Federal Communications Commission DA 16-242 Before the Federal Communications Commission Washington, DC 20554 In the Matter of Cellco Partnership, d/b/a Verizon Wireless ) ) ) ) ) File No.: EB-TCD-14-00017601 Acct. No.: 201632170005 FRN: 0003735230 ORDER Adopted: March 7, 2016 Released: March 7, 2016 By the Chief, Enforcement Bureau: 1. The Enforcement Bureau (Bureau) of the Federal Communications Commission has entered into a Consent Decree to resolve its investigation into whether Cellco Partnership, d/b/a Verizon Wireless (Verizon Wireless or Company) failed to disclose to consumers that it was inserting Unique Identifier Headers (UIDH) into consumers’ Internet traffic over its wireless network. Verizon Wireless’s targeted advertising programs (Verizon Selects and Relevant Mobile Advertising (RMA)) associate UIDH with Verizon Wireless customer proprietary information as well as other customer demographic and interest information to create profiles in order to serve targeted advertisements. 2. In December 2014, the Bureau began an investigation into Verizon Wireless after news stories raised privacy concerns with its use of UIDH and the Commission received related consumer complaints. The investigation sought to determine Verizon Wireless’s compliance with Section 222 of the Communications Act of 1934, as amended (Act)1, and Section 8.3 of the Commission’s rules (Open Internet Transparency Rule).2 3. Section 222 of the Act imposes a duty on carriers to protect their customers’ proprietary information and use such information only for authorized purposes.3 It also expressly prohibits carriers that obtain proprietary information from other carriers for the provision of telecommunications services to use such information for any other purpose.4 The Commission’s Open Internet Transparency Rule requires every fixed and mobile broadband Internet access service provider to “publicly disclose accurate information regarding the network management practices, performance, and commercial terms of its broadband Internet access services sufficient for consumers to make informed choices regarding use of such services and for content, application, service, and device providers to develop, market, and maintain Internet offerings.”5 4. The Bureau’s investigation found that although Verizon Wireless began inserting UIDH into consumers’ Internet traffic as early as December 2012, the Company did not disclose this practice until October 2014. It was not until March 2015—over two years later—that Verizon Wireless updated 1 47 U.S.C. § 222. 2 47 CFR § 8.3. 3 See 47 U.S.C. § 222. 4 Id. at § 222(b). 5 47 CFR § 8.3; FCC Enforcement Advisory; Open Internet Transparency Rule; Broadband Providers Must Disclose Accurate Information to Protect Consumers, Public Notice, 29 FCC Rcd 8606 (EB 2014). Federal Communications Commission DA 16-242 its privacy policy to include information about UIDH. The Bureau’s investigation also found that at least one of Verizon Wireless’s advertising partners used UIDH for unauthorized purposes to circumvent consumers’ privacy choices by restoring deleted cookies. In addition, the Bureau’s investigation found that Verizon Wireless inserted UIDH into the Internet traffic made from mobile device lines, including enterprise, government, and Mobile Virtual Network Operator (MVNO) lines, which were ineligible to participate in Verizon Wireless’s targeted advertising programs. 5. To settle this matter, Verizon Wireless will pay a fine of $1,350,000 and implement a compliance plan that requires it to obtain customer opt-in consent prior to sharing a customer’s UIDH with a third party to deliver targeted advertising. With respect to sharing UIDH internally within Verizon Communications Inc. and its subsidiaries,6 it must obtain either opt-in or opt-out consent from its customers. Verizon Wireless will also generate customer UIDH using methods that comply with reasonable and accepted security standards. 6. Verizon Wireless cooperated with the Bureau’s investigation. During the pendency of the Bureau’s investigation, Verizon Wireless updated its customer-facing documents, including its privacy policy, to disclose UIDH to consumers and also provided consumers—for the first time—with a choice to opt out of UIDH in March 2015. Given Verizon Wireless’s updates concerning UIDH, the compliance plan also requires Verizon Wireless to maintain its current practices of: (1) removing UIDH from enterprise, government, and MVNO lines within a reasonable period after activation and in those cases not use such UIDH for any purpose; (2) allowing customers who opt in to sharing UIDH to subsequently opt out at any time, and (3) disclosing Verizon Wireless practices and use of UIDH in its privacy policies and FAQs and update them as appropriate. 7. In addition, Verizon Wireless will appoint a Compliance Officer that will be responsible for ensuring that Verizon Wireless complies with the terms of the Consent Decree. The Compliance Officer or the managers reporting to the Compliance Officer must be privacy certified. Verizon Wireless must report any noncompliance with the terms of the Consent Decree and file regular compliance reports during the three-year term of the compliance plan. If during the pendency of the Compliance Plan, the Commission adopts a rule regarding customer opt-in and opt-out consent in connection with the subject matter of the Consent Decree, such rule will supersede the related terms of the Consent Decree. 