In mid-July the New York Attorney General’s office published a Guide for Website Privacy Controls in which the office identifies “mistakes we found businesses making when deploying tracking technologies.” The guidance acknowledges that New York lacks a consumer data privacy law that regulates online tracking technologies, but takes the position that “New York’s consumer data protection laws . . . , which prohibit businesses from engaging in deceptive acts and practices, effectively require that websites’ representations concerning consumer privacy be truthful and not misleading.” According to the Attorney General, this “means that statements about when and how website visitors are tracked should be accurate, and privacy controls should work as described.”

In the below article, we provide a brief overview of the guidance and some key takeaways.

Background

According to the Attorney General’s office, over the course of several months, the office analyzed cookie activity on a “variety of websites” and ultimately notified thirteen websites that the office had identified issues with their cookie tracking activity. The office represented that all of the websites thereafter resolved the issues.

“Key Mistakes”

The guidance identifies the following six “key mistakes” that companies “often make” when deploying tags and tracking technologies:

1. Uncategorized or miscategorized tags and cookies result in consent-management tools (e.g., OneTrust) not being configured properly (e.g., the user toggles off marketing cookies but some cookies are not disabled because the consent-management tool is not properly configured).
2. Consent-management tools and tag-management tools are misconfigured and do not work together properly resulting in cookies not being disabled in response to an opt-out.
3. The use of hardcoded tags that do not respond to consent-management tools.
4. Misunderstanding of how services such as Meta’s limited data use work in states that have not enacted comprehensive data privacy laws.
5. Incomplete understanding of tag data collection and use.
6. The use of cookieless tracking technologies that pass data to advertising companies outside the control of consent-management tools.

“Key Issues”

The guidance also identifies the following three “key issues to look out for” to comply with New York’s consumer protection laws:

1. Ensure statements about privacy controls are accurate, including in cookie-pop ups and privacy notices.
2. Avoid language that creates a misleading impression. Here, the office specifically calls out websites that deploy cookies as soon as a visitor reaches the website but give the impression that the user has to accept cookies for them to be deployed (e.g., by using a cookie pop-up that states that a user has to “accept” cookies).
3. Ensure the user interface is not misleading. Here, the office focuses on making sure that cookie-management tools do not use confusing interfaces (i.e., dark patterns).

Recommendations

Finally, the guidance offers a list of “dos” and “don’ts” for privacy-related disclosures and controls. Included on the list of four “dos” the office suggests that consumers should be provided with separate “accept” and “decline” buttons “that are equal in size, color, and emphasis.” Included on the list of six “don’ts” the office states that websites should not use ambiguous buttons. The office states that, for example, “consumers may think clicking ‘X’ in the corner of a cookie banner means they are rejecting cookies.”

Key Takeaways

The New York Attorney General’s guidance is yet another example of the ever-growing complexity of properly deploying consent-management tools and cookie pop-ups. In addition to the New York guidance, companies need to take into account, as applicable, requirements in state consumer data privacy laws and regulations, the use of tools and pop-ups to mitigate risk of privacy litigation claims such as California Invasion of Privacy Act lawsuits, and international requirements. The fact that the New York Attorney General has chosen to issue guidance in the absence of a state consumer data privacy law or rulemaking process only further complicates compliance.

[View source.]