New York Publishes Privacy Controls Guidance Website

New York has not passed a comprehensive data privacy law like many other states. However, the Empire State does have consumer protection laws that require businesses to accurately disclose how cookies, tags, and other online tracking technologies track website visitor data. Websites must also provide controls that allow visitors to manage what information is tracked.

The Office of the New York State Attorney General (OAG) published a privacy controls guidance website to help businesses understand how to meet privacy requirements under the state’s consumer protection laws.

A Quick Lesson on Cookies and Tags

Cookies are small text files a web browser creates when someone visits a website. Typically, they contain a unique identifier that helps websites recognize a visitor as they click from one webpage to the next. Cookies power shopping carts on e-commerce sites, allow visitors to remain logged in to their accounts for days or weeks, and store visitor preferences.

Tags are snippets of code inserted into a webpage that direct a visitor’s browser to connect to a third-party service. The third party typically responds by sending a unique identifier the browser saves in a cookie. When the browser later encounters a tag from the same third party on another webpage, the browser retrieves the cookie and sends the identifier back to the third party, allowing it to recognize the visitor.

Attorney General Investigation

The OAG conducted a several-month-long investigation to ensure websites provide functioning privacy controls and sufficient information about the use of tracking technology. During their investigation, the OAG found that 13 high-traffic e-commerce websites had privacy controls that did not work as described.

The OAG claims that marketing or advertising tags on these websites remained active after visitors attempted to disable them using the site’s privacy controls. With the tags still enabled, visitors continued to be tracked after opting out.

Common Privacy Control and Tracking Technology Mistakes

In its privacy controls guidance, the OAG identified these common mistakes businesses make when using web tracking technology that were found in its investigation.

Uncategorized or miscategorized tags and cookies

Websites typically use consent-management software to implement privacy controls. This allows categories of tags or cookies to be toggled on or off. Tags must be properly categorized for this type of software to work.

Misconfigured tools

Many websites utilize tag-management software and consent-management software, but the tools must be configured correctly to work together. The OAG investigation found several websites where the consent-management tool was not properly passing opt-out signals to the tag-management tool. This results in tag-management tools still allowing marketing tags to trigger after website visitors disable marketing cookies. If your website is relying upon one or multiple tag managers, the cookie preference center likely needs to be implemented with the tag manager. We recommend checking with your website and digital teams to ensure the tool is operating as expected.

Hardcoded Tags

Some of the websites found in the investigation had tags that were hardcoded into the website instead of configured to work with the privacy controls. Consent-management tools were not able to control the hardcoded tags, causing them to fire every time certain pages loaded.

Tag Privacy Settings

Commonly used tags offer configuration settings that limit how the information collected by tags is used. Examples include Meta’s limited data use option and Google’s restricted data processing feature. Unfortunately, these features may only be enabled in states with a data privacy law. In states without privacy laws, tag providers may not stop collecting and using visitors’ data when website operators have enabled these features. The OAG says several companies it contacted mistakenly believed their tag privacy settings were limiting data collection.

Complying with New York Consumer Protection Laws

The OAG’s privacy controls guidance identifies the following actions to better ensure a business’s privacy controls and disclosures comply with New York’s consumer protection laws:

• The information you provide to your website visitors (cookie pop-ups, privacy notices, privacy control configurations, etc.) must be accurate. For your different privacy statements to remain accurate, you need to assess that your privacy controls are working correctly and as described.
• Avoid language that misleads website visitors. An example provided by the OAG is cookie pop-ups that imply that visitors could opt in to tracking. A pop-up with a button labeled “Accept Cookies” that also states clicking the button means “you agree” to the use of cookies can give visitors the impression that cookies will be used only if the button is clicked. This is misleading if cookies are deployed the moment visitors reach the website without first obtaining consent.
• Design your privacy buttons and other interfaces to create processes that are easy for visitors to follow to completion. Avoid any “save” or any other buttons or links that are confusing or easy to miss.

At CompliancePoint, we have a team that can ensure your website has all the necessary elements to comply with all applicable data privacy and consumer protection laws. Contact us at connect@compliancepoint.com to learn more about our suite of privacy services.