8. After reviewing the terms of the Consent Decree and evaluating the facts before us, we find that the public interest would be served by adopting the Consent Decree and terminating the referenced investigation regarding Verizon Wireless’s compliance with Section 222 of the Act and Section 8.3 of the Commission’s rules.7 9. In the absence of material new evidence relating to this matter, we do not set for hearing the question of Verizon Wireless’s basic qualifications to hold or obtain any Commission license or authorization.8 10. Accordingly, IT IS ORDERED that, pursuant to Section 4(i) of the Act9 and the authority delegated by Sections 0.111 and 0.311 of the Commission’s rules,10 the attached Consent Decree IS ADOPTED and its terms incorporated by reference. 11. IT IS FURTHER ORDERED that the above-captioned matter IS TERMINATED. 6 As defined in paragraph 2(q) of the Consent Decree. 7 47 U.S.C. § 222; 47 CFR 8.3. 8 See 47 CFR § 1.93(b). 9 47 U.S.C. § 154(i). 10 47 CFR §§ 0.111, 0.311. 2 Federal Communications Commission DA 16-242 12. IT IS FURTHER ORDERED that a copy of this Order and Consent Decree shall be sent by first class mail and certified mail, return receipt requested, to Tamara Preiss, Vice President, Federal Regulatory Affairs, Cellco Partnership, d/b/a Verizon Wireless, 1300 I Street, NW, Washington, DC 20005, and to Christopher M. Miller, Vice President and Assistant General Counsel, Federal Regulatory Affairs, Cellco Partnership, d/b/a Verizon Wireless, 1300 I Street, NW, Washington, DC 20005. FEDERAL COMMUNICATIONS COMMISSION Travis LeBlanc Chief Enforcement Bureau 3 Federal Communications Commission DA 16-242 Before the Federal Communications Commission Washington, DC 20554 In the Matter of Cellco Partnership, d/b/a Verizon Wireless ) ) ) ) ) File No.: EB-TCD-14-00017601 Acct. No.: 201632170005 FRN: 0003735230 CONSENT DECREE 1. The Enforcement Bureau of the Federal Communications Commission and Cellco Partnership, d/b/a Verizon Wireless (Verizon Wireless), by their authorized representatives, hereby enter into this Consent Decree for the purpose of terminating the Enforcement Bureau’s investigation into whether Verizon Wireless violated Section 222 of the Communications Act of 1934, as amended,1 and Section 8.3 of the Commission’s rules2 in connection with its insertion of Unique Identifier Headers (UIDH) into consumers’ Hypertext Transfer Protocol (HTTP) requests made over its wireless network. I. DEFINITIONS 2. For the purposes of this Consent Decree, the following definitions3 shall apply: (a) “Act” means the Communications Act of 1934, as amended.4 (b) “Adopting Order” means an order of the Bureau adopting the terms of this Consent Decree, without change, addition, deletion, or modification. (c) “Commission” and “FCC” mean the Federal Communications Commission and all of its bureaus and offices. (d) “Communications Laws” means collectively, the Act, the Rules, and the published and promulgated orders and decisions of the Commission to which Verizon Wireless is subject by virtue of its business activities. (e) “Compliance Plan” means the compliance obligations, program, and procedures described in this Consent Decree at paragraph 18. (f) “Effective Date” means the date by which both the Bureau and Verizon Wireless have signed the Consent Decree. (g) “HTTP” means Hypertext Transfer Protocol, an application protocol for distributed, collaborative, hypermedia systems. HTTP is a method of conveying textual or multimedia data through the Internet. It defines how messages are formatted and transmitted, and what actions Web servers and browsers should take in response to various commands. (h) “Investigation” means the investigation commenced by the Bureau under File No. EB-TCD-14-00017601 regarding Verizon Wireless’s compliance with the Transparency Rule and Section 222 of the Act. 1 47 U.S.C. § 222. 2 47 CFR § 8.3. 3 The Definitions in this Consent Decree do not affect any other Commission order or proceeding. 4 47 U.S.C. § 151 et seq. Federal Communications Commission DA 16-242 (i) “LOI” means the Letter of Inquiry issued by the Bureau to Verizon Wireless on December 4, 2014 in connection with the Investigation. (j) “Operating Procedures” means the standard internal operating procedures and compliance policies established by Verizon Wireless to implement the Compliance Plan. (k) “Parties” means Verizon Wireless and the Bureau, each of which is a “Party.” (l) “Person” shall have the meaning set out in 47 U.S.C. § 153(39). (m) “Rules” means the Commission’s regulations found in Title 47 of the Code of Federal Regulations. (n) “Third Party” means any Person that is not Verizon. (o) “Transparency Rule” means Section 8.3 of the Rules, requiring disclosures by broadband Internet access service providers of accurate information with respect to the network management practices, performance, and commercial terms of their broadband Internet access services sufficient for consumers to make informed choices regarding such services. (p) “UIDH” means Unique Identifier Header, a unique character string of letters, symbols, and numbers that Verizon Wireless inserts to deliver targeted advertising into address header information that accompanies customers’ HTTP requests transmitted over the Verizon Wireless network. For purposes of this Consent Decree, UIDH also means similar device-specific identifiers that