The Federal Communications Commission fined Verizon Wireless $1.35 million Monday for tracking wireless customers Web browsing habits with technology left available to third-party advertisers without consumers’ knowledge or consent.
The agency’s settlement with the carrier concludes an FCC Enforcement Bureau investigation launched in December 2014 to examine Verizon’s use of so-called “supercookies,” or permanent identifiers installed in its devices to track customers as they surf from site to site.
Verizon used the unique and undeletable identifiers to more effectively deploy targeted advertising to consumers and left the tool open to use by a third party advertising partner. The headers — inextricably tied to a users’ individual devices — differ from traditional cookies, which can be deleted.
According to the investigation Verizon introduced the identifiers as early as December 2012 but failed to disclose the practice until October 2014.
After the disclosure Verizon said third-party advertisers were unlikely to use the supercookies to build consumer profiles until it was revealed last January a Verizon third-party advertising partner discovered the identifiers and used them to restore cookies intentionally deleted by customers from their devices, “in effect overriding customers’ privacy choices,” the agency said in a statement Monday.
Verizon acknowledged the issue but didn’t update its privacy policy or offer customers the choice of opting out until March 2015.
In addition to paying the $1 million-plus fine Verizon ongoing will have to inform customers about the presence of the supercookies on their devices and seek their consent before tracking their data or let them opt out of tracking altogether.
“Consumers care about privacy and should have a say in how their personal information is used, especially when it comes to who knows what they’re doing online,” FCC Enforcement Bureau Chief Travis LeBlanc said Monday.
“Privacy and innovation are not incompatible,” he continued. “This agreement shows that companies can offer meaningful transparency and consumer choice while at the same time continuing to innovate. I would like to acknowledge Verizon Wireless’s cooperation during the course of this investigation and its willingness to make changes to its practices for the benefit of its customers.”
In a press release the agency cited Communications Act Section 222 as the basis for its action — the same legislation the agency described as the basis for upcoming privacy regulations to govern the use of consumer data by Internet service providers including Verizon, AT&T, Comcast, Cox and Time Warner Cable, which could be announced as soon as this month.
Section 222 gives the FCC authority over how common carriers like telephone networks use customer proprietary network information — personal data on customers carriers retain due to the nature of their relationship in facilitating private communications.
When the FCC reclassified ISPs as common carriers as part of its net neutrality rulemaking last year, it forbore from applying Section 222 to ISPs, describing the rules as too telephone centric, and opted instead to draft new privacy rules for broadband later.
A panel of experts challenged the FCC’s wisdom and legal ability to implement such rules last week, suggesting new technology like virtual private networks and encryption block much of the data ISPs can see already and that the FCC should follow the FTC’s example with flexible standards and case-by-case enforcement.
A group of privacy, civil liberties and net neutrality advocates including the American Civil Liberties Union, Public Knowledge and New America’s Open Technology Institute challenged those claims and called for new rules in a letter to FCC Chairman Tom Wheeler Monday.
“Regardless of encryption, ISPs still receive data related to the frequency, timing, location, and volume of a user’s Internet access,” the letter reads. “This information can reveal intimate details about the subscriber, such as when a user has recently become employed or given birth to a child.”
“Moreover, many Internet users do not even know what VPNs are, much less how to use them. Consumers should not be forced to pay for extra precautions to protect their privacy.”
The dozen groups said ISPs engage in prolific data mining as part of business practices aimed at monetizing consumers personal information, and that the FTC’s approach — making companies disclose their practices via lengthy and legal language-heavy user privacy agreements, and case-by-case enforcement — isn’t enough.
“Research shows that consumers rarely read privacy policies; when they do, these complex legal documents are difficult to understand,” the groups wrote. “Moreover, emphasizing notice or disclosure favors the interests of businesses over consumers and fails to establish meaningful privacy safeguards.”
During a speech last Thursday FCC Wireline Competition Bureau Chief Matthew DelNero said the the move is backed by years of regulatory agency precedent, including at the FCC, and pointed to three chief areas the rules will address — “transparency, choice and data security.”