• by Wendy Davis  @wendyndavis, December 20, 2016

Ad company Turn has agreed to settle allegations that it deceived consumers by tracking them for ad purposes after they attempted to avoid such tracking, the Federal Trade Commission said Tuesday.

The settlement, which bars Turn from misrepresenting its online data collection practices, centers on the company's use of a controversial "supercookie" technology. From 2013 through early 2015, the company allegedly tracked Verizon wireless users via headers -- called X-UIDHs -- that Verizon injected into all unencrypted mobile traffic.

Those headers -- 50-character alphanumeric strings -- enabled ad companies to compile profiles of users and serve them targeted ads. The X-UIDHs also are known as “zombie” cookies, or "supercookies," because they allow ad companies to recreate cookies that users delete.

“Turn tracked millions of consumers online and through mobile apps even if they had taken steps to block or limit tracking,” Jessica Rich, head of the FTC's consumer protection bureau, stated. “The FTC’s order will ensure the company honors consumers’ privacy choices.”

The FTC alleged in its complaint that Turn misled consumers by implying in its privacy policy that users could control online tracking by refusing to accept cookies. Until April of 2015, Turn's privacy policy didn't mention its use of tracking headers, according to the FTC. Instead, the company said it used cookies for tracking, and that people could control whether their browsers accepted cookies.

"You can instruct your browser, by editing in options, to stop accepting cookies or prompt you before accepting a cookie from the websites you visit," the privacy policy stated, according to the FTC. "If you do not accept cookies, however, you may not be able to enjoy the full functionality of many of the websites you visit."

Those statements amounted to a representation that consumers could avoid tracking by rejecting cookies, the FTC alleged.

Turn said Tuesday that it agreed to settle the case in order to avoid litigation. "Turn complies with applicable law and industry standards and regulations," the company stated. "This agreement will have no impact on the work we do for our clients or our ability to compete in the market."

The company didn't admit to wrongdoing as part of the settlement.

Verizon has used the controversial tracking headers for ad targeting since 2012, but didn't disclose their existence in its privacy policy until late 2014. Initially, Verizon didn't let its subscribers opt out of the header insertions. But last year, faced with pressure from lawmakers, Verizon revised its policies to allow opt-outs. The company later narrowed the program by saying it would only send the header to Verizon companies, including AOL.

Verizon originally predicted that ad networks weren't likely to draw on the headers in order to compile profiles of Web users. But in January of 2015, researcher Jonathan Mayer reported that Turn drew on Verizon's headers to collect data and send targeted ads to mobile users who delete their cookies.

Turn initially acknowledged Mayer's report, and defended use of the tracking headers. “At Turn, we always use the most stable identifier available to inform our bidding and campaign execution,” Max Ochoa, Turn's former general counsel and chief privacy officer, said in a blog post. “In the case of Verizon devices, we use the non-cookie UIDH identifier.”

He added that clearing cookies “is not a widely recognized method of reliably expressing an opt-out preference."

Several days later, the company changed its position and stopped using the tracking headers.

The FTC also alleged that Turn misled consumers by stating in its privacy policy that they could opt out of receiving tailored ads by clicking on an opt-out link. Turn said that clicking on that link would result in users receiving an opt-out cookie that "tells our servers not to deliver tailored, anonymous ads to you that deliver high value to the sites and apps you love."

But, according to the FTC, the opt-out cookie only applied to mobile browsers, and didn't block targeted ads on mobile apps.

Earlier this year, the Federal Communications Commission fined Verizon $1.35 million to settle an investigation surrounding the headers. That investigation focused on whether Verizon violated the Communications Act's privacy provisions -- which require carriers to protect customers' "proprietary information" -- and whether the company violated a 2010 net neutrality rule requiring disclosure of broadband management practices.