Verizon Wireless may develop to insert into header information transmitted over the Verizon Wireless network and used for similar targeted advertising purposes in the future. (q) “Verizon” means Verizon Communications Inc.; a direct or indirect wholly-owned subsidiary of Verizon Communications Inc.; or an entity that is (i) majority-owned directly or indirectly by Verizon Communications Inc. and (ii) controlled by Verizon Communications Inc., a direct or indirect wholly-owned subsidiary of Verizon Communications Inc., or an entity that is majority-owned directly or indirectly by Verizon Communications Inc. (r) “Verizon Wireless,” means Cellco Partnership, d/b/a Verizon Wireless. II. BACKGROUND 3. Verizon Communications Inc. is a holding company that owns operating subsidiaries that provide a range of communications services in the United States and select foreign countries.5 Its whollyowned subsidiary, Verizon Wireless, provides retail and wholesale wireless voice and data services to customers. 4. Verizon Wireless began testing a targeted advertising service in October 2012 and began offering the service to its subscribers in December 2012.6 Verizon Wireless operates two advertising programs that use the UIDH: Relevant Mobile Advertising (RMA) and Verizon Selects.7 Verizon 5 Verizon Communications, Inc., Form 10Q (filed Jan. 30, 2014), available at http://eol.edgarexplorer.com/EFX_dll/EdgarPro.dll?FetchFilingHTML1?SessionID=PS9F6Dh7j89S2HD&ID=1026 5052. 6 Letter from Avery Gardiner, Assistant General Counsel, Verizon Legal, to David Valdez, Deputy Chief, Telecommunications Consumers Division, FCC Enforcement Bureau, at 15 (Apr. 23, 2015) (on file in EB-TCD-1400017601). 7 Id. 2 Federal Communications Commission DA 16-242 Wireless began offering the RMA program in 2012 and Verizon Selects in 2014. According to Verizon Wireless, the difference between the two programs relates to the type of information Verizon Wireless uses about its customers to target advertisements.8 5. Verizon Selects uses a variety of customer information to develop profiles of participating customers in order to deliver targeted advertising to those customers. Verizon Wireless asserts that its program Verizon Selects uses the following customer information: (a) addresses of websites visited; (b) device location; (c) apps and device features used; (d) postal and e-mail addresses; (e) information about Verizon Wireless products and services usage, including customer proprietary network information (CPNI);9 and (f) demographic and interest information provided by third parties, such as gender, age range, and interests (e.g. sports fan, frequent diner, or pet owner).10 Since the launch of Verizon Selects in 2014, in order for Verizon Wireless subscribers to participate in Verizon Selects, subscribers must affirmatively opt into the program through, among other means, their online accounts or by following links provided in the Verizon Wireless privacy policy.11 6. According to Verizon Wireless, the RMA program also uses various customer information to deliver targeted advertising to customers who participate in RMA. Verizon Wireless asserts that RMA uses the following customer information: (a) postal and e-mail addresses; (b) certain information about Verizon Wireless products and services, such as device type; and (c) demographic and interest categories that Verizon Wireless obtains from other companies, such as gender, age range, and interests.12 Customers receive notice of RMA upon activation of service and are given the opportunity to opt out, but eligible Verizon Wireless subscribers are otherwise automatically enrolled in the RMA program.13 Since the launch of RMA in 2012, subscribers may opt-out of RMA through, among other means, their online accounts or by following links provided in Verizon Wireless’s privacy policy.14 8 See id. at 1-2. Verizon Wireless uses certain customer information to identify and deliver ads, along with their ad partners, to Verizon Wireless subscribers on their mobile devices. For example, in 2014, 1-800-FLOWERS worked with Verizon Wireless to serve Valentine’s Day ads to male Android users, aged 25-44, with household incomes higher than $75,000. See Precision Market Insights Case Study on 1-800-FLOWERS, Precision Market Insights, available at http://industryindex.com/uploads/case_studies/a129cc1a168e4fe7d6996ce7c71c818ed27e59f9.pdf (last visited Feb. 8, 2016). 9 See 47 U.S.C. § 222(h)(1) (the term ‘‘customer proprietary network information’’ means (a) information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship; and (b) information contained in the bills pertaining to telephone exchange service or telephone toll service received by a customer of a carrier). 10 See Verizon Selects FAQs, Verizon Wireless, available at http://www.verizonwireless.com/support/verizonselects-faqs/ (last visited Feb. 3, 2016). 11 See Verizon Wireless Privacy Policy, Verizon Wireless webpage, available at http://www.verizon.com/about/privacy/policy/ (last visited Mar. 31, 2015); see also Verizon Selects FAQs, Verizon Wireless, available at http://www.verizonwireless.com/support/mobile-ads-faqs/ (last visited Feb. 2, 2016). 12 See Relevant Mobile Advertising FAQs, Verizon Wireless, available at http://www.verizonwireless.com/support/mobile-ads-faqs/ (last visited Feb. 3, 2016). 