On December 20, the FTC announced a settlement with digital marketing platform Turn Inc. over claims that the company deceptively tracked users across the Internet for advertising purposes. The announcement highlights the importance of maintaining an accurate privacy policy in a complex digital world and the need for advertisers, agencies, publishers and platforms to understand the legal and business risks posed by the use of cookies, tags, device identifiers and other digital marketing technology.
FTC v. Turn: Keep Your Privacy Promises about Tracking, Retargeting and Opting Out
According to the FTC, Turn participated in a Verizon Wireless (“VZW”) program that allowed Turn and its clients to access demographic information about VZW’s users. As part of that program, VZW uniquely identified each of its users by appending an “X-UIDH header” to every unencrypted web request of its 100+ million users. Turn then synced that header with other identifiers (e.g., cookies and device identifiers), enabling Turn to track and target users for digital advertising even after the consumer had deleted cookies or reset his or her mobile device advertising identifier.
The FTC alleged that Turn’s privacy policy misled consumers in two ways. First, while the policy suggested that consumers could stop Turn from tracking them by limiting or blocking cookies, in fact this did not work because Turn continued to use the X-UIDH headers to track millions of VZW users. Second, while the policy suggested that consumers could use Turn’s opt-out page to disable tailored advertising on mobile applications, in fact the opt-out page worked only for mobile browsers and not applications.
The proposed consent order: (1) prohibits Turn from misrepresenting the extent of its online tracking or the ability of its users to limit or control Turn’s use of their data; (2) requires Turn to provide an effective opt-out mechanism for consumers who do not want to receive targeted advertising; and (3) requires Turn to place a link on its home page that takes users to a disclosure explaining what information Turn collects and uses for targeted advertising.
The Key Takeaways
- Mind Your Tags and Cookies. The FTC and other regulators are paying close attention to the digital advertising space, and are particularly concerned about the use of cookies, device identifiers and other technology to engage in targeted advertising. In addition to this recent action against Turn, both the FTC, in a case involving two mobile app developers, and the New York Attorney General, in an investigation of child-directed websites, recently announced settlements over online tracking practices that were alleged to have violated the Children’s Online Privacy Protection Act. While efforts to pass “Do Not Track” legislation may have stalled indefinitely, the FTC, state regulators and consumer watchdogs are using other tools in their arsenal, including Section 5 of the FTC Act and COPPA, to police what they perceive to be deceptive behavior involving online tracking.
- They Are Watching You Watch Others. The FTC and other regulators are becoming increasingly sophisticated at understanding the complex technology underlying the digital advertising ecosystem. This case demonstrates the “tech prowess” of the FTC, which successfully unraveled Turn’s creation of a “supercookie” through the use of VZW’s X-UIDH header. Not bad, FTC.
- Keep Your Privacy Promises. Perhaps the most important takeaway is that companies must be very careful about what they promise consumers in their privacy policies. Notably, it was not Turn’s use of a supercookie that got the company in trouble, but its misrepresentations in its privacy policy suggesting that users had the ability to disable tracking and retargeting. Given the sophistication of the technology employed by digital advertising platforms, it is critical that advertisers, agencies, publishers and platforms have a detailed understanding of that technology and ensure that their privacy policies accurately reflect the reality of their use of consumer information.