FTC cracks down on Zombie Cookies that track your online behavior even after you opt-out

The Federal Trade Commission has finalized a settlement with Turn over its use of Supercookies (also called Zombie Cookies). The FTC has accused Turn of deception by tracking consumers for ads even after people tried to opt out.  While not admitting any wrongdoing, the settlement will prohibit Turn from misrepresenting what it does in gathering data and provide a stronger, easier opt-out.

They also are required to provide stronger disclaimers and explanations of their practices.

The FTC believes the action it has taken will prevent further problems.  While the FTC said it doesn’t have the authority to assess fines for a first-time violation, it can now keep an eye on Turn.  Further violations can lead to substantial penalties – more than $40k per day for each violation.  Given the number of consumers Turn touches, such penalties could add up to million (if not billions).  I’d say that’s a pretty good incentive not to cross the line again.

“The Commission does not have authority to obtain civil penalties for an initial violation under Section 5 of the FTC Act. However, once the order becomes final, Turn will risk civil penalties of up to $40,654 per violation per day (as provided by Section 5(l) of the FTC Act, 45 U.S.C. § 45(l), as adjusted by 16 C.F.R. § 1.98(c)). The prospect of paying civil penalties will provide Turn with an incentive to comply with the order. Accordingly, we believe the order provisions, along with the risk of substantial civil penalties for violating the order, appropriately address the conduct at issue. We also believe that the Commission bringing this action against Turn will deter other companies from engaging in similar conduct.” – FTC

Turn had been charged with using the so-called supercookies (also called Zombie cookies) found in header data from Verizon.  The headers are 50-character alphanumeric strings.  The data lets ad companies develop a profile of users to serve ads.  They’re called zombies because even if users delete cookies, they can rebuild them.

RELATED:  When did we become an opt-out world?  I think it’s time for an opt-in requirement

Consumers that wanted to opt out of target ads were told that they could do so.  That prevented ad cookies from tracking their online movements, but didn’t opt them out of the use of the header data and didn’t block targeted ads on mobile.

Verizon had used header data to collect data and send targeted ads since 2012, but didn’t let consumers know about the practice until 2014.  In 2015, it changed policies saying publicly that it would not provide header data to third-parties.  In 2016, The FTC fined Verizon $1.35 million as part of a settlement negotiation during an investigation into whether Verizon had violated privacy provisions of the Communication Act.