On March 7, 2016, the Enforcement Bureau of the Federal Communications Commission (FCC) entered into a Consent Decree with Verizon Wireless relating to the company’s use of Unique Identifier Headers (UIDH) for targeted advertising purposes. UIDH are commonly referred to as “supercookies” because they cannot be deleted. This concludes the FCC’s investigation into whether Verizon Wireless failed to adequately protect customer proprietary information and failed to disclose information regarding its use of UIDH, in violation of the FCC’s 2010 Open Internet Transparency Rule and Section 222 of the Communications Act. Under the terms of the Consent Decree, Verizon Wireless must (among other things) pay a $1.35 million fine, designate a Compliance Officer who is privacy certified, obtain opt-in consent before sharing a customer’s UIDH with a third party for targeted advertising and allow customers to opt-out, employ “reasonable and accepted security standards” when generating UIDH, disclose its use of UIDH in privacy policies and FAQs, and ensure that other Verizon entities who receive UIDH from the company likewise comply with the terms of the Consent Decree (and Verizon Wireless may only share UIDH with other Verizon entities with either opt-in or opt-out consent).
Verizon Wireless began using UIDH in 2012, and the company’s tracking practices were called into question by journalists and privacy advocates in 2014. The FCC launched its investigation in December 2014, and the U.S. Senate Committee on Commerce, Science, and Transportation issued a letter to Verizon Wireless in January 2015 expressing concern about the practices of one of the company’s advertising partners who used UIDH for unauthorized purposes by restoring cookies that users had deleted. Verizon Wireless updated its privacy policy last year to allow customers to opt-out of UIDH.
This is not the FCC’s first enforcement action relating to consumer privacy and data security, but it is a sign of the agency’s increasing interest in online privacy matters. Last year, the FCC’s Enforcement Bureau entered into a $25 million Consent Decree with AT&T after data breaches at call centers in Mexico, Columbia, and the Philippines resulted in the unauthorized disclosure of sensitive personal information and Customer Proprietary Network Information for approximately 280,000 U.S. customers. The landscape will continue to evolve as the FCC considers more privacy regulations for broadband providers.