Privacy Law Blog

Learning from the Past: The FTC Bans Undisclosed History Sniffing

Posted in Behavioral Marketing, FTC Enforcement, Online Privacy

It has been said that we must learn from the past to profit by the present. Taken literally in our digital age, that maxim has had serious privacy implications for one online advertising company, as evidenced by last week’s FTC order banning undisclosed history sniffing practices.

Browser history sniffing is a web tracking technology that has existed for some time. By default, a web page displays unvisited links in one color and visited links in another. History sniffing involves running JavaScript code on a web page to determine whether a user’s browser displays links to specific domains as unvisited or visited. Using this information, the website can determine whether the user has visited specific web pages in the past and, from that, glean the user’s interests. Users can prevent browser sniffing by simply clearing their browser history.

Epic Marketplace is an advertising network that runs on 45,000 websites. Epic used online behavioral advertising to serve targeted ads to consumers by monitoring user activity on the sites. While its privacy policy stated that it would only collect information about sites visited by users within the advertising network, Epic was allegedly also employing history sniffing technology to gather data on sites visited outside its network, including medical and financial sites. This allowed Epic to gauge consumers’ interest in sensitive areas such as fertility, incontinence, bankruptcy, and debt relief. According to the FTC complaint, Epic allegedly assigned each user an interest segment based on the sites they visited and served targeted ads accordingly.

The FTC issued a consent order barring Epic from using history sniffing and requiring it to destroy data collected using such practices. The order also barred the company from misrepresenting how user data is collected, used, disclosed or shared.

So what lesson can businesses take away from browsing Epic’s history? Going forward, they should confirm that the privacy policies on their websites conform to actual practices and effectively communicate the information collected from users, how it is collected and the purposes for which such user data is used. After all, Epic was not faulted for history sniffing in and of itself, but for history sniffing without proper disclosure.