FTC Finalizes Privacy Settlement With Turn

The Federal Trade Commission has finalized a settlement with ad company Turn over allegations that it deceived consumers by tracking them for ad purposes after they took steps to avoid data collection.

The settlement prohibits Turn from misrepresenting its online data-gathering practices, and requires the company to offer an effective opt-out mechanism. Turn also agreed to put a link on its home page to information about data collection and targeted advertising.

The company didn't admit to wrongdoing as part of the deal.

The agency said today that it received letters from two commenters, both of whom appeared to have said that Turn should have been subjected to additional sanctions. The FTC told both people that it lacks authority to obtain civil penalties the first time that companies allegedly engage in deceptive or unfair practices.

"We believe the prohibition against misrepresentations about the privacy of covered information, the required disclosure and Opt-Out mechanism, and the requirement that Turn honor mobile operating system controls, will deter future violations," the FTC said in a written response to one of the commenters. "While the Commission does not have authority to obtain civil penalties for an initial violation under Section 5 of the FTC Act, once the order becomes final Turn will risk civil penalties of up to $40,654 per violation per day."

The deal stems from Turn's prior use of a controversial "supercookie" technology. From 2013 through early 2015, the company allegedly tracked Verizon wireless users via headers -- 50-character alphanumeric strings, called X-UIDHs -- that Verizon injected into all unencrypted mobile traffic.

Those headers enabled ad companies to compile profiles of users and serve them targeted ads. The X-UIDHs also are known as "zombie" cookies, or "supercookies," because they allow ad companies to recreate cookies that users delete.

The FTC alleged in its complaint that Turn misled consumers by implying in its privacy policy that users could control online tracking by refusing to accept cookies. Until April of 2015, Turn's privacy policy didn't mention its use of tracking headers, according to the FTC. Instead, the company said it used cookies for tracking, and that people could control whether their browsers accepted cookies.

The FTC also alleged that Turn incorrectly stated in its privacy policy that users could opt out of receiving tailored ads by clicking on an opt-out link. Turn said that clicking on that link would result in users receiving an opt-out cookie that "tells our servers not to deliver tailored, anonymous ads to you that deliver high value to the sites and apps you love."

But according to the FTC, the opt-out cookie only applied to mobile browsers, and didn't block targeted ads on mobile apps.

Verizon has used the X-UIDHs for ad targeting since 2012, but didn't disclose their existence in its privacy policy until late 2014. Initially, Verizon didn't let its subscribers opt out of the header insertions. But in 2015, faced with pressure from lawmakers, Verizon revised its policies to allow opt-outs. The company later narrowed the program by saying it would only send the header to Verizon companies, including AOL.

In January of 2015, researcher Jonathan Mayer reported that Turn drew on Verizon's headers to collect data and send targeted ads to mobile users who delete their cookies.

Turn initially acknowledged Mayer's report, and defended use of the tracking headers. “At Turn, we always use the most stable identifier available to inform our bidding and campaign execution,” Max Ochoa, Turn's former general counsel and chief privacy officer, said in a blog post. “In the case of Verizon devices, we use the non-cookie UIDH identifier.”

He added that clearing cookies "is not a widely recognized method of reliably expressing an opt-out preference."

Several days later, the company changed its position and stopped using the tracking headers.

Last year, the Federal Communications Commission fined Verizon $1.35 million to settle an investigation surrounding the headers. That investigation focused on whether Verizon violated the Communications Act's privacy provisions -- which require carriers to protect customers' "proprietary information" -- and whether the company violated a 2010 net neutrality rule requiring disclosure of broadband management practices.
