Verizon Settlement May Signal FCC Broadband Privacy Stance

The Telecommunications Law Resource Center is the most comprehensive reference and news platform for communications law, covering broadcasting, cable, broadband, telephony and wireless;...

By Lydia Beyoud

March 7 — A $1.35 million settlement between Verizon Wireless and the Federal Communications Commission to resolve the agency's investigation into the company's use of unique identifier headers, known as “supercookies,” could signal an agency preference for giving consumers more control over how their online data is shared by broadband providers.

Verizon failed to notify consumers of its use of supercookies to track customers and build unique consumer profiles that it shared with third parties, the FCC said in a March 7 consent decree. Sometimes dubbed “zombie” cookies by privacy advocates because of the difficulty to detect and delete them, the action signals that the use of supercookies is under heightened scrutiny by the agency, which is preparing to issue new broadband privacy rules.

Verizon did not initially notify or allow customers to opt out of its practice of inserting the headers into customers' Internet traffic, the FCC said.

The announcement comes just weeks before the FCC is expected to unveil controversial new proposed rules on consumer privacy for broadband ISPs at its March 31 meeting .

As part of the consent decree, Verizon agreed to the higher hurdle of getting customer consent, known as “opt-in,” before sharing consumer data with third parties. The industry standard of “opt-out,” where companies share data unless customers expressly say they don't want it to be shared, will remain in place for sharing information internally and with companies in which Verizon has a controlling interest.

That last category includes AOL Inc . The June 2015 acquisition of the media company allowed Verizon to leverage AOL's mobile ad technology to send targeted ads to mobile devices, including the use of supercookies, though their use dates back to 2012, according to the consent decree.

Verizon updated its consumer privacy policy to include the practice of inserting unique “ID tags” into consumers' mobile Internet traffic and provided opt-out procedures in March 2015, after the agency investigation began December 2014 following a public outcry over privacy concerns, the FCC said.

“Verizon gives customers choices about how we use their data, and we work hard to provide customers with clear, complete information to help them make decisions about our services,” a Verizon spokeswoman told Bloomberg BNA via e-mail.

“Over the past year, we have made several changes to our advertising programs that have provided consumers with even more options. Today’s settlement with the FCC recognizes that. We will continue to give customers the information they need to decide what programs and services are right for them,” the spokeswoman said.

The FCC Enforcement Bureau's investigation found that at least one of Verizon's third-party partners used the headers for unauthorized purposes to circumvent consumers' privacy choices by restoring deleted cookies, the agency said.

Privacy Rules Context

The consent decree provides some insights into how the FCC is inclined to balance what does—and doesn't—trigger opt-in obligations for ISPs, Robert Cattanach, a partner at Dorsey & Whitney LLP in Washington said in an e-mailed statement.

The settlement provides further guidance into the kind of activities the FCC thinks merit enforcement, Cattanach said. “Supercookies are obviously a sensitive and developing area,” and represent another foray by the FCC into the privacy space, he added.

Such policy developments come at a sensitive time as the industry awaits proposed rules that could lay out baseline practices for how consumer data is used by broadband providers under Section 222 of the Communications Act of 1934.

Section 222 of the Act imposes a duty on carriers to protect their customers’ proprietary information and use such information only for authorized purposes. Though the FCC said in its 2015 Open Internet order that the privacy rules under that section would apply to reclassified broadband ISPs, it held off on detailing exactly how until it could determine how to adapt the telephone-centric provision to the Internet age.

More opt-in provisions for broadband Internet access service customers are likely to be among the provisions in those proposed rules, Harold Feld, senior vice president for consumer interest group Public Knowledge, told Bloomberg BNA.

“I certainly think that is a question that will be raised” in the rulemaking procedure, Feld said. “Looking at this we can see that the FCC is clearly looking at ‘are there going to be situations where opt-in, rather than opt-out, is appropriate',” he said.

The agency indicated in its enforcement action that when it comes to sharing consumer information with third parties, which can increase the likelihood that things will be used in ways that weren't declared under the privacy policy, the FCC is looking at opt-in as being more suitable than opt-out, Feld said.

The settlement tips the agency's hand on its broadband policy stance, George Foote, also a partner at Dorsey & Whitney in Washington, told Bloomberg BNA via e-mail. “The FCC claims it already has statutory authority to block use of consumer data like Verizon used, but it wants to fold the application of that authority into its ongoing regulation of broadband privacy,” he said.

The FCC brought its action not only under Section 222 but also under the transparency rules of the 2010 Open Internet order, the only part of earlier net neutrality rules not to be struck down by a federal court in 2014. Since then, the agency has relied on the 2010 transparency provision to levy a record $100 million proposed fine against AT&T Inc. for allegedly misleading customers about data caps on unlimited mobile data plans.

Public Knowledge and other consumer groups continue to lobby the FCC to implement tight controls on how ISPs can monetize the consumer data they collect, most recently in a March 7 letter. Broadband providers have countered that rules similar to the light-touch regulatory regime traditionally used by the Federal Trade Commission would be a better mechanism for protecting consumers and enabling innovation online.

An agency spokesman declined to comment on what impact the settlement might have on the forthcoming proposed privacy rules, but did say FCC Chairman Tom Wheeler “has indicated that he is moving forward with an industry-wide proposal to ensure consumers have greater choice, transparency, and security very shortly.”

To contact the reporter on this story: Lydia Beyoud in Washington at lbeyoud@bna.com

To contact the editor responsible for this story: Keith Perine in Washington at kperine@bna.com

For More Information

Text of the FCC settlement order is at https://apps.fcc.gov/edocs_public/attachmatch/DA-16-242A1.pdf.

Text of the consumer interest groups' letter is at http://src.bna.com/c7b.