New York Attorney General Issues Cookie Guidance and Enforcement Warnings
Friday, August 16, 2024
NY Cookie Guidance
Print Mail Download info_icon_img/>i

On July 15, 2024, the Office of the New York State Attorney General (OAG) published website privacy control guidance focused on cookies and other tracking technologies. The guidance identifies common deficiencies and recommendations to avoid enforcement. Companies should pay attention because it signals that the OAG intends to enforce online cookie practices even absent a comprehensive state privacy law.

In Depth

COMMON DEFICIENCIES

The OAG describes common deficiencies that risk unfair and deceptive practices (UDAP) claims, which the OAG identified after investigating several popular websites. Examples include:

  1. Miscategorized tags and cookies: Companies risk UDAP claims when they incorrectly categorize cookies (e.g., miscategorizing cookies as “essential” or failing to categorize cookies at all because that often means consumer choices are not honored fully).
  2. Misconfigured cookie consent tools: Companies risk UDAP claims when misconfigured privacy tools fail to honor consumer cookie choices.
  3. Misconfigured cookie settings: Companies risk UDAP claims when they mistakenly assume that “limited data use” features that some cookie providers offer are implemented nationwide when they are only actually available in states with comprehensive privacy laws. Using “hardcoded” tags that evade privacy tools also risks UDAP claims.
  4. Non-cookie tracking technologies: Companies risk UDAP claims when privacy tools cannot block non-cookie tracking technologies, such as server-to-server and digital fingerprinting.

OAG RECOMMENDATIONS TO MITIGATE ENFORCEMENT RISKS

To mitigate these risks, the OAG recommends:

  • Implementing detailed policies, procedures and processes, including:
    • Designating someone to manage tracking technologies generally.
    • Investigating each cookie’s data collection, use and sharing.
    • Configuring and categorizing new and changed tags and tools properly.
    • Testing tags and tools regularly to ensure they honor consumer choices.
  • Ensuring tracking technology representations are accurate and straightforward.
  • Avoiding “weighted” cookie acceptance language that drives consumers to select less privacy-protective settings.
© 2024 McDermott Will & Emery

Current Public Notices

Current Legal Analysis

More from McDermott Will & Emery

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins