On July 23, 2013, New York digital media company, PulsePoint, Inc. (“PulsePoint”), and the New Jersey Attorney General entered into a Consent Order following an investigation by the NJ Office of Consumer Protection into whether PulsePoint violated its Consumer Fraud Act in connection with its use of cookies and online advertisement services provided to New Jersey consumers.

What PulsePoint Admitted to Doing

Without (NJ) consumers’ knowledge or consent, PulsePoint used hidden code to place cookies on Apple Safari web browsers by bypassing privacy settings that were specifically set to block such cookies.  (“Cookies” are small packages of data that are stored on computers for various tracking purposes by websites and advertisers.)  According to the New Jersey AG, these unauthorized cookies may have enabled third party advertisers to target consumers with ads based on their online activities.  Through this activity, during a two and a half year period, PulsePoint was able to place as many as 215 million targeted ads on web browsers in New Jersey alone.

PulsePoint stopped this activity only after the Wall Street Journal reported in February 2012 that a number of companies, including Google, had engaged in similar practices.

What PulsePoint Agreed to Do

First and foremost, as part of the settlement, PulsePoint agreed to pay a total of One Million Dollars ($1,000,000.00) to the State of New Jersey.  This payment, broken down, includes: (i) a civil penalty in the amount of $566,196.96; (ii) reimbursement of the State’s attorneys’ fees in the amount of $32,048.00; (iii) reimbursement of the State’s investigative costs in the amount of $1,755.04; (iv) a payment of $150,000.00 to be used in the State’s sole discretion for the promotion of consumer privacy programs; and (v) a payment of $250,000.00 to be used by the State for in-kind advertising services to, among other things, protect the public from fraudulent and deceptive practices.

PulsePoint also agreed to implement certain business practices as part of the settlement.  Among other things, PulsePoint must implement a series of privacy controls and procedures to ensure that it protects the privacy and confidentiality of the consumer information that it obtains.  PulsePoint also is enjoined from altering consumers’ privacy settings on their web browsers without affirmative consent.  PulsePoint also agreed to hire an independent third party to provide regular privacy assessment reports to the State for five years and to maintain systems that will instruct Safari web browsers to expire any cookies that may have been placed there by PulsePoint before the settlement.

Finally, PulsePoint agreed to provide detailed information on its website about the types of consumer information that it collects and how that information is used.  Its website also must include instructions on how consumers can manage cookies and restrict, limit, opt out of, or otherwise control, the information PulsePoint may collect about them.

What the Future May Hold

It is likely that other states’ attorneys general will institute their own investigations into PulsePoint and other Internet marketing companies following this million dollar settlement.   Class action lawsuits may also be filed for similar alleged privacy violations.