• by Wendy Davis  @wendyndavis, March 7, 2016

Verizon has agreed to settle a Federal Communications Commission probe by paying a $1.35 million fine for using "supercookies" to track mobile customers' Web activity for ad-targeting purposes.

The FCC investigation dates to December of 2014, shortly after it came to light that Verizon was inserting unique tracking headers -- 50-character alphanumeric strings -- into all unencrypted traffic on the mobile network. Ad networks were able to use those headers to send targeted ads to mobile users, even when they tried to avoid tracking by deleting their cookies.

Verizon also promised to obtain subscribers' opt-in consent before sharing tracking headers with a third party for targeted ad purposes. The company will allow consumers to opt out of having headers inserted into mobile traffic, and to opt out of having the headers used for ad purposes by companies affiliated with Verizon.

Sen. Bill Nelson (D-Florida), the ranking Democrat on the Senate Commerce Committee cheered news of the fine. “This is a win for consumers that will hopefully make companies think twice before engaging in practices that violate consumer privacy,” he said in a statement issued Monday.

The FCC's investigation focused on whether Verizon violated the Communications Act's privacy provisions -- which require carriers to protect customers' "proprietary information" -- and whether the company violated a 2010 net neutrality rule requiring disclosure of broadband management practices.

News of the fine comes as the FCC is preparing to draft comprehensive new broadband privacy regulations.  

Verizon began using the headers in late 2012, but didn't disclose the practice until October of 2014, according to the FCC. Also, the company didn't include information about the headers in its privacy policy until March of 2015.

When the company first rolled out the system, users couldn't opt out of the header insertions. But in January of 2015, faced with pressure by lawmakers, the company decided to allow customers to avoid having the headers injected into traffic. Last October, Verizon again narrowed the program by deciding to only send the header to Verizon companies, including AOL.

Verizon also initially insisted that outside ad networks weren't likely to draw on the headers in order to compile profiles of Web users. But in January of 2015, researcher Jonathan Mayer -- who is now with the FCC -- reported that the ad network Turn was using Verizon's headers to collect data and send targeted ads to mobile users who delete their cookies (the small text files that store the kind of information used for ad targeting).

Turn currently is facing separate litigation in California over its use of the supercookies. Initially, Turn acknowledged using the UIDHs for ad targeting and defended the practice, stating that the company uses the “most stable identifier” possible. Several days later, Turn's chief privacy officer Max Ochoa said the company had re-evaluated and would stop using Verizon's headers to target ads.

The FCC doesn't mention Turn by name in the settlement agreement, but the document states that "at least one" of Verizon's ad partners used the headers "for unauthorized purposes to circumvent consumers’ privacy choices by restoring deleted cookies."