New York Attorney General Publishes Guide to Avoid “Key Mistakes” Regarding Online Tracking Technologies

On July 30, 2024, New York Attorney General Letitia James announced website privacy guides for New York consumers and businesses. The guides, a business-focused Business Guide to Website Privacy Controls and a consumer-focused Consumer Guide to Tracking on the Web, are available on the Office of the New York State Attorney General’s (the “OAG’s”) website. The Business Guide to Website Privacy Controls is instructive for businesses operating websites available in the state. The OAG’s announcement is made amid increasing regulatory scrutiny, including by the FTC, as well as increased litigation centered on the use of online tracking technologies.

Attorney General James emphasized that even though New York state does not have a comprehensive privacy law that governs when and how New York consumers may be tracked online, New York’s existing consumer protection laws prohibiting deceptive acts and practices (“UDAP laws”) are applicable to website online tracking activities.

The announcement follows a months-long assessment by the OAG of the use of third-party “tags,” described by the OAG as “snippets of code inserted into a webpage that direct a visitor’s browser to connect to a third-party service.” The OAG found that many e-commerce websites deployed consumer-facing privacy controls that did not work as described.

Key Takeaways from OAG Guidance:

  • Issues Highlighted by the Guidance:
    • Use of Consent- and Tag-Management Tools: The guidance discusses the use of consent- and tag-management tools and encourages businesses to ensure they do not leave tags uncategorized or miscategorized; misconfigure such tools (such as by not properly passing opt-out signals); or leave tags that are hardcoded into a website outside the scope of such tools.
    • Privacy Settings: The guidance encourages businesses not to rely on any particular tag’s privacy settings, as many of the settings may be set up to work by default only in states with comprehensive privacy laws.
    • Understanding Tags: The guidance states that, before deploying a new tag, a business should understand what data it collects and how that data may be used.
    • Cookieless Tracking: The guidance also emphasizes disclosure of any non-cookie-based sharing of data.
  • Identifying and Preventing Issues: OAG recommends certain processes to aid the implementation and governance of tracking technologies, including:
    • Designation of a qualified individual (or individuals) with appropriate training to implement and manage website tracking technologies.
    • Investigating a new tag or tool before deploying it to understand its use and the business’ obligations.
    • Appropriately configuring and testing a tag before deploying it.
    • Regularly reviewing the use of tags and tools.
    • The guidance includes a reminder to ensure the accuracy of privacy statement disclosures, as well as of cookie pop-up or preference management language.
    • It also provides reminders about “dark pattern” risks, with guidance around giving equivalent options equal weight and presentation.

While the OAG’s guidance does not necessarily break new ground, it reframes existing best practices as “key mistakes” to avoid, suggesting that the OAG may regard some of these issues as falling within its enforcement authority under existing UDAP laws. In light of the increased regulatory and litigation risks, companies can keep this guidance in mind as they review their digital development processes.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.