Skip to main content

NJ Attorney General Settles with PulsePoint for $1 Million

Written by Amy Malone

Digital marketing company, PulsePoint  entered into a Consent Order with the New Jersey Attorney General and agreed to pay $1 million, following an investigation of claims that PulsePoint bypassed privacy setting of Apple’s Safari browser to allow tracking of consumer activity.

Last year, Google settled similar claims with the Federal Trade Commission for $22.5 million (see our blog post here).  The allegations against PulsePoint mirror those that the FTC brought against the search engine giant:  the NJ AG's complaint alleged that PulsePoint placed cookies on Apple Safari web browsers without the knowledge or consent of New Jersey consumers.  PulsePoint allegedly did this by bypassing privacy settings that were chosen by Safari users.  The Safari settings allow users to select between “always” accepting cookies, “never” accepting cookies, or accepting cookies only from “sites I visit-block cookies from third parties and advertisers.”

According to the complaint, PulsePoint circumvented the user settings by using a form that made the Safari browser act as if the user had clicked on the advertisement, when in fact the user had not.   Once the form was sent, the Safari browser allowed PulsePoint to set their cookies on the browser, even when the user had opted to block cookies.

This activity occurred between June 2009 and February 2012 and in the press release, the state claims that PulsePoint may have placed up to 215 million targeted ads on the browsers of New Jersey consumers.

The $1 million settlement includes (1) a civil penalty of $556,196.96, (2) reimbursement of the state’s attorneys’ fees in the amount of $32,048.00, (3) reimbursement of the state’s investigative costs in the amount of $1,755.04, (4) a payment of $150,000.00 to be used in the state’s discretion for the promotion of consumer privacy programs and (5) a payment of $250,000.00 to be used by the state for in-kind advertising services.

PulsePoint also agreed to, among other things; implement numerous privacy controls and procedures to protect the privacy and confidentiality of consumer information.   PulsePoint agreed to not override or change a consumer’s browser settings without her affirmative consent.  And, PulsePoint must provide information on its website explaining what information it collects and how it uses that information.

The future may be a difficult one for PulsePoint as more attorneys general may engage in their own investigations.

Subscribe To Viewpoints

Author

Cynthia J. Larose

Member / Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.