Turning The Page? Turn Settles With FTC On Use Of Verizon Zombie Cookies

Turn is settling with the Federal Trade Commission for its part in the Verizon zombie cookie debacle.

It’s been nearly two years since it was first revealed that the demand-side platform was using Verizon’s unique identifier header (UIDH) for tracking purposes even if a user had opted out of being tracked.

On Tuesday, the FTC issued its decision, which bars Turn from “misrepresenting the extent of its online tracking or the ability of users to limit or control the company’s use of their data.”

“Turn tracked millions of consumers online and through mobile apps, even if they had taken steps to block or limit tracking,” stated Jessica Rich, director of the FTC’s Bureau of Consumer Protection. “The FTC’s order will ensure the company honors consumers’ privacy choices.”

The FTC settlement, in which Turn did not admit to any guilt or wrongdoing, calls for the company to provide an effective opt-out for consumers who don’t want their data used for targeted advertising purposes.

Turn is also required to place a prominent hyperlink on its home page that takes consumers to a disclosure with an explanation of what information the company collects and how it’s used for targeted advertising.

Back in January 2015, Federal Communications Commission CTO Jonathan Mayer, who was a researcher at Stanford University at the time, noticed that Verizon’s UIDH could be used to enable advertisers and other third parties to track users on their mobile devices by injecting code into web traffic. The cookie appeared to persist despite a user opting out, hence the name “zombie cookie.”

At the time, Turn’s then-chief privacy officer and general counsel, Max Ochoa (who left the company in January 2016 for a general counsel post at Westfield Retail Solutions), told AdExchanger that the issue was a simple coding error.

“The way our system was codified, it looked like Turn wasn’t remembering the opt-out, so to Mr. Mayer, it looked like we were doing two things wrong: that we weren’t respecting his cleared cookie and that we weren’t preserving his choice not to receive tailored advertising,” Ochoa said. “In fact, we were preserving that choice, but on our server. We were not delivering ads against those cookies, but [outside sources] couldn’t confirm it.”

Regardless, the FTC decided to pursue the matter. In its administrative complaint, the commission alleged that Turn’s privacy policy guaranteed a consumer’s ability to block targeted ads by using their browser settings to block or limit cookies, but that the company actually used the Verizon UIDH to track users after they’d exercised that choice.

Turn declined to comment on the settlement, pointing instead to a blog post in which its current chief privacy officer and general counsel, John Wolf Konstant, noted that the company had terminated its partnership with Verizon in early 2015, at which time it ceased using Verizon’s header identifier.

“After a nearly 2-year process and extended negotiations, we look forward to avoiding further distraction and expense so that we can continue to serve our customers,” Konstant wrote.

After the initial fallout and a deluge of negative media coverage back in January 2015, Verizon gave users the ability to opt out of its persistent tracking mechanism, which was not previously possible.

In March of this year, the FCC settled with Verizon over its use of supercookies. Verizon agreed to pay regulators a $1.4 million fine.

None of these actions, however, address the complexity of opting out. No matter how clear or transparent a single ad tech company’s privacy policy is, with no such thing as a universal opt-out, it’s still up to consumers to maintain their preferences and manage their privacy across an undeniably convoluted permissions landscape.

It’s hard to imagine the average consumer taking the time to wade through the consumer opt-out and choices page on the Network Advertising Initiative’s site.

As Mayer put it to AdExchanger in a previous interview: “Opt-out cookies remain a distraction – we know they’re difficult to use and a poor technical design. The best privacy option, for now, is to block advertisements, which is unfortunate.”

This post was syndicated from Ad Exchanger.