13 Id. 14 See Verizon Privacy Policy, Verizon Wireless webpage, available at http://www.verizon.com/about/privacy/policy/ (last visited Mar. 31, 2015); see also Relevant Mobile Advertising FAQs, Verizon Wireless Webpage, available at http://www.verizonwireless.com/support/mobile-ads-faqs/ (last visited Feb. 2, 2016). 3 Federal Communications Commission DA 16-242 7. In connection with both the Verizon Selects and RMA programs, Verizon Wireless inserts UIDH into the HTTP requests made by eligible mobile wireless subscribers and transmitted over the Verizon Wireless network.15 As early as December 2012, Verizon Wireless began inserting UIDH into HTTP Internet traffic transmitted over Verizon Wireless’s network. 8. In November 2014, several news stories raised privacy concerns with Verizon Wireless’s use of UIDH and the Commission received related complaints.16 On December 4, 2014, the Bureau issued the LOI to Verizon Wireless directing it to provide information regarding the insertion of UIDH into consumers’ HTTP requests made over Verizon Wireless’s network.17 Specifically, the Investigation sought to determine Verizon Wireless’s compliance with the Open Internet Transparency Rule and Section 222 of the Act. The Transparency Rule requires BIAS providers, including wireless mobile broadband providers, to disclose accurate information regarding their mobile broadband Internet access services sufficient for consumers to make informed choices regarding such services.18 Under Section 222 of the Act, a telecommunications carrier has a duty to protect its customers’ proprietary information and any “telecommunications carrier that receives or obtains proprietary information from another carrier for purposes of providing any telecommunications service shall use such information only for such purpose, and shall not use such information for its own marketing efforts.”19 Verizon Wireless submitted an initial response to the LOI on January 13, 2015,20 provided supplemental responses and other submissions, and engaged in several discussions with the Bureau related to the Investigation. 9. Although Verizon Wireless began inserting UIDH into subscribers’ HTTP Internet traffic as early as December 2012, and described its advertising programs in its privacy policy and elsewhere, Verizon Wireless did not specifically disclose the presence of UIDH and its uses until October 2014.21 At 15 See Letter from Avery Gardiner, Assistant General Counsel, Verizon Legal, to Richard A. Hindman, Chief, Telecommunications Consumers Division, FCC Enforcement Bureau at 4, 6-7 (Jan. 13, 2015) (Verizon Jan. 13th Initial LOI Response) (on file in EB-TCD-14-00017601). Most Verizon Wireless consumer and small business accounts are eligible to be included in the RMA program. Government, enterprise, Mobile Virtual Network Operator subscribers’ lines are not eligible. A Mobile Virtual Network Operator is a wireless communications provider that does not own the wireless network infrastructure over which it provides services to its subscribers. 16 See Craig Timberg, Verizon, AT&T Track Their Users with ‘Supercookies,’ Washington Post, November 3, 2014, available at http://www.washingtonpost.com/business/technology/verizon-atandt-tracking-their-users-with-supercookies/2014/11/03/7bbbf382-6395-11e4-bb14-4cfea1e742d5_story.html; see also Jacob Hoffman-Andrews, Verizon Injecting Perma-Cookies to Track Mobile Customers, By-Passing Privacy Controls, Electronic Frontier Foundation, November 3, 2014, available at https://www.eff.org/deeplinks/2014/11/verizon-x-uidh. 17 Letter from Richard A. Hindman, Chief, Telecommunications Consumers Division, FCC Enforcement Bureau, to Tamara Preiss, Vice President, Federal Regulatory Affairs, Verizon, and Christopher M. Miller, Vice President & Associate General Counsel, Verizon (Dec. 4, 2014) (on file in EB-TCD-14-00017601). 18 See 47 CFR § 8.3; see also FCC Enforcement Advisory; Open Internet Transparency Rule; Broadband Providers Must Disclose Accurate Information to Protect Consumers, Public Notice, 29 FCC Rcd 8606 (EB 2014) (BIAS providers, such as mobile wireless providers that offer data plans for Internet access for smartphones, are subject to Section 8.3 of the Rules). The events covered by the Investigation occurred prior to the effective date of the enhancements to the Transparency Rule adopted in the Commission’s 2015 Open Internet Order. See Protecting and Promoting the Open Internet, Report and Order on Remand, Declaratory Ruling, and Order, 30 FCC Rcd 5601 (2015) (2015 Open Internet Order). 19 See 47 U.S.C. § 222(b). 20 See supra note 15. 21 See Verizon Jan. 13th Initial LOI Response at 8, Letter from Avery Gardiner, Assistant General Counsel, Verizon Legal, to Richard A. Hindman, Chief, Telecommunications Consumers Division, FCC Enforcement Bureau (May 18, 2015) (on file in EB-TCD-14-00017601) (Verizon May 18th Supplemental LOI Response); see also UIDH (continued….) 