We all know that nobody reads Terms of Service on anybody’s website, or User Agreements when downloading an app. We have just come to accept that there’s probably bad stuff in there that we won’t want but it’s the price we have to pay.

I say enough!

It’s time to become an opt-in world.

Want to track where I go on-line? Ask me first. And ask me nicely. Without my permission, you shouldn’t be able to invade my privacy.

Beware Zombie Cookies!

Have you heard about the “zombie cookie” case? There have been various cases filed over the years, including one by the government that resulted in a$1.35 million fine for failing to get consent before releasing the data. Verizon admits using the so-called “zombie cookies” — actually called UIDH headers — for two years prior to disclosing that fact.

Here’s the latest: William Cintron and Anthony Henson are suing an ad company called Turn as leads in a class action suit. The two claim they deleted the cookies on their phones so their online activity couldn’t be tracked. At least that’s what they thought. The lawsuit alleges Turn violated consumer protection laws against deceptive practices by using this UIDH header data to not only track their movements, but recreate what they purposely deleted.

Zombie cookies of a different kind

Verizon, their carrier, had been using UIDH headers in its mobile traffic,which they gave permission to Turn to use for ads.

These UIDH headers are what’s being called “supercookies” or “zombie cookies.” They are composed of character strings. It allows the companies to put together user profiles and — you guessed it — serve them targeted ads. But it gets worse. Not only does it create the profile but it can — wait for it — allow ad companies to recreate cookies that are deleted. And, in case you’re wondering, you can’t delete supercookies.

So… even if you opt-out, it won’t let you because you’re only opting out of non-UIDH targeted ads.

And if you thought you were clear by opting out of targeted ads by using the systems put in place by the Digital Advertising Alliance or Network Advertising Initiative, forget it. As soon as you clear the cookies, you also delete the opt-out cookies that the two collectives installed to block targeted ads.

In the case, the two say that Verizon’s subscriber agreement — wow, somebody actually read one — does not allow for zombie cookies for advertising purposes. And it certainly didn’t allow for the stuff they deleted to be re-created and used anyway.

“Verizon disclosing the use of UIDHs is hardly the same as Turn disclosing that it will repopulate deleted history and cookies on a user’s device.” —  Anthony Henson and William Cintron court papers via MediaPost

Turn says it no longer uses the headers for ad targeting. Verizon now has to obtain customers’ opt-in consent before sharing UIDH with third parties.

“Consumers care about privacy and should have a say in how their personal information is used, especially when it comes to who knows what they’re doing online.” —  FCC Enforcement Bureau Chief Travis LeBlanc when levying the fines against Verizon.

I agree. It’s time for an opt-in world. It’s only common courtesy.