On Monday, the Federal Communications Commission announced that it would be issuing a $1.35 million fine to Verizon Wireless, after it found the company responsible for collecting information about its customers without their knowledge or consent. Verizon Wireless’ new agreement with the FCC will protect consumer privacy and choice, ensuring that Verizon Wireless customers have the opportunity to consent to having their data shared with third parties.
Verizon Wireless had been using “supercookies” to track customer data, and it neglected or chose not to disclose this usage to the FCC. According to Ars Technica, this violated a net neutrality rule requiring such disclosure. Additionally, Verizon Wireless’ actions violated customer data privacy requirements laid out in Section 222 of the Communications Act.
So, what is this “supercookie” Verizon Wireless was using, exactly? And why should we care?
“Supercookies,” known officially as unique identifier headers [UIDH], are short-term serial numbers used by corporations to track customer data for advertising purposes. According to Jacob Hoffman-Andrews, a technologist with the Electronic Frontier Foundation, these cookies can be read by any web server one visits used to build individual profiles of internet habits. These cookies are hard to detect, and even harder to get rid of.
These cookies go by many names, and none are particularly flattering. Hoffman-Andrews called it the “perma-cookie,” due to the level of difficulty required to remove it. According to ProPublica, an online advertising clearinghouse called Turn called them “zombie cookies,” because they “re-spawned” if a customer deleted the cookie. After ProPublica profiled the difficulty of opting out or removing the “zombie cookie” earlier last year, the clearinghouse announced it would stop using it to track data.
Verizon Wireless began using “supercookies” to track its customers’ data in December 2012. Understandably, customers who didn’t want their information logged by corporate computers sought to opt out of the tracking. However, Verizon Wireless customers had to wait until March 2015 for the ability to opt out, and this was only after several U.S. senators raised concerns.
Verizon Wireless has agreed to a three year plan with the FCC that will address concerns about data tracking. Under the agreement, Verizon Wireless will now be required to notify consumers about its advertising programs, and it will need to obtain customers’ opt-in consent before sharing data from the “supercookies” with third parties. Additionally, it will need to obtain customers’ opt-in or opt-out consent before sharing UIDH internally with its corporate affiliates.
Companies have been expanding their usage of these types of tracking cookies due to an increasing demand for personalized advertising data. Advertising data is becoming increasingly important to companies like Verizon, and this is underscored by the recent expansion of telecommunications companies into the realm of content. When Verizon announced its $4.4 billion plan to purchase AOL, Inc. last year, it not only stood to gain more customers. It was targeting, among other things, access to AOL’s large marketing and advertising base, which is substantially driven by the content AOL generates.
Verizon Wireless is not the first company to find itself in hot water over privacy issues. Last year, the FCC proposed fining AT&T $100 million for throttling customers with unlimited data plans without their knowledge. AT&T is contesting this fine.
The FCC is planning to address consumer and corporate concerns about privacy when it unveils new proposals for broadband protections in the coming weeks.
Bryan Dewan is an intern at ThinkProgress.