4 Federal Communications Commission DA 16-242 that time, Verizon Wireless made the disclosure in its UIDH “Frequently Asked Questions” (FAQs) section of its website.22 In late March 2015, Verizon Wireless updated its privacy policy to include a disclosure regarding UIDH.23 10. As part of its original FAQs addressing the UIDH, Verizon Wireless said that “[i]t is unlikely that sites and ad entities will attempt to build customer profiles for online advertising or any other purpose using the UIDH.”24 News reports in January 2015, identified a Verizon Wireless advertising partner that, according to those news reports, used UIDH for unauthorized purposes.25 Specifically, according to the news reports, this advertising partner restored its cookie IDs that users cleared from their browsers by associating them with Verizon Wireless UIDHs.26 In February 2015, Verizon Wireless acknowledged those news articles raising concerns about the advertising partner’s use of UIDH for purposes outside of Verizon Wireless’s advertising programs in its UIDH FAQs.27 It also stated that it “will work with other partners to ensure that their use of UIDH is consistent with the purposes intended.”28 11. During the course of the Investigation, Verizon Wireless updated its customer-facing documents. On March 31, 2015, Verizon Wireless updated its privacy policy to specifically disclose the presence of UIDH and provided a related opt-out capability for its subscribers.29 Further, Verizon Wireless updated its UIDH FAQ disclosures to describe, among other things, what UIDH is and how it is used, and the UIDH opt-out choices available to subscribers.30 Verizon Wireless also updated its RMA and Verizon Selects FAQs to describe what customer information is used and for what purposes, choices (Continued from previous page) FAQs, Verizon Wireless, available at http://www.verizonwireless.com/support/unique-identifier-header-faqs/ (last visited Jan. 16, 2015). 22 See Verizon May 18th Supplemental LOI Response; see also UIDH FAQs, Verizon Wireless, available at http://www.verizonwireless.com/support/unique-identifier-header-faqs/ (last visited Jan. 16, 2015). Verizon Wireless subscribers can access links to the related FAQs located in Verizon Wireless’s Privacy Policy. 23 See Verizon Privacy Policy, Verizon Wireless, available at http://www.verizon.com/about/privacy/policy/ (last visited Mar. 31, 2015). 24 See UIDH FAQs, Verizon Wireless, available at http://www.verizonwireless.com/support/unique-identifierheader-faqs/ (last visited Jan. 16, 2015). 25 See Julia Angwin and Mike Tigas, Zombie Cookie: The Tracking Cookie That You Can’t Kill, Propublica, January 14, 2015, available at https://www.propublica.org/article/zombie-cookie-the-tracking-cookie-that-you-cant-kill; see also UIDH FAQs, Verizon Wireless, available at http;//www.verizonwireless.com/support/unique-identifier-headerfaqs/ (last visited Feb. 1, 2015); Letter from Avery Gardiner, Assistant General Counsel, Verizon Legal, to Richard A. Hindman, Chief, Telecommunications Consumers Division, FCC Enforcement Bureau, at 4 (Feb. 12, 2015) (on file in EB-TCD-14-00017601). 26 See Zombie Cookie ID to be Suspended Pending Re-evaluation, Turn, Inc., available at http://www.turn.com/blog/zombie-cookie-id-to-be-suspended-pending-re-evaluation (last visited on Feb. 1, 2015). 27 See UIDH FAQs, Verizon Wireless, available at http;//www.verizonwireless.com/support/unique-identifierheader-faqs/ (last visited Feb. 1, 2015). 28 See id. 29 See Verizon Wireless Privacy Policy, Verizon Wireless, available at http://www.verizon.com/about/privacy/policy/ (last visited Mar. 31, 2015); see also UIDH FAQs, Verizon Wireless, available at http://www.verizonwireless.com/support/unique-identifier-header-faqs/ (last visited Apr. 6, 2015). 30 See UIDH FAQs, Verizon Wireless, available at http://www.verizonwireless.com/support/unique-identifierheader-faqs/ (last visited Feb. 2, 2016). 5 Federal Communications Commission DA 16-242 customers can make about the use of their data, and who has access to customer data.31 On March 31, 2015, Verizon Wireless modified its systems to stop inserting the UIDH after a customer opts out of the RMA program unless that customer has chosen to participate in Verizon Selects. In addition, following Verizon’s acquisition of AOL,32 Verizon announced a combination of the Verizon Wireless and AOL advertising programs and committed to transmit UIDH only to entities that are on a pre-approved “white list.”33 12. The Parties negotiated the following terms and conditions of settlement and hereby enter into this Consent Decree as provided below. III. TERMS OF AGREEMENT 13. Adopting Order. The provisions of this Consent Decree shall be incorporated by the Bureau in an Adopting Order. This Consent Decree specifically addresses UIDH as it relates to Verizon Wireless’s advertising programs. This Consent Decree does not impose obligations on Verizon Selects or other Verizon Wireless advertising programs that require prior customer opt-in approval.34 14. Jurisdiction. For the purposes of this Consent Decree, including any subsequent enforcement of its terms, Verizon Wireless agrees that the Bureau has jurisdiction over it and the matters contained in this Consent Decree and has the authority to enter into and adopt this Consent Decree. 15. Effective Date; Violations. The Parties agree that this Consent Decree shall become effective on the Effective Date. As of the Effective Date, the Parties agree that this Consent Decree shall have the same force and effect as any other order of the Commission. 