Online advertising company Epic Marketplace Inc. and its parent Epic Media Group LLC have agreed to stop using "history sniffing" to review millions of consumers' Internet habits, according to a settlement announced Tuesday with the Federal Trade Commission.
History sniffing allows online operators to test specific sites in an Internet browser to determine if users have visited those sites in the past. Companies can then use that data to better target their ads.
The FTC filed a complaint in December saying Epic put history-sniffing code in advertisements it served to visitors on thousands of websites within the Epic Marketplace network, including cnn.com, papajohns.com and orbitz.com.
The code allowed Epic to determine whether consumers had visited any of over 54,000 domains, including pages relating to sensitive medical and financial issues. Those issues ranged from fertility and incontinence to debt relief and personal bankruptcy.
With the data, Epic was able to determine which sites consumers visited that were outside its network, information it would not have otherwise been able to get, according to the complaint. Epic also misled consumers by not disclosing that it was collecting this information, the FTC said.
Epic is required under the settlement to delete and destroy all data collected using the technology.
The FTC said history sniffing circumvents the most common and widely known method consumers use to prevent online tracking: deleting cookies. Deleting cookies does not prevent a website from querying a consumer's browsing history. Major browser vendors, however, began implementing protections against history sniffing starting in 2010.
Epic's history sniffing came to light in July 2011, when researchers at the Center for Internet and Society at Stanford Law School uncovered the practice, according to the FTC.
The settlement order also bars misrepresentations about the extent to which the companies maintain the privacy or confidentiality of data from or about a particular consumer, computer or device. That includes misrepresentations of how that data is collected, used, disclosed or shared. It also bars misrepresentations about the extent to which software code on a webpage determines whether a user has previously visited a website.
Violations of the order could lead to penalties of up to $16,000 per violation.
Epic could not be reached for comment.