The FCC announced last week that it reached a settlement with Verizon Wireless (“Verizon”) over its use of “supercookies.” More specifically, the FCC alleged that Verizon inserted unique identifiers into the headers of its customers’ HTTP requests to support its targeted advertising programs, and that customers had not consented to this practice. In this post, we analyze the settlement and some of its unique features.
Verizon’s Practices & FCC Investigation
Verizon allegedly had been inserting Unique Identifier Headers (“UIDH”) — the supercookies — into its wireless customers’ HTTP requests since at least December 2012, but did not disclose the practice to consumers for nearly two years. The FCC contends that at least one third party was able to use the UIDH to restore cookies that consumers had deleted from their browsers.
The FCC began its investigation in December 2014 after news articles called attention to Verizon’s practices and the FCC received consumer complaints. The FCC alleged that Verizon’s use of supercookies without consumer consent violated section 222 of the Communications Act and section 8.3 of the Open Internet Transparency Rule. Although the FCC did not provide more specific details regarding its allegations, section 222 requires carriers to protect customers’ proprietary information and to use that information only for authorized purposes, and the Open Internet Transparency Rule requires various public disclosures regarding an internet service provider’s practices. Verizon cooperated with the FCC’s investigation and updated its consumer-facing documents during the course of the investigation to disclose its UIDH practices.
The Consent Decree
Under the Consent Decree, Verizon must –
- Designate a senior corporate manager as the Compliance Officer to ensure Verizon’s compliance with the terms of the Consent Decree. The Compliance Officer or its direct reports must be “privacy certified by an industry certifying organization and keep current through appropriate continuing privacy education courses.”
- Develop a compliance plan that, among other things – (a) ensures its users provide prior opt-in consent to the use of UIDH and have the right to opt out at any time, (b) requires Verizon to generate UIDH in compliance with reasonable and accepted security standards, and (c) ensures that Verizon discloses its practices and use of UIDH in its privacy policies and FAQs.
- Submit annual compliance reports to the FCC for 3 years.
- Pay a $1.35 million fine.
Companies considering engaging in consumer monitoring or tracking activities should always consider whether any law does – or conceivably could – prohibit or restrict that practice. This investigation and settlement demonstrate that the FCC is ramping up its privacy and information security enforcement efforts, amidst a flurry of other recent activity in this area from the CFPB, FDA, HHS, and, of course, the FTC. The FCC also just announced a proposal to create privacy rules for broadband internet (which we will write on separately).
The Verizon settlement may be the first settlement that requires compliance team members to be “privacy certified” – an implicit endorsement of the International Association of Privacy Professionals (IAPP) and its activity in developing privacy certifications. (Both authors are members of the IAPP and hold its CIPP/US certification). Compared to the FTC’s settlement terms, which often require audits and reporting for a 20-year period, the FCC’s three-year reporting period appears quite reasonable. Also notably, the settlement requires not just “reasonable” security measures to be implemented, but also requires that those security measures be “accepted,” suggesting that there must be some form of consensus as to reasonableness – a potentially higher standard than we have observed in other settlements.
We will continue to monitor developments in federal agencies’ privacy and cybersecurity enforcement efforts.
To subscribe for updates from our Data Protection Report blog, visit the email sign-up page.