Verizon Wireless Will Pay $1.35 Million to Settle FCC Supercookie Investigation

Verizon Wireless Will Pay $1.35 Million to Settle FCC Supercookie Investigation
Image: Pixabay
March 7, 2016

The Federal Communications Commission (FCC) has announced a settlement resolving an investigation into Verizon Wireless's practice of inserting unique identifier headers, or so-called "supercookies," into its customers' mobile Internet traffic without their knowledge or consent. These unique, undeletable identifiers—referred to as UIDH—are inserted into web traffic and used to identify customers in order to deliver targeted ads from Verizon and other third parties.

The FCC says that, as a result of the investigation and settlement, Verizon Wireless is notifying consumers about its targeted advertising programs, will obtain customers' opt-in consent before sharing UIDH with third parties, and will obtain customers' opt-in or opt-out consent before sharing UIDH internally within the Verizon corporate family.

"Consumers care about privacy and should have a say in how their personal information is used, especially when it comes to who knows what they're doing online," said FCC Enforcement Bureau Chief Travis LeBlanc. "Privacy and innovation are not incompatible. This agreement shows that companies can offer meaningful transparency and consumer choice while at the same time continuing to innovate. We would like to acknowledge Verizon Wireless's cooperation during the course of this investigation and its willingness to make changes to its practices for the benefit of its customers."

In December 2014, the FCC's Enforcement Bureau launched an investigation into whether Verizon Wireless failed to appropriately protect customer proprietary information and whether the company failed to disclose accurate and adequate information regarding its insertion of UIDH into consumer Internet traffic over its wireless network, in violation of the FCC's 2010 Open Internet Transparency Rule and Section 222 of the Communications Act. The Bureau's investigation found that Verizon Wireless began inserting UIDH into consumer Internet traffic as early as December 2012, but failed to disclose this practice until October 2014.

According to the FCC, after acknowledging its use of UIDH, Verizon Wireless asserted that third-party advertising companies were unlikely to use these so-called "supercookies" to build consumer profiles or for any other purpose. In January 2015, however, news reports claimed that a Verizon Wireless advertising partner used UIDH for unauthorized purposes—restoring cookie IDs that users had cleared from their browsers by associating them with Verizon Wireless's UIDH, in effect overriding customers' privacy choices. The following month, Verizon Wireless acknowledged the concerns raised by these news reports and committed to work with its partners to address the issue.

The FCC says that it was not until late March 2015, over two years after Verizon Wireless first began inserting UIDH, that the company updated its privacy policy to disclose its use of UIDH and began to offer consumers the opportunity to opt-out of the insertion of unique identifier headers into their Internet traffic.

Under the terms of the settlement, Verizon Wireless must also pay a fine of $1,350,000 and adopt a three-year compliance plan.

The settlement with Verizon represents the second Open Internet enforcement action taken by the FCC. In June 2015, the FCC proposed a $100 million fine against AT&T Mobility for misleading its customers about the data speed limits on its so-called "unlimited" mobile data plans.

The full Verizon Wireless Order and Consent Decree can be viewed here.