Ad company Turn has agreed to settle allegations that it deceived consumers by tracking them for ad purposes after they attempted to avoid such tracking, the Federal Trade Commission said Tuesday.
The settlement, which bars Turn from misrepresenting its online data collection practices, centers on the company's use of a controversial "supercookie" technology. From 2013 through early 2015, the company allegedly tracked Verizon wireless users via headers -- called X-UIDHs -- that Verizon injected into all unencrypted mobile traffic.
Those headers -- 50-character alphanumeric strings -- enabled ad companies to compile profiles of users and serve them targeted ads. The X-UIDHs also are known as “zombie” cookies, or “supercookies,” because they allow ad companies to recreate cookies that users delete.
“Turn tracked millions of consumers online and through mobile apps even if they had taken steps to block or limit tracking,” Jessica Rich, head of the FTC's consumer protection bureau, stated. “The FTC’s order will ensure the company honors consumers’ privacy choices.”
Those statements amounted to a representation that consumers could avoid tracking by rejecting cookies, the FTC alleged.
Turn said Tuesday that it agreed to settle the case in order to avoid litigation. "Turn complies with applicable law and industry standards and regulations," the company stated. "This agreement will have no impact on the work we do for our clients or our ability to compete in the market."
The company didn't admit to wrongdoing as part of the settlement.
Verizon originally predicted that ad networks weren't likely to draw on the headers in order to compile profiles of Web users. But in January of 2015, researcher Jonathan Mayer reported that Turn drew on Verizon's headers to collect data and send targeted ads to mobile users who delete their cookies.
Turn initially acknowledged Mayer's report, and defended use of the tracking headers. “At Turn, we always use the most stable identifier available to inform our bidding and campaign execution,” Max Ochoa, Turn's former general counsel and chief privacy officer, said in a blog post. “In the case of Verizon devices, we use the non-cookie UIDH identifier.”
He added that clearing cookies “is not a widely recognized method of reliably expressing an opt-out preference.”
Several days later, the company changed its position and stopped using the tracking headers.
But, according to the FTC, the opt-out cookie only applied to mobile browsers, and didn't block targeted ads on mobile apps.
Earlier this year, the Federal Communications Commission fined Verizon $1.35 million to settle an investigation surrounding the headers. That investigation focused on whether Verizon violated the Communications Act's privacy provisions -- which require carriers to protect customers' "proprietary information" -- and whether the company violated a 2010 net neutrality rule requiring disclosure of broadband management practices.