PulsePoint, based in New York City, placed unauthorized “cookies” – small packages of data – on Apple, Inc.’s Safari web browsers, even though the users’ privacy settings were set to specifically block cookies from third-party advertisers. The unauthorized cookies may have enabled third-party advertisers to target consumers with ads based on their online activities.
Acting Attorney General Hoffman noted that the unauthorized cookies enabled the company to place as many as 215 million targeted ads on web browsers used by New Jersey consumers, between June 2009 and February 2012.
“PulsePoint circumvented privacy settings designed to protect consumers,” Acting Attorney General Hoffman said. “This settlement puts online advertisers on notice that they must respect consumers’ privacy settings, or end up paying far more in penalties than any violations would generate in ad revenue.”
The $1 million settlement, announced today, resolves the Division’s investigation into PulsePoint’s conduct. The settlement amount includes a $566,200 civil penalty, and $33,800 reimbursement for the State’s attorneys’ fees and investigative costs. It also includes a $150,000 payment to be used at the Attorney General’s sole discretion for privacy protection programs – such as the purchase of high-tech investigative tools, and the ability to retain technologists and other experts to assist in investigations.
The remaining $250,000 will consist of in-kind advertising services that PulsePoint will provide to the Division of Consumer Affairs. The Division will use the ads to further its mission to protect the public from fraud, and for other public interest purposes.
The settlement agreement also requires PulsePoint to ensure that, going forward, it protects the privacy and confidentiality of consumer information it obtains, by implementing a series of privacy controls and procedures. Among other things, the company has agreed to hire an independent third party to provide regular privacy assessment reports to the Division of Consumer Affairs, for the next five years.
The settlement also requires PulsePoint to provide detailed information on its website about the types of information it collects about consumers, and how that information is used. The website also must include instructions on how consumers can manage any cookies PulsePoint may place on their computers; and how consumers can restrict, limit, opt out of, or otherwise control the information PulsePoint may collect about them.
Finally, the agreement requires PulsePoint to maintain systems that will instruct Safari web browsers to expire any cookies placed by PulsePoint prior to the settlement’s effective date.
“This action is part of the Division of Consumer Affairs’ commitment to protect the privacy of consumers in an increasingly complex and sophisticated digital world,” Eric T. Kanefsky, Director of the Division of Consumer Affairs, said. “Online advertising is a multibillion-dollar business that is always seeking new and innovative ways to target consumers with ads that will entice them to visit retailers’ sites and make purchases. We are here to remind advertisers and web developers that all advertising activities must respect the rights of consumers, and respect the law.”
PulsePoint was formed in September 2011, through the merger of two companies known as ContextWeb, Inc. and Datran Media Corp. PulsePoint operates an advertising exchange in which it enters into agreements with web publishers to sell advertising space on their websites. It also contracts with advertisers to place their ads on the publishers’ websites.
In the settlement announced today, PulsePoint acknowledged that it engaged in this practice until February 2012, and stopped only after independent researchers verified, as published in a Wall Street Journal expose, that other companies engaged in similar practices. The company represents in the State settlement that its current directors and officers were unaware of the practice until that time. PulsePoint entered into the settlement agreement without any admission that its practices violated New Jersey’s Consumer Fraud Act.
Acting Attorney General Hoffman noted that the $1 million settlement with PulsePoint reflects the company’s practices as they affected New Jersey consumers. He also noted that the settlement will be used, in part, to enhance the State’s ability to investigate and prosecute online violations of privacy.
Investigator Aziza Salikhov, of the Division of Consumer Affairs' Cyber Fraud Unit, led this investigation. Deputy Attorneys General Jah-Juin Ho, Glenn Graham, Edward Mullins, Joan Karn, and Assistant Attorney General Brian McDonough, within the Division of Law, represented the State in this matter.
The action against PulsePoint follows a June 2012 action in which the Division of Consumer Affairs sued a mobile app developer under the Children’s Online Privacy Protection Act. As a result, the company agreed to stop collecting and transmitting the personal data of children without notifying parents and obtaining parental consent.
The Division in March 2013 released a Cyber Security Handbook, available free of charge online, with information on protecting everything that is potentially exposed to the Internet. This includes computers, smartphones, and other devices; personal information and privacy; and consumers' own personal safety as well as that of their families. The covered topics include "phishing" and "social engineering" – common strategies by which computer criminals seek to convince victims to unwittingly open themselves up to identity theft; protection against malware; protecting one's personal information when using web browsers and mobile devices; and awareness about online predators and cyber bullying.
Follow the Division of Consumer Affairs on Facebook, and check our online calendar of upcoming Consumer Outreach events.