The Federal Trade Commission has finalized a settlement with ad company Turn over allegations that it deceived consumers by tracking them for ad purposes after they took steps to avoid data collection.
The settlement prohibits Turn from misrepresenting its online data-gathering practices, and requires the company to offer an effective opt-out mechanism. Turn also agreed to put a link on its home page to information about data collection and targeted advertising.
The company didn't admit to wrongdoing as part of the deal.
The agency said today that it received letters from two commenters, both of whom appeared to have said that Turn should have been subjected to additional sanctions. The FTC told both people that it lacks authority to obtain civil penalties the first time that companies allegedly engage in deceptive or unfair practices.
"We believe the prohibition against misrepresentations about the privacy of covered information, the required disclosure and Opt-Out mechanism, and the requirement that Turn honor mobile operating system controls, will deter future violations," the FTC said in a written response to one of the commenters. "While the Commission does not have authority to obtain civil penalties for an initial violation under Section 5 of the FTC Act, once the order becomes final Turn will risk civil penalties of up to $40,654 per violation per day."
The deal stems from Turn's prior use of a controversial "supercookie" technology. From 2013 through early 2015, the company allegedly tracked Verizon wireless users via headers -- 50-character alphanumeric strings, called X-UIDHs -- that Verizon injected into all unencrypted mobile traffic.
Those headers enabled ad companies to compile profiles of users and serve them targeted ads. The X-UIDHs also are known as “zombie” cookies, or "supercookies," because they allow ad companies to recreate cookies that users delete.
But according to the FTC, the opt-out cookie only applied to mobile browsers, and didn't block targeted ads on mobile apps.
In January of 2015, researcher Jonathan Mayer reported that Turn drew on Verizon's headers to collect data and send targeted ads to mobile users who delete their cookies.
Turn initially acknowledged Mayer's report, and defended use of the tracking headers. “At Turn, we always use the most stable identifier available to inform our bidding and campaign execution,” Max Ochoa, Turn's former general counsel and chief privacy officer, said in a blog post. “In the case of Verizon devices, we use the non-cookie UIDH identifier.”
He added that clearing cookies “is not a widely recognized method of reliably expressing an opt-out preference."
Several days later, the company changed its position and stopped using the tracking headers.
Last year, the Federal Communications Commission fined Verizon $1.35 million to settle an investigation surrounding the headers. That investigation focused on whether Verizon violated the Communications Act's privacy provisions -- which require carriers to protect customers' "proprietary information" -- and whether the company violated a 2010 net neutrality rule requiring disclosure of broadband management practices.