On July 15, 2024, the Office of the New York State Attorney General (OAG) published website privacy control guidance focused on cookies and other tracking technologies. The guidance identifies common deficiencies and recommendations to avoid enforcement. Companies should pay attention because it signals that the OAG intends to enforce online cookie practices even absent a comprehensive state privacy law.
In Depth
COMMON DEFICIENCIES
The OAG describes common deficiencies that risk unfair and deceptive practices (UDAP) claims, which the OAG identified after investigating several popular websites. Examples include:
- Miscategorized tags and cookies: Companies risk UDAP claims when they incorrectly categorize cookies (e.g., miscategorizing cookies as “essential” or failing to categorize cookies at all), because that often means consumer choices are not fully honored.
- Misconfigured cookie consent tools: Companies risk UDAP claims when misconfigured privacy tools fail to honor consumer cookie choices.
- Misconfigured cookie settings: Companies risk UDAP claims when they mistakenly assume that the “limited data use” features some cookie providers offer are implemented nationwide, when they are actually available only in states with comprehensive privacy laws. Using “hardcoded” tags that evade privacy tools also risks UDAP claims.
- Non-cookie tracking technologies: Companies risk UDAP claims when privacy tools cannot block non-cookie tracking technologies, such as server-to-server tracking and digital fingerprinting.
OAG RECOMMENDATIONS TO MITIGATE ENFORCEMENT RISKS
To mitigate these risks, the OAG recommends:
- Implementing detailed policies, procedures and processes, including:
  - Designating someone to manage tracking technologies generally.
  - Investigating each cookie’s data collection, use and sharing.
  - Configuring and categorizing new and changed tags and tools properly.
  - Testing tags and tools regularly to ensure they honor consumer choices.
- Ensuring tracking technology representations are accurate and straightforward.
- Avoiding “weighted” cookie acceptance language that drives consumers to select less privacy-protective settings.