Verizon has agreed to pay a $1.35 million fine and adopt a 3-year compliance program for failing to adequately notify its customers about its use of "supercookies" to enable the delivery of targeted advertising. The penalties, which were adopted as part of a consent decree with the Federal Communications Commission's Enforcement Bureau, settled the agency's investigation into whether the company violated net neutrality transparency rules and the FCC's customer proprietary network information (CPNI) privacy rules. The consent decree may provide a preview of further enforcement activity and upcoming proposals on Internet privacy.
The consent decree involved Verizon Wireless's insertion of Unique Identifier Headers (UIDH) into customers' IP address headers when the customers visited websites. These "supercookies," which cannot be readily deleted by the customer, were used in two targeted advertising programs – Verizon Selects and Relevant Mobile Advertisement (RMA). Verizon Selects uses customer information to develop profiles to deliver targeted ads. Such information includes websites visited, device location, apps and device features used, email addresses, and information about Verizon Wireless products and services used by the customer (some of which the FCC states qualifies as CPNI for purposes of the FCC's privacy rules). The RMA program used less detailed information, including email addresses, information about Verizon Wireless products and services (such as device type), and interest information obtained from other companies. Verizon sometimes made UIDH information available to third parties.
Verizon customers had to affirmatively opt into the Verizon Selects program. Customers were automatically enrolled in the RMA program unless they opted out. Although Verizon obtained these consents and provided information about the programs, Verizon Wireless did not initially disclose or provide information about the use of UIDH identifiers.
Specific violations are unclear
The consent decree provides little information about how the FCC believes that Verizon violated the rules. That said, it appears the FCC claimed that the failure to disclose the use of UIDH inserts violates the transparency rules adopted in the FCC's 2010 Net Neutrality Order. Since Verizon's actions occurred before the FCC's 2015 Open Internet Order revised the transparency rule, the violations alleged by the FCC arose under the prior version of those rules.
The FCC also did not specify how Verizon Wireless's use of UIDH may have violated the CPNI rules, other than stating that those rules impose a duty on telecommunications carriers to protect their customers' proprietary information and that a carrier may not use CPNI obtained from another carrier for its own marketing efforts. Since the activity discussed in the consent decree occurred before the FCC extended the CPNI rules to Internet access services in its 2015 Open Internet Order, it appears that the FCC believes Verizon Wireless was sharing information obtained from customers of its traditional wireless service. The FCC's reference to the traditional CPNI rules barring one carrier from using CPNI obtained from another carrier is also curious as it is not clear what other carriers, either affiliated with Verizon, or a third party, may have been implicated.
The FCC also may have been concerned that the disclosures Verizon Wireless made about UIDH may not have been accurate. The FCC noted that Verizon's FAQs addressing UIDH said it was unlikely that websites and advertisers would try to build customer profiles for online advertising or any other purpose using UIDH. Contrary to this claim, the FCC pointed to news reports that one Verizon Wireless advertising partner "used UIDH for unauthorized purposes," citing articles reporting that an online advertising clearinghouse used UIDH to restore cookies that customers had cleared from their browsers by associating the customers with Verizon Wireless UIDHs.
In addition to paying the substantial fine, Verizon Wireless agreed to a compliance plan that, among other requirements, obligates the company to:
- Obtain opt in consent before sharing UIDH with a third party for advertising purposes;
- Generate UIDH using "methods that comply with reasonable and accepted security standards;"
- Continue to allow customers to opt out of the RMA program;
- Preclude sharing of UIDH internally among Verizon companies without opt out or opt in consent.
A preview of things to come?
The FCC is poised to propose privacy rules for broadband Internet access companies. These proposed rules may affect the ability of online advertising companies partnering with Internet service providers to obtain customer information for targeted advertising. It is highly likely that those proposed rules will address use of technology such as UIDHs by wireless and wireline broadband providers in targeted marketing programs. Aspects of the new rules, including requiring opt in consent before providing customer information to third parties, and opt in or opt out consent for sharing information among an Internet access provider's affiliated companies, could well be included in the FCC's proposals. Specific and detailed disclosure also is likely to be among the requirements the FCC will propose.