16. Termination of Investigation. In express reliance on the covenants and representations in this Consent Decree and to avoid further expenditure of public resources, the Bureau agrees to terminate the Investigation. In consideration for the termination of the Investigation, Verizon Wireless agrees to the terms, conditions, and procedures contained herein. The Bureau further agrees that, in the absence of new material evidence, it will not use the facts developed in the Investigation through the Effective Date, or the existence of this Consent Decree, to institute any new proceeding, formal or informal, or take any action against Verizon Wireless concerning the matters that were the subject of the Investigation. The Bureau also agrees that, in the absence of new material evidence, it will not use the facts developed in the Investigation through the Effective Date, or the existence of this Consent Decree, to institute any proceeding, formal or informal, or to set for hearing the question of Verizon Wireless’s basic qualifications to be a Commission licensee or hold Commission licenses or authorizations.35 31 See Relevant Mobile Advertising FAQs, Verizon Wireless, available at http://www.verizonwireless.com/support/mobile-ads-faqs/ (last visited Feb. 2, 2016); see also Verizon Selects FAQs, Verizon Wireless, available at http://www.verizonwireless.com/support/mobile-ads-faqs/ (last visited Feb. 2, 2016). 32 On June 23, 2015, Verizon announced it had closed its acquisition of AOL. See Tom DiChristopher, Verizon Closes AOL Acquisition, CNBC, June 23, 2015, available at http://www.cnbc.com/2015/06/23/verizon-closes-aolacquisition.html. AOL is an American multinational mass media corporation that develops, grows, and invests in brands and websites such as The Huffington Post, TechCrunch, and Engadget. The company's business spans digital distribution of content, products, and services, which it offers to consumers, publishers, and advertisers. See AOL, Inc., Wikipedia, available at https://en.wikipedia.org/wiki/AOL (last visited Feb. 8, 2016). 33 See Karen Zacharia, What Verizon Privacy Updates Really Mean, Verizon Wireless, Oct. 7, 2015, available at http://www.verizon.com/about/news/what-verizons-privacy-updates-really-mean. A white list is a list of people or organizations that have been approved to receive special consideration or privileges. See White List, The Free Dictionary, available at http://www.thefreedictionary.com/whitelist (last visited Feb. 11, 2016). 34 See 47 U.S.C. 222(c)(1). 35 See 47 CFR 1.93(b). 6 Federal Communications Commission DA 16-242 17. Compliance Officer. Within thirty (30) calendar days after the Effective Date, Verizon Wireless shall designate a senior corporate manager with the requisite corporate and organizational authority to serve as a Compliance Officer and to discharge the duties set forth below. The person designated as the Compliance Officer shall be responsible for developing, implementing, and administering the Compliance Plan and ensuring that Verizon Wireless complies with the terms and conditions of the Compliance Plan and this Consent Decree. In addition to the general knowledge of the Communications Laws necessary to discharge his or her duties under this Consent Decree, the Compliance Officer shall have specific knowledge or rely on other individuals with specific knowledge of the information security principles and practices necessary to implement the information security requirements of this Consent Decree, Section 222 of the Act, and the Transparency Rule, before assuming his/her duties. The Compliance Officer or managers reporting to the Compliance Officer with responsibilities related to this Consent Decree shall be privacy certified by an industry certifying organization and keep current through appropriate continuing privacy education courses. 18. Compliance Plan. For purposes of settling the matters set forth herein, Verizon Wireless agrees that it shall implement the following procedures: (a) Opt-In. Verizon Wireless will not share the UIDH of a customer with a Third Party to deliver targeted advertising unless Verizon Wireless obtains prior opt-in consent from that customer. Opt-in consent to participate in the Verizon Selects program satisfies this requirement. (b) Security. Verizon Wireless shall generate the UIDH of a customer using methods that comply with reasonable and accepted security standards. (c) Other Restrictions. Verizon Wireless shall maintain its current practice of (1) removing the UIDH from an ineligible line within a reasonable period after activation and not use these UIDHs for any purpose;36 (2) allowing customers eligible to participate in the RMA program to opt out of having UIDH inserted in their HTTP traffic; (3) allowing customers who opt in pursuant to subsection 18(a) to subsequently opt out at any time, and (4) disclosing Verizon Wireless practices and use of the UIDH in its privacy policies and FAQs and update such disclosures as appropriate. (d) Operating Procedures. Within sixty (60) calendar days of the Effective Date Verizon Wireless shall establish Operating Procedures designed to ensure its compliance with subparagraphs (a) and (c) of this section. In the Operating Procedures, Verizon Wireless shall ensure that if another Verizon entity receives the UIDH from Verizon, that Verizon entity will not share it in a way that Verizon Wireless would be prohibited from doing directly under the terms of this Consent Decree. The Operating Procedures also will reflect that Verizon is permitted to share the UIDH among Verizon entities with either opt-out or opt-in customer consent. 