Privacy & Information Security Law Blog

On December 5, 2012, the Federal Trade Commission announced that the online advertising company Epic Marketplace, Inc. (“Epic”) agreed to settle charges that it engaged in “history sniffing” to secretly and illegally collect information about consumers’ interest in sensitive medical and financial issues. History sniffing is the practice of determining whether a consumer has previously visited a webpage by checking how a browser displays a hyperlink. The consent order requires Epic to destroy all data collected from history sniffing and bars Epic from engaging in history sniffing in the future.

According to the FTC’s complaint, Epic is an advertising company that acts as an intermediary between website publishers and advertisers. The complaint describes how Epic collects data on consumers who visit the websites of advertisement publishers (“Epic Marketplace Network”) by setting cookies in consumers’ browsers. Through a merger, Epic acquired Traffic Marketplace, which engaged in history sniffing according to the FTC. Epic continued the practice of history sniffing after this acquisition, collecting consumer information on at least 24,000 webpages within the Epic Marketplace Network. Many of these websites were related to sensitive medical and financial topics, such as fertility issues, impotence, menopause, incontinence, disability insurance, credit repair, debt relief and personal bankruptcy. Epic assigned consumers an “interest segment” based on the data it collected, and also used this data for behavioral advertising targeting purposes.

The FTC noted that Epic’s web user privacy policy misrepresented that the advertising company only collected information on consumers’ visits to websites within the Epic Marketplace Network, when in fact it used history sniffing to collect information on visits to websites outside the Epic Marketplace Network as well. The complaint also alleged that Epic failed to disclose to consumers that it engaged in history sniffing. These practices, according to the FTC, constituted deceptive acts or practices in violation of the FTC Act.

The FTC’s settlement agreement and consent order bars Epic from misrepresenting how it maintains consumer privacy and how software code determines whether a user has previously visited a webpage. In addition, Epic was required to stop history sniffing and to delete and destroy all information collected using history sniffing.

Update: On March 19, 2013, the FTC approved the final settlement order with Epic.