tags that gave users unique identifiers, even if the users had opted out of mobile ad-tracking services, according to a previous eWEEK report. That controversial tracking program had also been criticized by privacy advocates, who argued that tracking user information even if users opted out of the tracking was not fair. The AT&T testing was built around a numeric code that changed every 24 hours on mobile devices and was used to help serve ads on an anonymous basis, similar to a cookie in online advertising. The testing was completed by AT&T at the time and was removed from the company's mobile network, according to the report.

The tracking tags, which were also known as "perma-cookies," had allowed Internet sites to track a specific mobile phone and create a database of information about what the user of the phone was doing, such as looking for sports scores or searching for restaurants or shops.