FCC Fines Verizon Wireless US$1.35 Million for Use of Tracking Cookies Without Consent

On March 7, 2016, the Enforcement Bureau of the Federal Communications Commission released an Order and Consent Decree settling an investigation of Verizon Wireless’s use of Unique Identifier Headers (UIDH). According to the Consent Decree, Verizon Wireless had used these “supercookies” without customers’ knowledge or consent to track their wireless broadband activities for the purpose of targeted advertisements from Verizon and third parties.¹ Verizon Wireless agreed to pay a fine of US$1,350,000, as well as to implement a compliance plan and obtain customer opt-in consent before sharing supercookies with a third party to deliver targeted advertising.

The Verizon Wireless Order reflects the FCC’s heightened interest in the privacy obligations of telecommunications and cable providers.² The Verizon Wireless Order follows on the heels of a November 2015 settlement with Cox Communications, Inc. for US$595,000 in the FCC’s first ever privacy and data security enforcement action against a cable operator.³ The Verizon Wireless Order comes during the same month that the FCC is widely expected to initiate a rulemaking proceeding proposing privacy rules for broadband providers.

The Investigation

In December 2014, the FCC began investigating Verizon Wireless practices regarding  protection of customer proprietary information and the extent of diclosures regarding insertion of UIDH into consumer wireless Internet traffic over its network.⁴ In particular, the Bureau was investigating Verizon Wireless’s actions under Section 222 of the Communications Act of 1934,⁵ which imposes a duty on carriers to protect customers’ proprietary information and prohibits them from using proprietary information obtained from other carriers for purposes of providing any telecommunications service for any other purpose, and under  the Transparency Rule,⁶ which, among other things, requires broadband Internet access service providers to publicly disclose accurate information regarding their services.

Through the course of the investigation, the Bureau determined that Verizon Wireless had begun using UIDH as early as December 2012, but had not disclosed this practice until October 2014 and had not  updated its privacy policy and other customer-facing information to disclose its use of UIDH and provide consumers a related opt-out capability until March 2015.⁷ The Bureau also found that at least one Verizon Wireless advertising partner had used UIDH for the unauthorized purpose of restoring cookie IDs that users had cleared from their browsers by associating them with Verizon Wireless’s UIDH, thereby overriding customers’ privacy choices.⁸ Finally, the Bureau found that Verizon Wireless “inserted UIDH into the Internet traffic made from mobile device lines, including enterprise, government, and Mobile Virtual Network Operator (MVNO) lines, which were ineligible to participate in Verizon Wireless’s targeted advertising programs.”⁹

The Order and Consent Decree

Under the terms of the settlement, Verizon Wireless will pay a fine of US$1,350,000 and implement a three-year compliance plan. As part of that plan, Verizon Wireless must, among other things:

• Obtain opt-in consent from a customer before sharing UIDH with a third party for targeted advertising;

• Obtain opt-in or opt-out consent before sharing UIDH internally among Verizon entities;

• Generate UIDH using methods that comply with reasonable and accepted security standards; and

• Maintain its current practices of (a) “removing UIDH from enterprise, government, and MVNO lines within a reasonable period after activation and in those cases not use such UIDH for any purpose,” (b) allowing customers who opt in to sharing UIDH subsequently to opt out, and (c) disclosing its UIDH practices in its privacy policies and FAQs and updating them as appropriate.¹⁰

In addition, Verizon Wireless must submit regular compliance reports during the three-year term of the compliance plan, report any noncompliance with the Consent Decree, and appoint a compliance officer.

If during the term of the compliance plan the Commission adopts a customer opt-in or opt-out consent rule related to the subject matter of the Consent Decree, such rule will supersede the related terms of the Consent Decree.¹¹