FTC Settles Epic History Sniffing Case
The FTC has announced a settlement with a global digital marketing company that bars the company from engaging in a practice known as “history sniffing” and to destroy all data collected through use of the technique.
The FTC settlement order bars the company, Epic Marketplace Inc., and Epic Media Group LLC, from continuing to use history sniffing technology, which allows online operators to “sniff” a browser to see what sites consumers have visited in the past. The FTC complaint alleged that Epic secretly and illegally gathered data from millions of consumers about their interest in sensitive medical and financial issues ranging from fertility and incontinence to debt relief and personal bankruptcy.
Epic Marketplace Inc. is a advertising network present on 45,000 websites. Consumers who visited any of the network’s sites received a cookie, which stored information about their online practices, including sites they visited and the ads they viewed. The cookies allowed Epic to serve consumers ads targeted to their interests. So far so good.
Browser history sniffing works by taking advantage of the part of the HTML code that allows sites to display links a user has previously visited by changing colors. History sniffers exploit this functionality. In Epic’s case, the company examined the browser history for more than 54,000 of URLs that the site has no intention of delivering to the user. Further, history sniffing bypasses most measures available to limit or prevent online tracking, such as deleting cookies. The technique also allows advertisers to detect consumers’ visits to websites outside their own advertising network, data not normally available through use of standard cookie-based technologies. Not so good.
The FTC complaint alleged that Epic was engaged in online behavioral advertising by tracking consumers’ online activities. The goal was to deliver targeted advertising specific to each user’s interests, based on their browser use. The company’s privacy policy claimed that it was tracking user visits to sites within its own network. However, Epic additionally gathered data from other sites beyond its own advertising network, obtaining users’ browsing histories from their browsers in order to deliver advertisements.
The Commission found that Epic’s failure to disclose this practice in its privacy policies violated Section 5 of the FTC Act, which prohibits deceptive or unfair consumer acts and practices. Epic misled consumers because the privacy policy on the company’s website detailed tracking techniques that Epic used in its advertising network but failed to disclose the use of history sniffing. According to the FTC, it was the lack of transparency by failure to disclose that was a deceptive practice under the FTC Act, not the actual practice of “sniffing”.
The FTC’s settlement agreement and consent order bars Epic from misrepresenting how it maintains consumer privacy and bars misrepresentations about the extent to which software code on a webpage determines whether a user has previously visited a website. In addition, Epic was required to stop history sniffing and to delete and destroy all information collected using history sniffing. It also bars misrepresentations about the extent to which they maintain the privacy or confidentiality of data from or about a particular consumer, computer or device, including misrepresenting how that data is collected, used, disclosed or shared.
The settlement is the FTC’s first action against browser history sniffing. Interestingly, the focus is really not about the actual practice of sniffing at all. While the FTC is advocating for the consumers by encouraging advertisers to build trust with increased transparency and privacy policy disclosure, they did not address the legality of this technique that is the consumers themselves are not only unaware when they have been “sniffed”, they also do not have any access to the “sniffer’s” privacy policy (which the consumer does not even know exists), that allows the user to give consent for this collection and use of their information.
It is possible that in the future, the FTC may take steps to require advertising networks engaging in browser fingerprinting and inherently deceptive practices such as history sniffing to track users across different sites to disclose this practice to users. The Epic case has certainly spawned interest and discussions on the unethical behavior of those who engage in the practice. It also in increases the pressure on the ad industry to self regulate.
Jim Brock, CEO of PrivacyChoice, a company that monitors developments in the world of online tracking, said that the exposure of Epic’s practice could be a watershed moment for the online advertising industry’s self-regulation plans. He said, “The success of self-regulation depends on how situations like this are handled.”
The emphasis on transparency continues to be at the forefront of FTC investigations in regards to behavioral advertising. The risk of law enforcement scrutiny can be greatly reduced by viewing the FTC’s settlement with as Epic as a warning to practicing self regulation, clear privacy and disclosure policies and easily accessible opt-out features.
© 2013 CLIClaw.com
(Image Credit: iStock Photo)
This article is for information purposes only. It is not intended to be and should not be relied on as legal advice for any particular matter.
