In a defeat for ad company Turn, a
federal appellate panel on Tuesday revived a privacy lawsuit centering on allegations that the company used "zombie" cookies for tracking.
Several years ago, Turn allegedly tracked Verizon
wireless users via "headers" -- 50-character alphanumeric strings -- that Verizon injected into all unencrypted mobile traffic. Those headers enabled ad companies to compile profiles of users and
serve them targeted ads. The headers, also known as “zombie” cookies, or "supercookies," allow ad companies to recreate cookies that users delete.
Turn, which recently settled Federal Trade Commission charges related to the headers, also was sued
in federal court by Verizon customers Anthony Henson and William Cintron, who sought to bring a class-action.
The company argued that the matter should be sent to arbitration on the grounds
that the consumers' allegations were closely connected to their agreements with Verizon. Those subscriber agreements call for arbitration of all disputes.
U.S. District Court Judge Jeffrey
White in the Northern District of California agreed with Turn. He sent the case to arbitration last year, ruling that questions raised by the matter "concern substantially interdependent and concerted
conduct" between Turn and Verizon.
A three-judge panel of the 9th Circuit Court of Appeals reversed that decision, ruling that Turn wasn't entitled to benefit from Verizon's arbitration
agreement with customers.
"Henson does not allege Verizon colluded with Turn. On the contrary, Henson alleges that 'Turn conducted its practices in secret' and acted without Verizon’s
knowledge, consent, or approval," the judges wrote. "We also reject Turn’s argument that Henson’s claims are based on Turn and Verizon’s interdependent and concerted conduct because
Turn engaged in the challenged conduct in partnership with Verizon."
Verizon used the headers for ad targeting between 2012 and 2015. The wireless carrier originally didn't let its subscribers
opt out of the header insertions, but faced with pressure from lawmakers, Verizon revised its policies in 2015 to allow opt-outs. The company later narrowed the program by saying it would only send
the header to Verizon companies, including AOL.
When the program first came to light, Verizon said that outside ad networks weren't likely to draw on the headers in order to compile profiles
of Web users. But in January of 2015, researcher Jonathan Mayer reported
that Turn was using Verizon's headers to collect data and send targeted ads to mobile users who delete their cookies.
Turn initially acknowledged that it used the headers for ad targeting and
defended the practice, stating that the company uses the “most stable identifier” possible. Several days later, Turn said it had re-evaluated and would stop using Verizon's headers to
target ads.
Last year, the Federal Communications Commission fined Verizon $1.35 million for using the headers to track mobile customers' Web activity for ad-targeting purposes. The FCC's
investigation focused on whether Verizon violated the Communications Act's privacy provisions -- which require carriers to protect customers' "proprietary information" -- and whether the company
violated a 2010 net neutrality rule requiring disclosure of broadband management practices. The FCC also extracted a promise from Verizon to obtain subscribers' opt-in consent before sharing tracking
headers with a third party for targeted ad purposes.