Acting Attorney General John J. Hoffman announced today that six states, led by New Jersey, have entered into a $750,000 settlement agreement with digital advertising company PointRoll, Inc. that resolves the States’ investigation concerning whether the company violated consumers’ privacy by unlawfully circumventing the privacy settings in Apple Inc.’s Safari Web browsers.
PointRoll is a digital ad and technical services company owned by the Gannett Corp. New Jersey and the other participating states allege that it unlawfully deployed a browser circumvention technique that allowed it to place browser cookies on consumers’ Safari Web browsers despite privacy settings configured to “block cookies from third-parties and advertisers” or, alternatively, set to “accept cookies” from “visited sites” (with respect to Safari browsers on Apple iPhones and iPads) between December 13, 2011 and February 15, 2012. Cookies are small files set in Internet users’ Web browsers that allow advertisers to gather information about those users including, depending on the type of cookie, their Web surfing habits.
New Jersey, which has civilly prosecuted numerous high-profile cyber-privacy cases, including one that resulted in a $1 million settlement with on-line gaming company E-Sports Entertainment, led the multi-state Executive Committee that investigated PointRoll. The State’s share of the settlement is approximately $200,000, which will be used to fund consumer protection initiatives.
“We take very seriously the issue of Internet privacy, and are committed to upholding laws intended to protect New Jersey consumers when they are on-line,” said Acting Attorney General Hoffman.
“Today’s settlement with PointRoll should serve as a reminder that we will not tolerate conduct that involves circumventing browser privacy settings without the consumer’s knowledge or consent,” Hoffman said. “People have every right to surf the Web without fear that businesses are employing technical tricks to bypass their privacy settings.”
In addition to paying New Jersey and the other participating states, PointRoll must do the following under the multi-state settlement:
- Not take action to override an Internet browser’s cookie-blocking settings configured by user choice or by default.
- Not misrepresent or omit material facts concerning the purposes for which it collects and uses consumer information, or the extent to which consumers may exercise control over the collection, disclosure or use of such information.
- Implement a Privacy Program within six months that includes employee training on the importance of user privacy, as well as the duty of PointRoll employees to help maintain it. The Privacy Program is also to include annual internal assessments of the effectiveness of the Privacy Program’s controls, and updates to those controls when the internal assessments identify a need.
- Ensure that its servers are configured to instruct Safari Web browsers to expire any cookie placed by PointRoll using its browser circumvention technique, if those systems encounter such a cookie, for a period of two years.
- Cooperate with compliance monitoring by the participating states, including providing a written report that describes PointRoll’s compliance with the Privacy Program requirement, and allowing the inspection and copying of all records that may be required to verify compliance.
In addition to lead state New Jersey, the states of Connecticut, Florida, Illinois, Maryland and New York are party to the PointRoll settlement.
Deputy Attorney General Glenn T. Graham, assigned to the Division of Law’s Consumer Fraud Prosecution section, and Deputy Attorneys General Elliott Siebers and Edward Mullins, assigned to the Government and Healthcare Fraud Section, handled the PointRoll matter on behalf of the State.
SOURCE: NJ Office of the Attorney General, Dept. of Law & Public Safety
Related: Settlement Agreement