19. Reporting Noncompliance. Verizon Wireless shall report any noncompliance with Section 222(b) of the Act, the Transparency Rule, and with the terms and conditions of this Consent Decree that is more than an anomaly within fifteen (15) calendar days after discovery of such noncompliance. Such reports shall include a detailed explanation of: (i) each instance of noncompliance that is more than an anomaly; (ii) the steps that Verizon Wireless has taken or will take to remedy such 36 Ineligible lines are comprised of government, enterprise, and Mobile Virtual Network Operator lines. If there are any temporary uses of the UIDH following activation of these lines, Verizon Wireless shall eliminate them within 60 days from the Effective Date. If in the future Verizon Wireless desires to include these lines in its programs that use the UIDH, it shall ensure these customers have the same options provided for in this Consent Decree, including the ability to opt in and to opt out. 7 Federal Communications Commission DA 16-242 noncompliance; (iii) the schedule on which such remedial actions will be taken; and (iv) the steps that Verizon Wireless has taken or will take to prevent the recurrence of any such noncompliance. All reports of noncompliance that is more than an anomaly shall be submitted to the Chief, Telecommunications Consumers Division, Enforcement Bureau, Federal Communications Commission, 445 12th Street, SW, Rm. 4C-224, Washington, DC 20554, with a copy submitted electronically to David.Valdez@fcc.gov, Kimbarly.Taylor@fcc.gov, and Melanie.Tiano@fcc.gov. 20. Compliance Reports. Verizon Wireless shall submit Compliance Reports with the Commission ninety (90) calendar days, twelve (12) months, twenty-four (24) months, and thirty-six (36) months after the Effective Date. (a) Each Compliance Report shall include a detailed description of Verizon Wireless’s efforts during the relevant period to comply with Section 222 (b) of the Act, the Transparency Rule, and the terms and conditions of this Consent Decree. (b) Each Compliance Report shall include a certification by the Compliance Officer, as an agent of and on behalf of Verizon Wireless, stating that the Compliance Officer has personal knowledge that Verizon Wireless: (i) has established and implemented the Compliance Plan; (ii) has utilized the Operating Procedures since the implementation of the Compliance Plan; and (iii) is not aware of any instances of noncompliance that is more than an anomaly with the terms and conditions of this Consent Decree, including the reporting obligations set forth in paragraph 19 of this Consent Decree. (c) The Compliance Officer’s certification shall be accompanied by a statement explaining the basis for such certification and must comply with Section 1.16 of the Rules and be subscribed to as true under penalty of perjury in substantially the form set forth therein.37 (d) If the Compliance Officer cannot provide the requisite certification, the Compliance Officer, as an agent of and on behalf of Verizon Wireless, shall provide the Commission with a detailed explanation of the reason(s) why and describe fully: (i) each instance of noncompliance that is more than an anomaly; (ii) the steps that Verizon Wireless has taken or will take to remedy such noncompliance, including the schedule on which the proposed remedial actions will be taken; and (iii) the steps that Verizon Wireless has taken or will take to prevent the recurrence of any such noncompliance, including the schedule on which such preventive action will be taken. (e) All Compliance Reports shall be submitted to the Chief, Telecommunications Consumers Division, Enforcement Bureau, Federal Communications Commission, 445 12th Street, SW, Rm. 4C-224, Washington, DC 20554, with a copy submitted electronically to David.Valdez@fcc.gov, Kimbarly.Taylor@fcc.gov, and Melanie.Tiano@fcc.gov. 21. Termination Date. Unless stated otherwise, the requirements set forth in paragraphs 17 through 20 of this Consent Decree shall expire thirty-six (36) months after the Effective Date. 22. Section 208 Complaints; Subsequent Investigations. Nothing in this Consent Decree shall prevent the Commission or its delegated authority from adjudicating complaints filed pursuant to Section 208 of the Act38 against Verizon Wireless or its affiliates for alleged violations of the Act, or for 37 47 CFR § 1.16. 38 47 U.S.C. § 208. 8 Federal Communications Commission DA 16-242 any other type of alleged misconduct, regardless of when such misconduct took place. The Commission’s adjudication of any such complaint will be based solely on the record developed in that proceeding. Except as expressly provided in this Consent Decree, this Consent Decree shall not prevent the Commission from investigating new evidence of noncompliance by Verizon Wireless with the Communications Laws. 23. Settlement Amount. Verizon Wireless will pay a fine to the United States Treasury in the amount of one million, three hundred fifty thousand dollars ($1,350,000) within thirty (30) calendar days of the Effective Date. Verizon Wireless shall send electronic notification of payment to Johnny.Drake@fcc.gov on the date said payment is made. The payment must be made by check or similar instrument, wire transfer, or credit card, and must include the Account Number and FRN referenced above. Regardless of the form of payment, a completed FCC Form 159 (Remittance Advice) must be submitted.39 When completing the FCC Form 159, enter the Account Number in block number 23A (call sign/other ID) and enter the letters “FORF” in block number 24A (payment type code). Below are additional instructions that should be followed based on the form of payment selected:  Payment by check or money order must be made payable to the order of the Federal Communications Commission. Such payments (along with the completed Form 159) must be mailed to Federal Communications Commission, P.O. Box 979088, St. Louis, MO 631979000, or sent via overnight mail to U.S. Bank – Government Lockbox #979088, SL-MO-C2-GL, 1005 Convention Plaza, St. Louis, MO 63101.  