Verizon will pay the Federal Communications Commission (FCC) $1.35 million in a settlement over the company's use of “supercookies” without customer knowledge or consent.
The cellular service provider uses a tracker called a “Unique Identifier Header” or UIDH which is inserted into all unencrypted web traffic that flows through the wireless network by default in order to track user demographics for its advertising program.
Verizon must also notify customers of its targeted advertising programs and obtain customer opt-in consent before sharing UIDH information with third parties or within the Verizon corporate family, according to an FCC press release.
“Consumers care about privacy and should have a say in how their personal information is used, especially when it comes to who knows what they're doing online,” FCC Enforcement Bureau Chief Travis LeBlanc said in the release.
Verizon said in a statement emailed to SCMagazine.com that it “gives customers choices" about how the company uses their data. "We work hard to provide customers with clear, complete information to help them make decisions about our services,” the statement said, noting that “over the past year [it has] made several changes" to its advertising programs that have given its consumers more options. The settlement reflects those changes.
“We will continue to give customers the information they need to decide what programs and services are right for them,” Verizon said.
Calling the settlement an unqualified win for consumers, online security, and privacy advocates who have been calling for tracking only on an opt-in basis, Electronic Frontier Foundation (EFF) Staff Attorney Nate Cardozo told SCMagazine.com, “Verizon's use of the UIDH trucking header was, to our eyes, clearly illegal from the time we first found out about it in late 2014, and we told Verizon as much at the time."
Cardozo said the header allowed a number of dangerous online tracking practices that Verizon couldn't control, especially at the beginning of the program when Verizon didn't permit users an opt-out.
In 2014, the FCC launched an investigation into Verizon's use of the UIDHs that revealed the company had been inserting them into consumer traffic since 2012, but failed to disclose its use of them until October 2014, the release said.
In January 2015, a Verizon advertising partner reportedly used the UIDHs for unauthorized purposes to effectively override customers' privacy settings by restoring cookie IDs that users had cleared from their browsers by associating them with Verizon UIDHs.