The online ad exchange PulsePoint has agreed to pay $1 million to settle charges that it circumvented Safari users' privacy settings, the New Jersey Attorney General said this week.
PulsePoint (formed by a 2011 merger of Datran Media and ContextWeb) also agreed to implement a comprehensive five-year privacy program.
The settlement grew out of allegations that PulsePoint “hacked” Safari's privacy controls in order to set tracking cookies. The Safari browser automatically blocks cookies by third parties, like ad networks and exchanges.
The hack was first exposed in February 2012, when Stanford graduate student Jonathan Mayer published a report outlining how ad companies were able to set cookies despite Safari's default settings. Mayer's report, later confirmed by privacy expert Ashkan Soltani, named four companies that allegedly did so -- Google, PointRoll, Vibrant Media and WPP's Media Innovation Group.
Soon after that report was published, consumers filed class-action litigation against those companies. Earlier this week, PointRoll said in court papers that it had resolved the lawsuit, but litigation is continuing against the other companies.
Google also paid around $23 million to settle Federal Trade Commission charges about the alleged circumvention.
A separate investigation by the New Jersey authorities -- which cost $175,000, according to court papers -- led to the charges against PulsePoint. State officials said in court papers that PulsePoint served an estimated 215 million ads to Safari users in New Jersey from June of 2009 through February of 2012.
PulsePoint said the cookies were set by predecessor company ContextWeb, and that PulsePoint executives were not aware of the practice until last February, at which time they stopped employing the workaround. “In ContextWeb's case, the cookie was primarily limited to technical purposes such as fraud detection, debugging and advertisement frequency capping, and was not for behavioral tracking purposes,” stated a spokesperson.