• by Wendy Davis  @wendyndavis, March 16, 2016

In a victory for ad company Turn, a federal judge has sent a privacy lawsuit centered on Verizon's "supercookies" to arbitration.

U.S. District Court Judge Jeffrey White in the Northern District of California agreed with Turn that the consumers' allegations were closely connected to their subscriber agreements with Verizon -- which call for arbitration of all disputes.

The ruling grew out of a potential class-action complaint filed last April by New York state residents Anthony Henson and William Cintron, who alleged that Turn violated a consumer protection law prohibiting deceptive practices.

They alleged that Turn wrongly used a controversial technology that enabled it to track consumers for online ad purposes, even when they deleted their cookies. The allegations centered on Verizon's "supercookies" -- headers, called UIDHs, that Verizon previously injected into all unencrypted mobile traffic.

Those headers -- 50-character alphanumeric strings -- enabled ad companies to compile profiles of users and serve them targeted ads. The UIDHs also are known as “zombie” cookies, or "supercookies," because they allow ad companies to recreate cookies that users delete.

White said in his ruling that the questions raised by the lawsuit "concern substantially interdependent and concerted conduct" by Turn and Verizon.

"Here, Turn contends that it acted in partnership with Verizon to provide services that were disclosed to plaintiffs in their Verizon subscriber agreements," White wrote in a decision issued this week. "Therefore, Turn’s motion to compel arbitration under those same agreements is granted."

Verizon has used the headers since 2012 to track people's activity online and send them targeted ads, but didn't disclose their existence in its privacy policy until last year.

The company has always allowed people to opt out of receiving targeted ads powered by its own ad programs, but didn't initially allow them to avoid header insertions. Last year, Verizon changed its policies to allow people to opt out of the header injections. In October, Verizon again narrowed the program by deciding to only send the header to Verizon companies, including AOL.

Verizon initially said that outside ad networks weren't likely to draw on the headers in order to compile profiles of Web users. But in January of 2015, researcher Jonathan Mayer -- who is now with the FCC -- reported that the ad network Turn was using Verizon's headers to collect data and send targeted ads to mobile users who delete their cookies.

Turn initially acknowledged that it used the headers for ad targeting and defended the practice, stating that the company uses the “most stable identifier” possible.

Several days later, Turn said it had re-evaluated and would stop using Verizon's headers to target ads.

Turn consistently said it honors the industry's self-regulatory code and doesn't serve targeted ads to users if their cookies reveal that they opted out via links at sites operated by the self-regulatory groups Network Advertising Initiative or Digital Advertising Alliance. But when privacy-conscious users clear their cookies, they also delete the opt-out cookies installed by the DAA and NAI.

Turn also says it won't serve targeted ads to people who opt out via its own link, or Verizon's opt-out mechanism. (Verizon's mechanism can persist even when users delete their cookies, according to Turn.)

Last week, the Federal Communications Commission said it had fined Verizon $1.35 million to settle an investigation surrounding the supercookies. That investigation focused on whether Verizon violated the Communications Act's privacy provisions -- which require carriers to protect customers' "proprietary information" -- and whether the company violated a 2010 net neutrality rule requiring disclosure of broadband management practices.