Under the terms of a settlement agreement announced Monday, Verizon must pay a $1.35 million fine and will only be able to use the tracking mechanism when users connect to Verizon's corporate family of services unless the company gets customers' opt-in consent. Broader use could leave customers' Web habits visible to outsiders.
“Consumers care about privacy and should have a say in how their personal information is used, especially when it comes to who knows what they’re doing online,” said FCC Enforcement Bureau Chief Travis LeBlanc, in a press release.
“Verizon gives customers choices about how we use their data, and we work hard to provide customers with clear, complete information to help them make decisions about our services," Verizon said in a statement about the settlement. "Over the past year, we have made several changes to our advertising programs that have provided consumers with even more options. "
Verizon began putting a unique string of characters into customers' web browsing in 2012 to help target its advertising program. The practice came to the public's attention in late 2014, when it received criticism from privacy advocates who called the code a "supercookie" because the it was almost impossible for users to avoid.
The privacy advocates warned then that other companies, or even intelligence agencies, could leverage the super cookies to track wherever people went online. Verizon downplayed that concern at the time, with a spokesperson saying that the code "wouldn’t be able to be used for that."
But last January, researcher Jonathan Mayer revealed evidence that others could hijack the supercookie for their own purposes: An online advertising company called Turn was using the codes to help follow people around online, he said. Turn used the supercookie to "respawn" its traditional cookies -- even if users took steps to protect their privacy by removing the cookies.
Turn said it would stop and Verizon started offering a way for customers to opt-out of having the supercookie attached to their web traffic. But the FCC had already launched an investigation of Verizon's use of supercookies in December of 2014 -- and later brought Mayer on board as the chief technologist for the agency's enforcement arm.
While the Federal Trade Commission is often thought of as the government's primary privacy watch dog, the FCC's power to police online privacy got a major boost last year. As a quirk of how the agency moved to enforce network neutrality rules, broadband providers will be subject to new privacy scrutiny. The FCC is in the process of coming up with a version of its privacy rules that apply to broadband Internet providers, which are expected soon.
And now the Verizon supercookie action, along with a series of fines levied against companies that suffered data breaches, suggest that the agency is already being more aggressive on the privacy front.
This story has been updated with comment from Verizon received after initial publication.