Dataium LLC, a Tennessee-based data aggregation and analytics company serving the automotive industry, recently settled an administrative action filed by the State of New Jersey alleging the company sold users’ data to a third-party data analytics company without the users’ notice or consent. Specifically, the NJ AG alleged that Dataium engaged in a data-collection practice known as “history sniffing” without adequately disclosing the practice to its users and getting users’ consent. “History sniffing” lets a company see what other websites a user has visited by looking at how the browser displays hyperlinks (a link to a site that has been visited is displayed in purple rather than blue). In addition, the NJ AG alleged that for $2,500, Dataium sold 400,000 users’ personally identifying information—including name, phone number, e-mail address, and vehicle preference—to Acxiom, one of the world’s largest data analytics companies, without sufficient notice and consent from users.
Under the agreement reached with New Jersey, Dataium will fully disclose its practices to its users and give them the ability to opt out of those practices. It has also agreed to pay $400,000, and within 90 days to set up and implement a comprehensive Privacy Program designed to protect the privacy and confidentiality of consumer information. As part of the Privacy Program, Dataium must designate an employee responsible for the program, develop and deliver to the AG an independent privacy assessment report, implement reasonable privacy controls and procedures to address the risks identified in the report, and regularly test and monitor the effectiveness of those controls and procedures. The consent order agreed to by Dataium sets out a long list of requirements for a privacy assessment report, which must be addressed, reported on, and delivered to the NJ AG three times over the five-year reporting period.
This settlement is similar to one reached with Epic Marketplace by the FTC, which we reported on last year.
TIP: This case is a reminder that companies engaging in new tracking activities – like history sniffing – should think through how they provide notice and what type of consent is appropriate. For history sniffing, this case suggests that opt-out notice is sufficient.