On July 15, 2024, the Office of the New York State Attorney General (OAG) announced new guidance regarding the use of cookies, tags, and other online user information tracking tools. Although New York does not yet have a comprehensive set of state privacy laws, the OAG has indicated that based on a recent investigation, existing online privacy practices may run afoul of existing New York consumer protection laws.
The OAG’s guidance accompanied findings from the OAG’s investigation into the privacy tools maintained by major websites. These tools mostly involved personalized identifiers that help websites recognize visitors from one website to the next, commonly referred to as “cookies” and “tags,” as well as the privacy disclosure maintained by these websites.
More than a dozen “popular websites” were found out of compliance with New York consumer protection laws. Some of the recurring issues included:
- Uncategorized or Miscategorized Tags and Cookies: Many websites used a “consent management tool” to enable certain categories of tags or cookies (such as those related to marketing) to be turned off, while other categories (such as those related to fraud detection and analytics) would remain on regardless of the visitor’s consent choices. Based on OAG’s investigation, a number of websites miscategorized certain tags, and thus, those tags would remain active even if a website visitor opted to “turn off” certain categories.
- Misconfigured Tools: Many websites were found to have “tag-management tools” that were not cooperating correctly with the website’s “consent management tools.” As a result, when a website visitor disabled website cookies using the site’s “tag-management tools,” marketing tags regulated by the website’s separate “consent management tools” might still apply.
- Hardcoded Tags: Some websites had tags that were hardcoded directly into the website. Thus, regardless of what consent management tool options were selected by a website visitor, these tags would remain active.
- Tag Privacy Settings: Some websites used “limited data use” tools that limit the ways information collected by certain tools is used. However, these tools only apply to states with comprehensive privacy laws like California, Colorado and Connecticut. In states like New York without comprehensive privacy laws, these tools do not limit data use. According to OAG’s investigation, some companies had mistakenly assumed these limitations would apply to all states and had relied on them nationwide.
- Incomplete Understanding of Tag Data Collection and Use: Some businesses are not aware of the extent of what data tags collect and how that data may be used.
- Cookieless Tracking: Some websites did not use cookies or tags and instead directly captured visitor information and passed it along to advertising companies. The OAG reiterated that regardless of the tool used, websites should respect users’ privacy choices.
Suggestions from OAG to Identify and Prevent Issues with Tags and Cookies
- Designate: Designate a qualified individual to be responsible for implementing and managing website-tracking technologies.
- Investigate: Before deploying a new tag or tool, identify the types of data that will be collected and how the data will be used and shared, even if this means asking the developer of the tag or tool to provide information that is not publicly available about that tool.
- Configure: When deploying a new tag or tool, ensure that it is appropriately categorized and configured.
- Test & Review: Conduct regular testing to ensure that tags and tools are operating as intended, without relying solely on automated testing tools.
- Review: Conduct regular reviews to ensure tags and tools are properly configured, including ensuring that tags are properly categorized in a consent-management tool and that any tag-management tool is properly synced.
Suggestions from OAG to Ensure Privacy Disclosures Comply with New York Law
The OAG reiterates that any disclosures made by a business about its user tracking must be truthful and not misleading in order to comply with consumer protection laws.
In particular, the OAG points to popups on websites with buttons labeled “Accept Cookies” or “Accept All” next to language stating that clicking those buttons means the user agrees to the use of cookies. Such popups could give the user the mistaken impression that cookies will only be used if the user clicks “Accept,” rather than being used from the moment the user visits the site.
Similarly, the OAG emphasizes that any interfaces website visitors may use to change privacy settings should be user-friendly and not designed to obscure necessary tools to finalize the visitor’s selection (such as hiding a required “save” button).
The full OAG guidance can be reviewed here.