Recently, the Office of the New York State Attorney General (OAG) issued an advisory warning business that website tracking technology may violate New York consumer protection laws, including the state’s Uniform Deceptive Trade Practices Act.
Most websites use “cookies,” third-party trackers like pixels, or other technology to track their visitors. Trackers use a unique identifier for the individual and then tracks that individual as the individual surfs from website to website. This information is then gathered by businesses to assist in targeting advertisements and e-commerce at the individual, as well as fraud prevention and detection.
Often, websites will contain disclosures and privacy controls. The disclosures will inform visitors about what information is tracked and retained by the website. The privacy controls enable a visitor to limit what information is stored, tracked and maintained by the website under certain conditions.
According to the OAG, however, an investigation discovered that many of the disclaimers were confusing or misleading. With respect to privacy controls, the OAG investigation determined that for many websites, the privacy controls did not work as described. According to the OAG, such misleading or confusing website disclaimers and privacy actions may violate New York’s consumer protection laws, notably, the New York’s Uniform Deceptive Trade Practices Act (Act), which prohibits businesses from engaging in deceptive acts and practices.
Under the Act, the OAG or an aggrieved individual can collect actual damages, which can then be trebled up to $10,000, an additional $5,000 fine, and attorneys’ fees and costs. The OAG also can seek injunctive relief to stop the practice.
The OAG’s advisory noted that the State will have a renewed focus to ensure that New York’s consumer protection laws are not violated by online businesses operating in New York. In light of this, business that operate in New York should:
- Ensure that website cookie management tools do not leave uncategorized or miscategorized tags/cookies.
- Ensure that website cookie management tools integrate with the website’s tag management tools; disabling tracking on one tool will disable the other tool.
- Ensure website marketing and advertising tags work as described is the disclaimer. They should not remain active after visitors try to disable them using the websites’ privacy controls.
- Ensure even tags that are hardcoded to the website get deactivated by the cookie management tools when disabled by the visitor.
- Not rely on contract-based restrictions like limited data use or restricted data processing often found in agreements with third parties that maintain websites.
- Before deploying a new tag, understand what data the tag collects and how the data may be used or shared.
- Address non-cookie-based sharing with third parties.
In addition, it is recommended that such businesses:
- Regarding configuration of trackers:
- Designate a qualified individual (or individuals) with appropriate training to be responsible for implementing and managing website-tracking technologies.
- Before deploying a new tag or tool, or changing how an existing tag or tool is used, take appropriate steps (including active due diligence) to identify the types of data collected and how the data will be used and shared.
- When deploying a new tag or tool, or changing use, ensure that it is appropriately categorized and configured.
- Conduct appropriate testing (regularly and following a change) to ensure that tags and tools are operating as intended.
- Conduct reviews on a regular basis to ensure tags and tools are properly configured.
- Regarding disclosure and interface:
- Make sure that the website’s privacy control representations (whether express or implied through privacy controls configuration) are accurate.
- Avoid language that creates a misleading impression of how the website handles tracking. For example, don't say "by clicking accept cookies," if the cookies deploy by default.
- If you can agree with a single-click, you should be able to opt out with single click.
- Make the interface accessible. Allow easy navigation of privacy controls.
- Don't use large blocks of text or complicated language.
- Ensure the user interface is not misleading.
[View source.]