California-based digital-advertising company Turn has agreed to settle Federal Trade Commission charges that it deceived customers when it used persistent identifiers to track them online and on their mobile apps, even when those customers opted out, according to an FTC press release. 

In the FTC's complaint, the regulatory agency alleges Turn told Verizon Wireless customers they could block targeted advertising via their web browsers by blocking or limiting cookies, but then used unique, un-deletable identifiers — called UIDH — to track and identify users even after they'd indicated their choice not to be tracked. In addition, the FTC alleged, even though Turn said the opt-out applied more broadly when triggered, it actually only applied to mobile browsers and not to tailored ads on mobile apps. 

In a 2015 ProPublica article, which called UIDH "the tracking cookie that you can't kill," then-Turn CPO Max Ochoa said the company was "trying to use the most persistent identifier that we can in order to do what we do."

But it's since changed its stance.

The use of UIDH has been under fire for a while now. The Federal Communications Commission started investigating in December 2014 and then came down hard on the Verizon program earlier this year — settling with the company for $1.3M after bringing an enforcement action under Section 222 of the Communications Act and the FCC's 2010 Open Internet Order. The FCC settlement required Verizon to notify consumers about its use of UIDH and get opt-in or opt-out consent before sharing the unique identifiers with third parties, as well as opt-in or opt-out for any sharing within Verizon internally.

FTC staff attorney Jamie Hine said while there's been much focus during the Turn investigation and subsequent settlement on the Verizon program itself, that's misdirected. Even before the settlement, agreed FTC Policy Director Justin Brookman, Verizon had dramatically revised its program so it couldn't be used in ways that might be seen as deceptive to consumers.

"There was no ill intent, and frankly, the way they architected it, there shouldn't have been any issue, at least from a Section 5 [of the FTC Act] point of view," Hine said. "There are advertisers buying data from third parties all the time, and this was a similar program. There was arguably a legitimate use of the UIDH."

Turn went wrong, Hine said, because, while participating in Verizon's program, the company ostensibly realized at some point that the UIDH header was more powerful than regular cookies, which can accidentally get deleted, etc. And it used UIDH knowing it was more persistent, but without explaining that to its consumers. 

"The persistence of the UIDH is what Turn used in a way, we argued, that was deceptive to consumer." —Jamie Hine, FTC

"The persistence of the UIDH is what Turn used in a way, we argued, that was deceptive to consumers," he said. 

"What we thought in this case is Turn did cross the line," said Brookman. "In this case, they were using what is a fairly novel way to keep data on people in a way that did directly contradict what they were saying [in their privacy policy]." 

The proposed consent order says Turn can't misrepresent the way its tracks users, has to "provide an effective opt-out" for consumers who don't want to receive targeted advertising based on the data collected on them, and has to "place a prominent hyperlink on its home page" that takes consumers right to an explanation of what Turn's collecting on them and what of that is used for targeted ads. 

Current Turn CPO John Wolf Konstant, CIPP/US, noted in a blog post about the settlement that there's been no admission of guilt or wrongdoing and said the company takes its "obligations regarding consumer privacy very seriously. ... The settlement validates the steps we took early in 2015, when Turn terminated the partnership and ceased using the Verizon Wireless identifier."

Konstant also noted Turn's longstanding relationships with self-regulatory groups and membership in the Network Advertising Initiative. Leigh Freund, president and CEO at NAI, said the lesson here regards accurate disclosures. That gets tougher as new technologies get deployed, sure. But the FTC has said repeatedly, and all along, "what you said, you must do. The opt-outs have to be effective and honored across the platforms that you've disclosed." 

Turn won't face trouble from the self-regulatory group, however, Freund said, because the NAI's mobile code wasn't in effect at the time Turn's practices were discovered. 

"If Turn had done that, and whomever had written the opt-out language had taken the time to make sure with the engineers that the language would be correct and accurate, Turn wouldn't have found itself in the position that it did." —Susan Lyon-Hintze, Hintze Law

For its part, NAI is in the process of developing a new opt-out tool that should help companies disclose to consumers when they're using non-cookie-based tracking technologies as well as honor consumer choices about those technologies across devices. 

For companies aiming to stay out of the kind of trouble Turn found itself in, Brookman's solution is pretty straight-forward: Be transparent. 

"If you're doing something like this that might be contrary to expectations, there's more of an obligation to tell people about it," he said. Help consumers make good decisions by telling them what you're doing. 

Susan Lyon-Hintze, CIPP/US, of Hintze Law said the case highlights the importance of having a good privacy lawyer or a privacy pro who sits down and takes the time to understand both the privacy controls in place and the representations of those controls.

"You don't have to be an engineer to understand the technology," Hintze said, "you just need to sit down with the engineer and ask lots of questions. I think if Turn had done that, and whomever had written the opt-out language had taken the time to make sure with the engineers that the language would be correct and accurate, Turn wouldn't have found itself in the position that it did."  

Photo credit: eli.pousson via photopin cc