Privacy & Information Security Law Blog

On July 30, 2024, New York Attorney General (“AG”) Letitia James announced the Office of the AG’s (“OAG”) publication of two privacy guides, one for businesses and one for consumers, both focused on the use of website tracking technologies. The OAG developed the guides after a recent OAG review of popular websites revealed “privacy controls that were effectively broken,” where individuals tried to disable tracking technologies but the websites continued to track them and serve targeted advertising.

The Consumer Guide to Tracking on the Web explains how web trackers work and provides advice to individuals on how to protect themselves from unwanted tracking technologies, including how to interact with cookie banners (pop-ups), and using browser controls, ad blockers, plugins or disabling browser-based tracking. 

The Business Guide to Website Privacy Controls (“Business Guide”) identifies common areas of noncompliance and mistakes made by companies in deploying tracking technologies. The guide notes that, while the U.S. does not have a comprehensive approach to regulating online tracking, consumer protection laws require notices to individuals about tracking to be accurate, and privacy controls to work. Key mistakes identified in the OAG’s recent review include:

• Uncategorized or miscategorized tags and cookies, which cause consent management tools to become ineffective (uncategorized tags were the leading cause of broken privacy controls);
• Misconfigured tools, such as tag management tools that were not properly integrated with consent management tools;
• Hardcoded tags, which consent management tools could not control;
• Tag privacy settings, such as “restricted data processing” or “limited data use,” which have been enabled only in certain states with comprehensive privacy laws;
• Incomplete understanding of tag data collection and use; and
• Cookieless tracking.

The Business Guide provides advice on how to identify and prevent tracking related issues, such as assigning responsibility over web tracking within the business, and vetting and testing tracking technology. The guide stresses the importance of compliance with New York consumer protection law: “the representations a business makes about tracking – whether express or implied – must be truthful and not misleading.” The guide’s “Dos and Don’ts” for privacy-related disclosures and controls offer practical and familiar advice about avoiding dark patterns and legalese. 

The consumer and business guides on web tracking demonstrate that the New York AG’s office is taking the issue of cookies and tracking technology seriously, and indicate that the OAG intends to enforce against violations of consumer protection laws in the absence of U.S or New York comprehensive privacy legislation.