The Federal Trade Commission recently announced that it entered into a settlement with Epic Marketplace, Inc., (Epic) an online advertising company, of charges that its "history sniffing" practices violated Section 5 of the FTC Act. The settlement serves as another reminder that companies operating online need to consult legal counsel when drafting privacy policies and regularly monitor those policies to make sure they accurately reflect the company’s information sharing practices.

Epic acted as an intermediary between website owners and advertisers by purchasing advertising space on the owners’ websites and contracting with advertisers to place their ads on those websites. Epic used "cookies" to collect data from consumers who visited websites on which the company had purchased advertising space (Epic Network). Through a merger, Epic acquired a company that engaged in "history sniffing," which involves using a code to determine whether a consumer has previously visited a web page, based on how the consumer’s web browser styles the display of the page’s hyperlink.

The FTC alleged that by including the history-sniffing code in advertisements it placed on the Epic Network, Epic was able to determine whether someone viewing the advertisement had also previously visited web pages outside of the Epic Network. Based on the knowledge it obtained on which web pages a consumer had visited, Epic assigned the consumer to various interest categories and used those categories to send the consumer targeted advertisements.

According to the FTC, Epic had engaged in deceptive acts or practices because its privacy policy represented expressly or by implication that the company collected information only on consumers’ visits to websites in the Epic Network, and did not disclose that Epic was engaged in history-sniffing, a fact consumers would have found to be material in deciding whether to use Epic’s opt-out mechanism.

The settlement bars Epic from engaging in history-sniffing and requires it to delete and destroy all data obtained through the practice. It also bars any misrepresentations about Epic’s privacy policies, including about the extent to which data is collected, used, disclosed or shared or a software code on a web page determines if the consumer has previously visited a website.