The FTC recently approved a final order settling charges against Epic Marketplace, Inc. (“Epic”), a wholly-owned subsidiary of Epic Media Group, LLC. This action against Epic is another step in the FTC’s continuing efforts to limit the use of online tracking technologies, previously discussed on this blog here and here. In this case, the FTC was especially concerned about the use of history sniffing code on the Internet. This is because it circumvents what the FTC refers to as the most common and widely known method consumers use to prevent online tracking: deleting cookies.
Epic purchases advertising space on thousands of websites, which Epic collectively refers to as the “Epic Marketplace [N]etwork,” and contracts with advertisers to place their ads on those sites. Epic delivers targeted advertising using cookies to track consumers’ online activities, a practice known as online behavioral advertising. In March 2010, Epic merged with Connexus Corporation. According to the Complaint, one of Connexus’ subsidiaries, Traffic Marketplace, engaged in the practice of determining whether a consumer has previously visited a webpage, or “history sniffing.” After the merger with Connexus, Epic included Traffic Marketplace’s history sniffing code in the advertisements it placed on at least 24,000 websites in the Epic Marketplace Network, including such popular sites as cnn.com, papajohns.com, redcross.com and orbitz.com. The history sniffing code allowed Epic to determine whether a consumer had visited any of over 54,000 web domains, including thousands of domains outside of the Epic Marketplace Network. Some of these domains related to sensitive personal issues including fertility, impotence, menopause, incontinence, disability insurance, credit repair, debt relief and personal bankruptcy. Epic used this information for behavioral targeting purposes, assigning consumers into groups such as “Incontinence,” “Arthritis,” “Memory Improvement” and “Pregnancy-Fertility Getting Pregnant.”
The Complaint alleged two specific acts of misconduct. First, that Epic represented it was collecting information only within the Epic Marketplace Network when it was in fact using the history code to collect information outside the Network. Second, it failed to disclose the fact that it was engaging in history sniffing. As a result, consumers could not make an informed decision whether to opt-out. The final order settling these charges places a number of restrictions on Epic’s business practices over the next twenty years. Epic must permanently delete or destroy all the information it already had collected through history sniffing within five days of the date of the order. Going forward, Epic is prohibited from collecting or using any information obtained through the use of history sniffing. Additionally, Epic may not misrepresent in any manner, expressly or implicitly, the extent to which it maintains the privacy or confidentiality of consumer data or the extent to which history sniffing code is used on a website.