Last week, the New Jersey Attorney General announced it had entered into a settlement with Dataium, a Tennessee-based data analytics company that primarily serves the auto industry. The settlement, by administrative Consent Order, concerns Dataium’s analytics services, in particular its alleged tracking and analysis of consumers’ online viewing habits — generally, about cars and car shopping. While the Consent Order contains no explicit allegation that Dataium violated any specific state law, it does allege that the company failed to provide sufficient notice and choice to consumers in certain ways.
The first such allegation is that during several “internal trials,” Dataium engaged in “history sniffing” on 181,000 user visits to a variety of websites regarding cars. (Presumably, a smaller number of actual unique users were involved.) History sniffing is a way to collect data about the websites a user has visited without (as is more commonly the practice) doing so directly through the website itself. History sniffing relies on a feature of certain browsers, particularly older versions, that renders a link in a different color once the user has visited it. A history sniffer simply loads a master set of target links and compares the color each one is rendered in against the unvisited color, with a color mismatch thus indicating that a particular site has been visited. (Users can avoid this simply by clearing their browser history, and current browser versions no longer expose the visited-link color to page scripts.)
Dataium asserted that the “sniffed” data assets were never monetized or used for marketing, or combined with personal information. Nonetheless, the New Jersey AG asserted in the Consent Order that Dataium was required but failed to “adequately disclose that [it] collected consumer browsing activities on other websites” — an assertion that Dataium likewise denied.
Second, and apparently distinct from the “history sniffing” allegations, the New Jersey AG alleged that Dataium impermissibly sold to data broker Acxiom files on 400,000 consumers, containing personal information linked to consumer preferences inferred from online browsing activities, e.g., what vehicle a consumer might prefer to buy, and when a user was first seen online shopping for cars. The AG alleged that this data was transferred “without the knowledge or express consent of the consumers” — underscoring the generally accepted principle (e.g., in the NAI Code of Conduct and other industry codes) that heightened notice requirements apply to the merger of personal information with online-derived data. While privacy-sensitive standards do exist for de-identifying and/or hashing personal information to tailor ads and link data, it does not appear those measures were taken in this case.
Going forward, the Consent Order requires that Dataium take the following measures:
- Explicitly disclose how it collects data, and provide a consumer opt-out;
- Obtain “express consent” and provide an opt-out method prior to selling or transferring consumer information tied to a unique user identifier;
- Implement a “Privacy Program” and prepare a “Privacy Assessment Report;” and
- Provide $99,000.00 to the AG as costs — a larger sum of $301,000 being suspended upon Dataium’s demonstrated compliance.
The settlement marks another in a recent line of high-profile privacy cases by the New Jersey AG, with other recent settlements involving issues of data and app privacy and COPPA violations.
Dataium first came under public scrutiny when a December 2012 Wall Street Journal article reported on Dataium’s platform and how it was “able to tie online shopping data to people’s names, according to its public statements.” See J. Valentino-DeVries, “They Know What You’re Shopping For,” (WSJ “What They Know” series, Dec. 7, 2012). This practice, as reported, would thus potentially have violated the spirit of the NAI Code of Conduct and similar DMA Guidelines, which generally proscribe the merger of online behavioral advertising (OBA) data with personally identifiable information (PII). As in numerous other cases regarding data privacy over these past several years, this media scrutiny led to deeper scrutiny by public officials.