Verizon Wireless has reached a settlement with the Federal Communications Commission over Verizon’s insertion of unique identifier headers (“UIDH”), also known as “supercookies,” to track customers’ mobile Internet traffic without their knowledge or consent.  Verizon inserted UIDH into customers’ web traffic and associated the UIDH with customer proprietary information to create profiles and deliver targeted ads.  In at least one instance, a Verizon advertising partner overrode customers’ privacy choices by using the UIDH to restore cookies deleted by the customer.  For over two years Verizon Wireless did not disclose its use of UIDH in its privacy policies or offer consumers the opportunity to opt-out of the insertion of UIDH into their Internet traffic.

The FCC launched its investigation in December 2014 under (1) Section 222(b) of the Communications Act, which imposes restrictions on the use of proprietary information received for the provision of telecommunications services, and (2) the FCC’s Open Internet (or Net Neutrality) Transparency Rule, which requires that a broadband provider “publicly disclose accurate information regarding the network management practices, performance, and commercial terms of its broadband Internet access services sufficient for consumers to make informed choices regarding use of such services.” This is the first time the FCC has relied on the Open Internet rules to enforce privacy protections.

As part of its settlement with the Enforcement Bureau, Verizon will pay a $1.35 million penalty and will implement a compliance plan to notify consumers about its targeted advertising programs, obtain customers’ opt-in consent before sharing UIDH with third parties, and obtain customers’ consent before sharing UIDH internally within the Verizon corporate family.  Verizon was not required to, and did not, admit liability as part of the settlement.