On March 7, 2016, the Enforcement Bureau of the Federal Communications Commission released an Order and Consent Decree settling an investigation of Verizon Wireless’s use of Unique Identifier Headers (UIDH). According to the Consent Decree, Verizon Wireless had used these “supercookies” without customers’ knowledge or consent to track their wireless broadband activities for the purpose of targeted advertisements from Verizon and third parties. Verizon Wireless agreed to pay a fine of US$1,350,000, as well as to implement a compliance plan and obtain customer opt-in consent before sharing supercookies with a third party to deliver targeted advertising.
The Verizon Wireless Order reflects the FCC’s heightened interest in the privacy obligations of telecommunications and cable providers. It follows on the heels of a November 2015 settlement with Cox Communications, Inc. for US$595,000 in the FCC’s first-ever privacy and data security enforcement action against a cable operator. It also comes during the same month that the FCC is widely expected to initiate a rulemaking proceeding proposing privacy rules for broadband providers.
In December 2014, the FCC began investigating Verizon Wireless’s practices regarding protection of customer proprietary information and the extent of disclosures regarding insertion of UIDH into consumer wireless Internet traffic over its network. In particular, the Bureau was investigating Verizon Wireless’s actions under Section 222 of the Communications Act of 1934, which imposes a duty on carriers to protect customers’ proprietary information and prohibits them from using proprietary information obtained from other carriers for purposes of providing any telecommunications service for any other purpose, and under the Transparency Rule, which, among other things, requires broadband Internet access service providers to publicly disclose accurate information regarding their services.
The Order and Consent Decree
Under the terms of the settlement, Verizon Wireless will pay a fine of US$1,350,000 and implement a three-year compliance plan. As part of that plan, Verizon Wireless must, among other things:
- Obtain opt-in consent from a customer before sharing UIDH with a third party for targeted advertising;
- Obtain opt-in or opt-out consent before sharing UIDH internally among Verizon entities;
- Generate UIDH using methods that comply with reasonable and accepted security standards; and
- Maintain its current practices of (a) “removing UIDH from enterprise, government, and MVNO lines within a reasonable period after activation and in those cases not use such UIDH for any purpose,” (b) allowing customers who opt in to sharing UIDH subsequently to opt out, and (c) disclosing its UIDH practices in its privacy policies and FAQs and updating them as appropriate.
In addition, Verizon Wireless must submit regular compliance reports during the three-year term of the compliance plan, report any noncompliance with the Consent Decree, and appoint a compliance officer.
If during the term of the compliance plan the Commission adopts a customer opt-in or opt-out consent rule related to the subject matter of the Consent Decree, such rule will supersede the related terms of the Consent Decree.