New York Attorney General Publishes Guide to Avoid “Key Mistakes” Regarding Online Tracking Technologies
On July 30, 2024, New York Attorney General Letitia James announced website privacy guides for New York consumers and businesses. The guides, a business-focused Business Guide to Website Privacy Controls and a consumer-focused Consumer Guide to Tracking on the Web, are available on the Office of the New York State Attorney General’s (the “OAG’s”) website. The Business Guide to Website Privacy Controls is instructive for businesses operating websites available in the state. The OAG’s announcement is made amid increasing regulatory scrutiny, including by the FTC, as well as increased litigation centered on the use of online tracking technologies.
Attorney General James emphasized that even though New York state does not have a comprehensive privacy law that governs when and how New York consumers may be tracked online, New York’s existing consumer protection laws prohibiting deceptive acts and practices (“UDAP laws”) are applicable to website online tracking activities.
The announcement follows a months-long assessment by the OAG of the use of third-party “tags,” described by the OAG as “snippets of code inserted into a webpage that direct a visitor’s browser to connect to a third-party service.” The OAG found that many e-commerce websites deployed consumer-facing privacy controls that did not work as described.
Key Takeaways from OAG Guidance:
- Issues Highlighted by the Guidance:
- Use of Consent- and Tag-Management Tools: The guidance discusses the use of consent- and tag-management tools and encourages businesses to ensure they do not leave tags uncategorized/miscategorized; misconfigure such tools (such as not properly passing opt-out signals); or leave out hardcoded tags into a website from such tool’s scope.
- Privacy Settings: The guidance encourages businesses not to rely on any particular tag’s privacy settings, as many of the settings may be set up to work by default only in states with comprehensive privacy laws.
- Understanding Tags: The guidance states that, before deploying a new tag, a business should understand what data it collects and how that data may be used.
- Cookieless Tracking: The Guidance also emphasizes disclosure of any non-cookie based sharing of data.
- Identifying and Preventing Issues: OAG recommends certain processes to aid the implementation and governance of tracking technologies, including:
- Designation of a qualified individual (or individuals) with appropriate training to implement and manage website tracking technologies.
- Investigating a new tag or tool before deploying it to understand its use and the business’ obligations.
- Appropriately configuring and testing a tag before deploying it.
- Regularly reviewing the use of tags and tools.
- The Guidance includes a reminder to ensure the accuracy of privacy statement disclosures, as well as in cookie pop-up or preference management language.
- It also provides reminders about “dark pattern” risks, with guidance around giving equivalent options equal weight and presentation.
While the OAG’s guidance does not necessarily break new ground, it reframes existing best practices as “key mistakes” to avoid, suggesting that the OAG may regard some of these issues to fall within its enforcement authority under existing UDAP laws. In light of the increased regulatory and litigation risks, companies can keep this guidance in mind as they review their digital development processes.
This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.