Verizon Fined $1.3M Over Use of ‘Supercookies’

The FCC says the largest U.S. cell provider failed to disclose it was injecting tracking code into web traffic to serve advertisers.
Matthew Heller | March 7, 2016

Verizon Wireless has agreed to pay $1.35 million to settle charges that it violated consumers’ privacy by inserting powerful tracking code into their web browsing to deliver targeted ads for marketers.

The Federal Communications Commission said Monday that Verizon began using Unique Identifier Headers (UIDH), also known as “supercookies,” as early as December 2012 but failed to disclose the practice until October 2014. Privacy advocates have warned that other companies, or even intelligence agencies, could hijack the code for their own purposes.

According to the FCC, at least one of Verizon Wireless’s advertising partners used UIDH to circumvent consumers’ privacy choices by restoring deleted cookies.

As part of a settlement with the FCC, Verizon must pay $1.35 million and will only be able to use the tracking mechanism when users connect to Verizon’s corporate family of services unless the company gets customers’ opt-in consent.

“Consumers care about privacy and should have a say in how their personal information is used, especially when it comes to who knows what they’re doing online,” FCC Enforcement Bureau Chief Travis LeBlanc said in a news release.

Re/Code said it was important for Verizon that it has the option of letting consumers opt out or requiring their consent for its own use of UIDH. “The FCC is allowing Verizon to collect and use a tremendous amount of data in conjunction with its own websites,” Re/Code noted.

The FCC began an investigation of Verizon Wireless in December 2014 after media reports raised privacy concerns about its use of the code, which is injected into web traffic as it flows across the internet but persists across browsing sessions and can’t be deleted by wiping a browser’s history, in effect making it impossible to opt out.

At the time, Verizon downplayed the concerns, but researcher Jonathan Mayer discovered that an online advertising company called Turn was using the code to help follow people around online.

The enforcement action against Verizon suggests the FCC is being more aggressive in protecting online privacy, Re/Code said.