Payment by wire transfer must be made to ABA Number 021030004, receiving bank TREAS/NYC, and Account Number 27000001. To complete the wire transfer and ensure appropriate crediting of the wired funds, a completed Form 159 must be faxed to U.S. Bank at (314) 418-4232 on the same business day the wire transfer is initiated.  Payment by credit card must be made by providing the required credit card information on FCC Form 159 and signing and dating the Form 159 to authorize the credit card payment. The completed Form 159 must then be mailed to Federal Communications Commission, P.O. Box 979088, St. Louis, MO 63197-9000, or sent via overnight mail to U.S. Bank – Government Lockbox #979088, SL-MO-C2-GL, 1005 Convention Plaza, St. Louis, MO 63101. Questions regarding payment procedures should be addressed to the Financial Operations Group Help Desk by phone, 1-877-480-3201, or by e-mail, ARINQUIRIES@fcc.gov. 24. Waivers. As of the Effective Date, Verizon Wireless waives any and all rights it may have to seek administrative or judicial reconsideration, review, appeal or stay, or to otherwise challenge or contest the validity of this Consent Decree and the Adopting Order. Verizon Wireless shall retain the right to challenge Commission interpretation of the Consent Decree or any terms contained herein. If either Party (or the United States on behalf of the Commission) brings a judicial action to enforce the terms of the Consent Decree or the Adopting Order, neither Verizon Wireless nor the Commission shall contest the validity of the Consent Decree or the Adopting Order, and Verizon Wireless shall waive any statutory right to a trial de novo. Verizon Wireless hereby agrees to waive any claims it may otherwise have under the Equal Access to Justice Act40 relating to the matters addressed in this Consent Decree. 25. Severability. The Parties agree that if any of the provisions of the Consent Decree shall be held unenforceable by any court of competent jurisdiction, such unenforceability shall not render 39 An FCC Form 159 and detailed instructions for completing the form may be obtained at http://www.fcc.gov/forms#159.pdf. 40 See 5 U.S.C. § 504; 47 CFR §§ 1.1501–1.1530. 9 Federal Communications Commission DA 16-242 unenforceable the entire Consent Decree, but rather the entire Consent Decree shall be construed as if not containing the particular unenforceable provision or provisions, and the rights and obligations of the Parties shall be construed and enforced accordingly. 26. Invalidity. In the event that this Consent Decree in its entirety is rendered invalid by any court of competent jurisdiction, it shall become null and void and may not be used in any manner in any legal proceeding. 27. Subsequent Rule or Order. The Parties agree that if any provision of the Consent Decree is more or less restrictive than any subsequent Rule or order adopted by the Commission (except an order specifically intended to revise the terms of this Consent Decree to which Verizon Wireless does not expressly consent) regarding the same subject matter, including any subsequent Rule or order with respect to opt-in or opt-out, that provision will be superseded by such Rule or order. 28. Successors and Assigns. Verizon Wireless agrees that the provisions of this Consent Decree shall be binding on its successors, assigns, and transferees. 29. Final Settlement. The Parties agree and acknowledge that this Consent Decree shall constitute a final settlement between the Parties with respect to the Investigation. The Parties further agree that this Consent Decree does not constitute either an adjudication on the merits or a factual or legal finding regarding any compliance or noncompliance with the requirements of the Communications Laws. 30. Modifications. This Consent Decree cannot be modified without the advance written consent of both Parties. 31. Paragraph Headings. The headings of the paragraphs in this Consent Decree are inserted for convenience only and are not intended to affect the meaning or interpretation of this Consent Decree. 32. Authorized Representative. Each Party represents and warrants to the other that it has full power and authority to enter into this Consent Decree. Each person signing this Consent Decree on behalf of a Party hereby represents that he or she is fully authorized by the Party to execute this Consent Decree and to bind the Party to its terms and conditions. 10 Federal Communications Commission DA 16-242 33. Counterparts. This Consent Decree may be signed in counterpart (including electronically or by facsimile). Each counterpart, when executed and delivered, shall be an original, and all of the counterparts together shall constitute one and the same fully executed instrument. ________________________________ Travis LeBlanc Chief Enforcement Bureau ________________________________ Date ________________________________ Chris Miller Vice President & Associate General Counsel Cellco Partnership d/b/a Verizon Wireless ________________________________ Date 11