The FTC has long focused on regulating online behavioral advertising, and this case shows how behavioral advertising can easily become overly intrusive and imperil consumer privacy. Under Section 5 of the FTC Act, the agency has the authority to pursue companies that commit unfair or deceptive acts or practices. CDT has previously advocated for FTC enforcement against browser sniffing as a per se deceptive practice. Browser history sniffing works by exploiting the functionality of HTML that allows sites to display links you’ve previously visited as purple instead of blue — any link your site is going to render can get checked against the browser’s history to see if you’ve been there before or not. History sniffers abuse this functionality, by querying browser history for tens of thousands of URLs that the site has no intention of rendering for the user. Such a blatant misuse of a browser’s capabilities certainly seems to be an inherently deceptive means to access a user’s website history contrary to reasonable expectations.
The FTC continues to identify new fact patterns to apply its unfairness and deception enforcement powers more broadly, which is a promising step. We hope that the agency will use the Epic case as a jumping off point for browser sniffing, rather than treating it as the limits of its enforcement powers.