On March 7, 2016, the Enforcement Bureau of the Federal Communications Commission (FCC) entered into a Consent Decree with Verizon Wireless relating to the company’s use of Unique Identifier Headers (UIDH) for targeted advertising purposes. UIDH are commonly referred to as “supercookies” because they cannot be deleted. This concludes the FCC’s investigation into whether Verizon Wireless failed to adequately protect customer proprietary information and failed to disclose information regarding its use of UIDH, in violation of the FCC’s 2010 Open Internet Transparency Rule and Section 222 of the Communications Act. Under the terms of the Consent Decree, Verizon Wireless must (among other things) pay a $1.35 million fine, designate a Compliance Officer who is privacy certified, obtain opt-in consent before sharing a customer’s UIDH with a third party for targeted advertising and allow customers to opt-out, employ “reasonable and accepted security standards” when generating UIDH, disclose its use of UIDH in privacy policies and FAQs, and ensure that other Verizon entities who receive UIDH from the company likewise comply with the terms of the Consent Decree (and Verizon Wireless may only share UIDH with other Verizon entities with either opt-in or opt-out consent).
This is not the FCC’s first enforcement action relating to consumer privacy and data security, but it is a sign of the agency’s increasing interest in online privacy matters. Last year, the FCC’s Enforcement Bureau entered into a $25 million Consent Decree with AT&T after data breaches at call centers in Mexico, Columbia, and the Philippines resulted in the unauthorized disclosure of sensitive personal information and Customer Proprietary Network Information for approximately 280,000 U.S. customers. The landscape will continue to evolve as the FCC considers more privacy regulations for broadband providers.