Nov 212013
 November 21, 2013  Posted by  Breaches, Business, Featured News, Online, U.S.

Acting Attorney General John J. Hoffman, the Division of Law and the Division of Consumer Affairs announced today that Dataium, a Tennessee-based data analytics company serving the automotive industry, has entered into a settlement agreement that resolves allegations it engaged in unlawful “history sniffing” by using software code to track Web sites visited by consumers without their knowledge or consent.

Under terms of the settlement, Dataium has agreed to a $400,000 payment to the State, with $99,000 to be paid over the next two years, and the $301,000 balance suspended. The suspended amount will be due immediately if Dataium fails to honor all terms of the settlement. The suspended payment obligation will be vacated after five years if Dataium continues to comply with all settlement terms, and does not violate the New Jersey Consumer Fraud Act.

In addition to the settlement’s monetary terms, Dataium is required under the agreement to create a privacy program designed to protect consumers, and to post a page or pages within its Web site informing the public about what type of consumer information it collects, and what it does with that information.

Located in Nashville, Dataium aggregates and analyzes billions of Internet-based consumer car-shopping sessions to enable its industry clients to understand consumer demands and trends. The State alleges that Dataium used JavaScript code to track Web sites visited by consumers without their knowledge. The State also alleges that Dataium sold the personal identifying information of consumers to a third-party data company known as Acxiom without notice to those consumers.

“Whether New Jersey citizens are surfing the Web or off-line, they have a right to privacy. They also have a right to feel confident their personal identifying information is not being sold without their knowledge or consent,” said Acting Attorney General Hoffman. “The Internet and sophisticated data collection technology are important tools, but they also can be used to take advantage of consumers. We will not allow that. We remain committed to protecting the privacy of consumers, and to holding accountable anyone whose data-collection efforts threaten that privacy.”

”Dataium allegedly used software code to track the Web sites visited by consumers without their knowledge or consent. The company also allegedly transferred the personal information of 400,000 consumers to one of the largest data brokers in the world,” said Division of Law Director Christopher S. Porrino. “Our bedrock of consumer privacy rests on notice and choice. At the very least, Dataium should have notified consumers and disclosed their data transfer practices.”

”Today’s settlement with Dataium should serve as a warning to those who seek to unlawfully procure and sell information about consumers,” said Division of Consumer Affairs Director Eric T. Kanefsky. “Companies should provide online customers with notice as to what information they are collecting, how they use such information, and to whom they intend to sell such information. The bottom line is that consumers should be aware of who is collecting information about them when they are online and how they’re doing it, and they should have every opportunity to control what happens to that information.”

History sniffing is a technique whereby a JavaScript code is created that scans a Web site visitor’s browsing history from the Web browser. Since Web browsers display Web site links in a different color after a user visits that Web site, a “sniffer” is able to determine the Web sites visited by a user based on the color of the link. The Federal Trade Commission has found that the practice of history sniffing circumvents user choice by preventing the most common and widely known method for blocking online tracking – deleting cookies.

The State’s investigation of Dataium determined the company engaged in history sniffing for a two-year period, from November 2010 through November 2012. Specifically, Dataium is alleged to have tracked more than 181,000 user visits to various car dealership Web sites, popular search engines and news articles and, in the process, collected the browsing history of individual browser users without their knowledge or consent. The company denies the allegation.

In addition, the State determined that Dataium had sold for $2,500 the personal identifying information of 400,000 consumers – without their knowledge or consent — to Acxiom, one of the world’s largest data analytic companies. The information sold by Dataium to Acxiom included consumers’ names, phone numbers, e-mail addresses, Dataium IDs, and vehicle preferences. The transaction was part of a data supplier “test agreement” between the two companies, ostensibly to determine “the value of marrying online behavior from Dataium with offline behavior from Axciom.”

Among the other terms of settlement, Dataium has agreed not to collect information about Web sites visited by consumers without explicitly disclosing the manner in which it collects such information, and offering consumers a mechanism for opting out of such information collection.

Deputy Attorneys General Jah-Juin Ho, Edward Mullins and Glenn Graham, and Assistant Attorneys General Kevin Jespersen and Brian McDonough, assigned to the Division of Law’s Affirmative Civil Enforcement group, and Investigators Brian Morgenstern and Aziza Salikhov, assigned to the Division of Consumer Affairs, handled the Dataium matter on behalf of the State.

You can access the settlement agreement here (pdf, 17 pp.)

SOURCE: NJ Attorney General’s Office

Sorry, the comment form is closed at this time.