New York Attorney General Letitia James has announced the launch of two comprehensive privacy guides: the Business Guide to Website Privacy Controls and the Consumer Guide to Tracking on the Web. Per the Attorney General’s office, the Business Guide will “help businesses better protect visitors to their websites by identifying common mistakes made when deploying tracking technologies, processes they can use to help identify and prevent issues, and guidance for ensuring they comply with New York law.” Although New York does not yet have a comprehensive privacy law, the Attorney General states that businesses’ privacy-related practices are nevertheless subject to New York’s broader consumer protection laws.

The Office of the Attorney General (“OAG”) investigated third-party tags and privacy controls on a variety of websites over several months. It found that thirteen “high-traffic websites,” defined as largely well-known e-commerce sites selling consumer products, such as apparel, books, and tickets to live events, had privacy controls that did not work as described. The improper trackers included marketing or advertising tags that remained active even after visitors tried to disable them using the site’s privacy controls. Per the OAG, the companies were alerted to the issues and resolved them. The OAG created a list of “mistakes to avoid” when deploying tags or other tracking technologies:

  • Uncharacterized or mischaracterized tags and cookies. Many websites now use consent-management tools to implement privacy controls. The tools allow the categorization of tags or cookies (for example, as “strictly necessary,” “performance,” “analytics,” and “marketing” cookies) and permit users to disable specific categories. However, seven of the thirteen sites identified had at least one tag that was not properly characterized. A mischaracterized tag would not respond to a user’s control choices, often remaining active despite the user’s selection. 
  • Misconfigured tools. In addition to consent-management tools, many businesses also use tag-management tools. The OAG’s investigation found that some consent-management tools were not properly passing opt-out signals to the tag-management tools. This again meant user choice was ignored, with marketing cookies firing despite a user opt-out. 
  • Hardcoded Tags. Some of the websites investigated had “hardcoded” tags, which did not respond to the site’s privacy controls. 
  • Tag Privacy Settings. Several widely used tags offer settings that website operators can configure to limit how information collected is used. For example, the Meta tag offers a “limited data use” setting which it says provides businesses with more control over how data is used. Google offers a similar setting choice. The OAG’s investigation found that many of these features were enabled only in states with comprehensive privacy laws that regulate online tracking, such as California, Connecticut, and Colorado. Businesses were erroneously relying on the features, despite their inoperability in New York. 
  • Incomplete understanding of tag data collection and use. Businesses should fully understand what data is collected by each deployed tag and how it may be used or shared. 
  • Cookieless tracking. Even companies that do not use third-party tracking tools may have issues if they share information about website visitors directly with advertising companies. 

The OAG set out a list of processes businesses could use to help identify and prevent problems including designating a qualified individual for implementing and managing tracking technologies, investigating the type of data collected by specific tags or tools, properly configuring tags, testing the functionality of tags, and conducting regular reviews to ensure that tags and tools are properly configured.
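One way to carry out the "testing the functionality of tags" step is to record the site's network traffic after opting out and compare it with the tag inventory. The following is an added example, not code from the OAG guide or from this article; the hostnames, the category map and the capture are constructed, and the capture is assumed to be in HAR format.

```javascript
// Added example. Hostnames, inventory and capture are constructed, not from the OAG guide.
// Hypothetical inventory: tag host -> consent category assigned in the consent tool.
const TAG_CATEGORIES = {
  "static.cdn.example": "strictly necessary",
  "metrics.analytics.example": "analytics",
  "pixel.ads.example": "marketing",
};

// True when host is the domain itself or one of its subdomains.
const hostMatches = (host, domain) => host === domain || host.endsWith("." + domain);

// Flags third-party hosts that fired although their category was disabled,
// and hosts missing from the inventory (uncharacterized tags).
function auditOptOut(har, firstParty, categories, disabled) {
  const byHost = new Map();
  for (const entry of har.log.entries) {
    let host = "";
    try { host = new URL(entry.request.url).hostname; } catch { continue; }
    if (!host || hostMatches(host, firstParty)) continue; // data: URLs, own site
    const known = Object.keys(categories).find((d) => hostMatches(host, d));
    const category = known ? categories[known] : null;
    let issue = null;
    if (category === null) issue = "uncategorized";
    else if (disabled.includes(category)) issue = "fired-after-opt-out";
    if (!issue) continue;
    const f = byHost.get(host) || { host, category, issue, requests: 0 };
    f.requests += 1;
    byHost.set(host, f);
  }
  return [...byHost.values()].sort((a, b) => a.host.localeCompare(b.host));
}

// Constructed capture, in HAR 1.2 shape, taken after opting out of "marketing".
const SAMPLE_HAR = { log: { entries: [
  "https://shop.example/cart",
  "https://static.cdn.example/app.js",
  "https://pixel.ads.example/tr?ev=PageView",
  "https://pixel.ads.example/tr?ev=AddToCart",
  "https://sync.tracker.example/match",
  "https://metrics.analytics.example/collect",
  "data:image/gif;base64,R0lGODlhAQABAAAAACw=",
].map((url) => ({ request: { method: "GET", url } })) } };

function runSample() {
  return auditOptOut(SAMPLE_HAR, "shop.example", TAG_CATEGORIES, ["marketing"]);
}
console.log(runSample());
```

Because the check looks at observed requests rather than tag-manager configuration, a hardcoded tag or a dropped opt-out signal surfaces the same way: as a disabled-category host that still fired.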

Takeaways

This guidance from the OAG continues a trend we have seen of regulators implementing privacy obligations, despite a lack of specific laws. When privacy controls do not work as described, regulators in virtually any state with unfair trade practices laws may be able to bring claims against companies that deploy these technologies. This also demonstrates the risk of providing privacy options solely to consumers in states with comprehensive privacy laws. The practices described by the OAG also demonstrate likely violations of the laws of the states with comprehensive privacy laws. This trend is not limited to privacy: federal regulatory agencies have announced they would regulate AI technology in line with existing laws, including privacy and anti-discrimination frameworks.

Despite the lack of a comprehensive privacy law, companies operating in New York should be aware that privacy issues are a top priority for the Attorney General’s office. It is likely that attorneys general in other jurisdictions are similarly conducting investigations based on existing consumer protection laws. Companies should carefully analyze their business practices and technology deployment to determine potential adverse impacts on consumers.