Regulators in states without omnibus state privacy laws, like New York, are staking their claim over privacy regulation and enforcement. After months of investigating the deployment of tracking technologies and privacy controls on various websites, the New York State Attorney General (“NY AG”) published its guidance, Website Privacy Controls: A Guide for Business. The NY AG also published a companion guidance for consumers, A Consumer Guide to Web Tracking, which provides a high-level overview of how websites track consumers and what steps consumers can take to protect their privacy. Stay tuned for potential enforcement actions and big-figure settlements. Will New York follow Texas in this regard?
NY AG Investigation and Findings
Tracking technologies, like cookies and tags (i.e., pixels), are utilized by businesses to collect and assess information regarding how individuals interact with the business’s website or mobile app. While tracking technologies can provide valuable insights for businesses, they also raise privacy concerns regarding data collection, selling, sharing, creation of detailed profiles about individuals that are used for targeted advertising, cross-site tracking that leads to a comprehensive understanding of an individual’s interests and behavior without the individual’s knowledge or consent, and more. The Federal Trade Commission (“FTC”) is attempting Section 5 Magnuson-Moss rulemaking on this, which they call surveillance capitalism.
The bottom line is:
“As of the publication of this guide, New York has yet to enact a comprehensive privacy law that specifically regulates when and how New York consumers can be tracked online. However, businesses’ privacy-related practices and statements are subject to New York’s consumer protection laws. These laws, which prohibit businesses from engaging in deceptive acts and practices, effectively require that websites’ representations concerning consumer privacy be truthful and not misleading. This means that statements about when and how website visitors are tracked should be accurate, and privacy controls should work as described.”
In other words, states can and will use their consumer protection laws to prosecute deception by omission and false and deceptive statements regarding tracking. For example, a business’s data practices, including how it uses and gives notice of tracking technologies and data practices, are subject to New York’s consumer protection laws, including the state’s General Business Law § 349, under which the NY AG may seek, among other things, civil penalties of up to $5,000 per violation. Although the NY AG did not allude to its unfairness authority, the FTC has been pushing this regarding sensitive data collection and sharing, including by tracking technologies, so don’t be surprised to see that shoe drop.
Getting under the hood and into the weeds:
The NY AG investigated at least 13 high-traffic e-commerce websites offering consumer products (e.g., apparel, books, tickets) that were cumulatively visited by at least 75 million consumers in March 2024. The investigation found that the websites “had privacy controls that did not work as described,” including the following:
- Tracking technologies remained active even after website visitors tried to disable them using the website’s privacy controls.
- Website users’ consent preferences were improperly applied because businesses failed to properly categorize tracking technologies or left them uncategorized. Consent management tools are software solutions that help businesses manage website users’ consent concerning data collection and processing. The tools may not automatically recognize a tracking technology as part of a category (e.g., essential, advertising, analytics), so businesses should review and categorize each tracking technology that is deployed on their websites. If a tracking technology is not properly categorized or is left uncategorized, then a consent preference setting may not be properly applied to it.
- Websites are using consent management tools and tag management tools that are improperly configured. Some websites use a combination of a consent management tool to manage website users’ consent preferences and a tag management tool to manage and deploy marketing tags. However, when the tools are not properly configured to work together, a website user’s consent preferences (i.e., opt-in or opt-out) would not properly pass from the consent management tool to the tag management tool, and consequently, the tag management tool would continue to deploy (or not deploy) marketing cookies despite the website user’s consent preference setting.
- Improper reliance on Meta’s Limited Data Use (“LDU”) and Google’s Restricted Data Processing (“RDP”) tracking technology settings. Meta and Google each offer settings for some of their advertising products which, when enabled, would prompt the Meta or Google ad product to act as a service provider in applicable jurisdictions. The most current version of Google’s U.S. State Privacy Laws Addendum only applies in California, Virginia, Colorado, Connecticut, and Utah, and Google clarified in an FAQ that “starting July 1, 2023, Google will no longer act as [businesses’] service provider (in California) . . . for cross-context behavioral advertising.” Meta’s State-Specific Terms only apply in California, Colorado, Connecticut, Florida, Oregon, Texas, Utah, and Virginia. The NY AG found that businesses were improperly relying on the LDU and RDP settings in non-covered jurisdictions, like New York, to limit data collection regarding consumers.
As of the date of this post, the NY AG has alerted the businesses that owned the websites with defective privacy controls and all have cured the issues that were flagged by the NY AG.
NY AG’s Recommendations
Based on the findings of its investigation, the NY AG makes the following recommendations to businesses that process data regarding New Yorkers:
- Conduct appropriate due diligence of tracking technologies and privacy controls by: (i) designating an individual (or team) with the appropriate skillset and training resources to implement and manage deployment initiatives; (ii) knowing what data is collected by each tracking technology or privacy control, and how the data will be used and shared; (iii) properly categorizing tracking technologies and properly configuring your consent management tool and tag management tool; and (iv) testing (at deployment and regularly thereafter) your tracking technologies and privacy controls to ensure they are working.
- Ensure privacy-related disclosures comply with New York consumer protection laws, including General Business Law § 349. Businesses must ensure that representations regarding a business’s data practices (including with respect to tracking technologies), whether express or implied, are accurate and not misleading by, for example:
- Not representing that the website honors the consumer’s consent preference settings if the website’s privacy controls are not properly configured to do so.
- Avoiding large blocks of text that website users are unlikely to read, complicated language, and confusing interfaces. Examples of a confusing interface may include color schemes that adversely impact the visibility of prompts required to exercise choice (e.g., a “save” button), or cookie banners with ambiguous buttons.
- Not de-emphasizing options to decline tracking or complicating how a website user may decline tracking.
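To make the findings above and the recommendation to categorize, configure and test concrete, here is an added example (not code from the NY AG guide or from any consent or tag management vendor) of a minimal consent gate between a consent management tool and a tag manager. The tag ids, categories and cookie names are constructed for illustration; the point is that an uncategorized tag fails closed rather than silently firing, and that the controls can be verified after an opt-out.

```javascript
// Consent categories the consent management tool exposes. "essential"
// never requires consent. (Constructed for this example.)
const CATEGORIES = ["essential", "analytics", "advertising"];

// Constructed tag registry. Every deployed tag must carry a category;
// "session-recorder" is deliberately left uncategorized to show the
// failure mode the NY AG investigation found.
const TAG_REGISTRY = [
  { id: "cart-session",     category: "essential" },
  { id: "site-analytics",   category: "analytics" },
  { id: "ad-pixel",         category: "advertising" },
  { id: "session-recorder", category: undefined },
];

// Constructed mapping of the cookies each tag sets, used for verification.
const COOKIES_SET_BY = {
  "cart-session":     ["cart_id"],
  "site-analytics":   ["_an_id"],
  "ad-pixel":         ["_ad_uid"],
  "session-recorder": ["_rec_sid"],
};

// Deployment-time check: return tag ids whose category is missing or unknown.
function findUncategorizedTags(registry) {
  return registry.filter(t => !CATEGORIES.includes(t.category)).map(t => t.id);
}

// The CMP -> tag manager handoff. consent looks like
// { analytics: bool, advertising: bool }; essential is always allowed.
// Fail closed: a tag with no valid category is treated as non-essential and
// is NOT fired, so a categorization mistake cannot enable tracking.
function tagsAllowedToFire(registry, consent) {
  return registry
    .filter(t => t.category === "essential" ||
                 (CATEGORIES.includes(t.category) && consent[t.category] === true))
    .map(t => t.id);
}

// Post-opt-out verification: given the cookies actually observed in the
// browser after the visitor set their preferences, return any cookie that
// belongs to a tag which should not have fired under that consent state.
function cookiesViolatingConsent(registry, consent, observedCookies) {
  const allowed = new Set(
    tagsAllowedToFire(registry, consent).flatMap(id => COOKIES_SET_BY[id] || [])
  );
  return observedCookies.filter(name => !allowed.has(name));
}
```

Running the deployment check and the post-opt-out check together is the kind of regular test the guidance calls for: the first catches the uncategorized tag before release, the second catches a tag manager that keeps firing despite the consent state.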
Conclusion
Taking the above together, the NY AG’s recent privacy guidance for businesses indicates the NY AG is exploring ways to utilize its authority under state consumer protection laws in the absence of a comprehensive state privacy law to enforce against businesses for privacy-related infractions. The study illustrates what we see all too often (not with our clients, of course!) – amateurish configuration of consent management platforms, sloppy privacy notice drafting, dark patterns, and the lack of meaningful data governance, which would include cookie management and assessments of all new data practices. Our key micro takeaway – audit your tracking and targeting practices and remediate to be consistent with not only the 20 state consumer privacy laws, and the handful of state online privacy laws, but also federal and state consumer protection laws. On the macro level, keep maturing your data governance program and implement privacy-by-design so problems like this never make it to market.