Verizon crossed a line by collecting information about its customers' online behavior without their permission, according to a Federal Communications Commission investigation.

Verizon has been using small files known as "cookies" to track its wireless customers' behavior since late 2012. The use of cookies for ad targeting is common, but Verizon took the practice a step further by inserting cookies into its all its customers' unencrypted Internet traffic, allowing it to learn how customers used mobile apps and websites outside of Verizon's control. These cookies, first reported by nonprofit journalism outfit ProPublica, would reappear even if users cleared them from their web browsers, earning them the nickname "zombie cookie" or "supercookie." Third party advertisers were even able to use the cookies to track consumer behavior, according ot ProPublica.

Verizon announced last year that it would restrict the use of the cookies to Verizon-owned websites and select companies that Verizon says it works with to provide services. It also allowed users to opt out. But the actions were too late to save it from the FCC investigation.

Now Verizon must pay a fine of $1.35 million as part of a settlement with the FCC. That's just a slap on the wrist for a company like Verizon, which reported $34.3 billion in revenue last quarter. More significantly, the company will have to notify customers about the cookies and give customers the chance to opt in before it can actually use the data it collects.

Full Disclosure

Verizon's zombie cookies ran afoul of the FCC's Open Internet Transparency Rule, adopted in 2010, which states that carriers can only use customers' personal information for authorized purposes. "The Bureau’s investigation found that Verizon Wireless began inserting [cookies] into consumer Internet traffic as early as December 2012, but failed to disclose this practice until October 2014," the FCC's statement says. Verizon did not immediately respond to our request for comment.

Despite the leniency of the settlement, privacy groups are hailing it as a victory. "Today’s FCC action puts all broadband providers on notice that they can no longer hide behind vague disclosures about ‘information collection,’ or refuse to give their subscribers real choices when it comes to sharing customer information," said Harold Feld of the advocacy group Public Knowledge.

"This sets a positive precedent against insidious, hidden online tracking, which is occuring across the globe," said Peter Micek of the organization Access Now, which offers an online tool for detecting zombie cookies and other trackers. "We expect regulators worldwide, from the European Union to India, to follow the FCC’s lead, and for other telcos to take notice."