The Federal Communications Commission today announced a settlement resolving an investigation into Verizon Wireless’s practice of inserting unique identifier headers or so-called “supercookies” into its customers’ mobile Internet traffic without their knowledge or consent. These unique, undeletable identifiers – referred to as UIDH – are inserted into web traffic and used to identify customers in order to deliver targeted ads from Verizon and other third parties. As a result of the investigation and settlement, Verizon Wireless is notifying consumers about its targeted advertising programs, will obtain customers’ opt-in consent before sharing UIDH with third parties, and will obtain customers’ opt-in or opt-out consent before sharing UIDH internally within the Verizon corporate family.
“Consumers care about privacy and should have a say in how their personal information is used, especially when it comes to who knows what they’re doing online,” said FCC Enforcement Bureau Chief Travis LeBlanc. “Privacy and innovation are not incompatible. This agreement shows that companies can offer meaningful transparency and consumer choice while at the same time continuing to innovate. We would like to acknowledge Verizon Wireless’s cooperation during the course of this investigation and its willingness to make changes to its practices for the benefit of its customers.”
In December 2014, the FCC’s Enforcement Bureau launched an investigation into whether Verizon Wireless failed to appropriately protect customer proprietary information and whether the company failed to disclose accurate and adequate information regarding its insertion of UIDH into consumer Internet traffic over its wireless network, in violation of the FCC’s 2010 Open Internet Transparency Rule and Section 222 of the Communications Act. The Bureau’s investigation found that Verizon Wireless began inserting UIDH into consumer Internet traffic as early as December 2012, but failed to disclose this practice until October 2014.
After acknowledging its use of UIDH, Verizon Wireless asserted that third-party advertising companies were unlikely to use these so-called “supercookies” to build consumer profiles or for any other purpose. In January 2015, however, news reports claimed that a Verizon Wireless advertising partner used UIDH for unauthorized purposes – restoring cookie IDs that users had cleared from their browsers by associating them with Verizon Wireless’s UIDH, in effect overriding customers’ privacy choices. The following month, Verizon Wireless acknowledged the concerns raised by these news reports and committed to work with its partners to address the issue.
Under the terms of the settlement, the company must also pay a fine of $1,350,000 and adopt a three-year compliance plan.
Section 222 of the Communications Act imposes a duty on carriers to protect their customers’ proprietary information and use such information only for authorized purposes. It also expressly prohibits carriers that obtain proprietary information from other carriers for the provision of telecommunications services to use such information for any other purpose. Section 8.3 of the Commission’s rules, known as the Open Internet Transparency Rule, requires every fixed and mobile broadband Internet access provider to publicly disclose accurate information regarding the network management practices, performance, and commercial terms of its broadband Internet access services sufficient for consumers to make informed choices regarding use of such services and for content, application, service, and device providers to develop, market, and maintain Internet offerings.
Today’s settlement represents the second Open Internet enforcement action taken by the FCC. In June 2015, the FCC proposed a $100 million fine against AT&T Mobility for misleading its customers about the data speed limits on its so-called “unlimited” mobile data plans.
The Verizon Wireless Order and Consent Decree are available at: https://apps.fcc.gov/edocs_public/attachmatch/DA-16-242A1.pdf.