On July 30, 2024, the New York Attorney General Letitia James announced she had completed an investigation into the tracking technology practices of popular websites, and used this to create website privacy guides on online tracking for New York businesses and consumers. These consist of a “Business Guide” and a “Consumer Guide.” The Business Guide is directed to companies providing services to New York consumers, and explains how businesses can identify and prevent common issues when implementing cookies and other online tracking technologies. It also provides guidance on complying with New York law concerning online tracking. The Consumer Guide is directed to New York consumers, and explains how consumers can protect their privacy by limiting online tracking.

The release of the guides follows an investigation during which the Office of the New York State Attorney General (the “OAG”) found that certain websites failed to implement effective privacy controls for online tracking, potentially in violation of New York’s consumer protection laws.

The Business Guide provides important guidelines of which any company that uses tracking technologies on its website should be aware. This post briefly summarizes the OAG’s investigation, and the salient requirements that the OAG’s publications are requiring companies to be aware of going forward.

Investigation into Online Tracking

Third-party tags are snippets of code that are added to websites to facilitate the collection of information about an individual (or their device) when they visit a website. While tags have a number of use cases, the focus of the OAG’s investigation were third party tags used for digital advertising or analytics. When integrated into a website, these tags can connect to third-party advertising or analytics services, and send information about website visitors to the third parties providing these services. In doing so, the tags may help businesses advertise their products or services on third-party websites to individuals who have visited the businesses’ websites. For example, if an individual visits an online shoe website that has implemented third-party advertising tags, the tags may transmit data about that individual to the shoe website’s advertising partners. Then, when the individual navigates elsewhere on the web, they may see ads for shoes on unrelated websites – like online newspapers, sports sites, or others – that work with the advertising partner.

Early this year, the OAG launched an investigation into third-party tags and online privacy controls. While the OAG did not announce how many websites it investigated, it ultimately found that 13 popular websites (mostly e-commerce sites) failed to disable marketing or advertising tags after website visitors opted out of certain online tracking using the websites’ privacy controls. The OAG asked the businesses that operated the websites to investigate and fix the issues, and all of them complied.

The Business Guide suggests that the basis for the OAG’s investigation was New York’s “consumer protection laws … which prohibit businesses from engaging in deceptive acts and practices.” New York has not enacted a comprehensive privacy law, and the US does not have a federal online tracking law. Accordingly, the OAG indicates that it can rely on its existing unfair and deceptive trade practices authority to investigate, and potentially enforce against, online tracking practices.  The OAG’s Business Guide states that improper implementation of third-party advertising or analytics tags into a website may be an unfair or deceptive trade practice subject to the OAG’s enforcement jurisdiction.  (We note that the OAG takes the position solely under New York’s consumer-protection statutes, and that attorneys general of other states have not yet published similar positions.)

Importantly, this would mean that OAG’s position is not that third-party advertising and analytics tags are prohibited without a consumer’s prior opt-in. Instead, as the OAG states in its Business Guide, “statements about when and how website visitors are tracked should be accurate, and privacy controls should work as described.”

To help businesses, the OAG’s investigation revealed common mistakes that businesses make when deploying online tracking technologies that, according to the OAG, can make the tag deployment potentially unfair or deceptive under New York law. These practices included the following:

• Incorrectly categorizing or failing to categorize or configure tags. Cookie management tools that businesses commonly use to provide consumers with cookie controls typically scan the business’s site, identify all cookies in use, then enable the business to “categorize” the tags. Tags can be categorized as, e.g. “essential” (i.e. the site breaks if it is disabled), “functional” (certain features may not work if the cookie is disabled), or also as “analytics” or “advertising.” The OAG indicated it may be unfair or deceptive to take a cookie that belongs in the “advertising” category, and categorize it as something else – like “functional” or “essential.”
• Incorrectly configuring consent-management and tag-management tools. Many companies use a cookie consent management tool to enable website users to provide their cookie preferences. The OAG noted that consent management tools do not themselves turn cookies “off” – instead, the cookie management tool must pass the user’s preferences to another application, the website tag manager, to actually execute the user’s preferences. As the OAG states in the Business Guide, “[o]ur investigation found several websites where the consent-management tool was not properly passing opt-out signals to the tag-management tool,” meaning that even though users thought they had turned cookies off, “the tag-management tools still allowed marketing tags to fire.”
• Hard-coding tags. Many websites use website tag managers to deploy their tags, since tag managers make it easier to add and remove tags, and to set up rules for when tags do and do not deploy. But tags can also be “hard-coded” – i.e. inserted directly into a website’s HTML code. If this occurs, a cookie consent manager or a tag manager may not be able to manage the hard-coded tags, and such tags may thus continue to “fire” even after a user has attempted to opt-out.
• Inaccurately representing what the consumer’s exercise of privacy choices will accomplish. Per the OAG, a business’s privacy controls should work as described in its cookie notice or privacy policy. Businesses should avoid misleading language and interfaces. The Business Guide explains that a cookie pop-up that provides website visitors with a button to “Accept Cookies” or “Accept All” may convey to website visitors that cookies will not be used unless the “Accept” button is clicked. This would mean an “Accept All” button could be misleading if the cookies are automatically deployed when the website visitors reach the website irrespective of whether they click “Accept”.

The OAG also found additional practices that may be unfair or deceptive, such as not fully understanding what data a tag collects and how it uses and shares such data, and failing to consider tracking technologies other than website tags when making representations to consumers about their privacy choices. We are happy to provide further detail upon request.

Identifying and Preventing Common Online Tracking Mistakes

The Business Guide provides the following processes that businesses can implement to identify and prevent common mistakes that businesses make with online tracking:

• Designate a qualified individual who is familiar with and trained on the business’s online tracking technologies and policies to be responsible for implementing and managing such technologies.
• Develop an “intake” process for adding new cookies, pixels, or tags to a website. When deploying new tags or tools or changing the way the business uses existing tags or tools (such as collecting new categories of information), properly configure and categorize such tags and tools so that, for instance, advertising tags are disabled at a website visitor’s request to opt out of online advertising. Investigate the types of data that will be collected and how the data will be used and shared before deploying new online tracking technologies or making any changes to previously used technologies.
• Conduct regular testing to make sure consumer representations about privacy choices remain accurate. This includes appropriate testing on new tags and tools and when making changes to existing tags or tools to ensure that they operate as intended. Businesses that use automated scanning tools should understand the types of issues that the scanning tools may not be able to identify and implement a process to check for those issues.
• Regularly assess whether tags and tools are properly configured, including reviewing whether tags are accurately categorized in a consent-management tool and whether tag-management tools are properly synced to consent-management tools.

In addition to the specific practices the OAG highlights above, the Business Guide provides several general recommendations for privacy-related disclosures and controls. Businesses should use plain and clear language, accurately and clearly label buttons, and provide an accessible interface to enable persons with disabilities to exercise their privacy rights. Businesses should not use large blocks of text or complicated language that consumers are unlikely to understand or read, or use ambiguous, confusing or misleading buttons and interfaces, such as placing an “X” in the corner of a cookie banner which may incorrectly suggest that consumers can reject cookies by clicking it.

Alston & Bird is closely following adtech-related regulation and enforcement trends throughout the US and abroad.

[View source.]