• by Wendy Davis  @wendyndavis, September 5, 2017

In a defeat for ad company Turn, a federal appellate panel on Tuesday revived a privacy lawsuit centering on allegations that the company used "zombie" cookies for tracking.

Several years ago, Turn allegedly tracked Verizon wireless users via "headers" -- 50-character alphanumeric strings -- that Verizon injected into all unencrypted mobile traffic. Those headers enabled ad companies to compile profiles of users and serve them targeted ads. The headers, also known as “zombie” cookies, or "supercookies," allow ad companies to recreate cookies that users delete.

Turn, which recently settled Federal Trade Commission charges related to the headers, also was sued in federal court by Verizon customers Anthony Henson and William Cintron, who sought to bring a class-action.

The company argued that the matter should be sent to arbitration on the grounds that the consumers' allegations were closely connected to their agreements with Verizon. Those subscriber agreements call for arbitration of all disputes.

U.S. District Court Judge Jeffrey White in the Northern District of California agreed with Turn. He sent the case to arbitration last year, ruling that questions raised by the matter "concern substantially interdependent and concerted conduct" between Turn and Verizon.

A three-judge panel of the 9th Circuit Court of Appeals reversed that decision, ruling that Turn wasn't entitled to benefit from Verizon's arbitration agreement with customers.

"Henson does not allege Verizon colluded with Turn. On the contrary, Henson alleges that 'Turn conducted its practices in secret' and acted without Verizon’s knowledge, consent, or approval," the judges wrote. "We also reject Turn’s argument that Henson’s claims are based on Turn and Verizon’s interdependent and concerted conduct because Turn engaged in the challenged conduct in partnership with Verizon."

Verizon used the headers for ad targeting between 2012 and 2015. The wireless carrier originally didn't let its subscribers opt out of the header insertions, but faced with pressure from lawmakers, Verizon revised its policies in 2015 to allow opt-outs. The company later narrowed the program by saying it would only send the header to Verizon companies, including AOL.

When the program first came to light, Verizon said that outside ad networks weren't likely to draw on the headers in order to compile profiles of Web users. But in January of 2015, researcher Jonathan Mayer reported that Turn was using Verizon's headers to collect data and send targeted ads to mobile users who delete their cookies.

Turn initially acknowledged that it used the headers for ad targeting and defended the practice, stating that the company uses the “most stable identifier” possible. Several days later, Turn said it had re-evaluated and would stop using Verizon's headers to target ads.

Last year, the Federal Communications Commission fined Verizon $1.35 million for using the headers to track mobile customers' Web activity for ad-targeting purposes. The FCC's investigation focused on whether Verizon violated the Communications Act's privacy provisions -- which require carriers to protect customers' "proprietary information" -- and whether the company violated a 2010 net neutrality rule requiring disclosure of broadband management practices. The FCC also extracted a promise from Verizon to obtain subscribers' opt-in consent before sharing tracking headers with a third party for targeted ad purposes.