Last month New York’s OAG published business guidance for website privacy controls. No, you did not miss New York passing a Consumer Data Privacy Law. So how are they regulating website privacy controls you ask, very simple, through the state’s consumer protection laws.
This comes down to a straightforward concept of saying what you are going to do and then doing what you said. That’s it, that’s the takeaway. And this is exactly where businesses, according to the NY OAG, are getting tripped up. But not to worry, the OAG provided a ton of helpful guidance around how to identify and prevent issues and some great do’ and don’ts.
One of the big issues identified is that the businesses, whether the consumer resides in a state with consumer data privacy laws or not, are holding out to consumers that they have a choice around their privacy. What the investigation uncovered is that the privacy controls were either not operating as described to consumers or not registering consumer’s choices. If your business practices and policies are not complying with what you told the consumer would happen then you are opening yourself up to the potential risk of violating consumer protection laws with deceptive acts and practices.
During the investigation of more than 12 popular websites, they found that mistakes around consent management tools and uncategorized tags are where most of these companies got caught up. Below is a list of common missteps discovered during the investigation by the state ‘s OAG with the use of tags and tracking technologies.
- Misconfigured Tools
- Hardcoded Tags
- Tag Privacy Settings
- Incomplete Understanding of Tag Data Collection and Use
- Cookieless Tracking
New York provided the following guidance below around identifying and preventing issues in connection with tracking technologies.
- Designate: Designate a qualified individual (or individuals) to be responsible for implementing and managing website-tracking technologies. These individuals should have appropriate training, including on your business’s tracking technologies and policies.
- Investigate: Before deploying a new tag or tool, or changing how an existing tag or tool is used, take appropriate steps to identify the types of data that will be collected and how the data will be used and shared. In some cases, this may require asking the developer of the tag or tool to provide information that is not publicly available.
- Configure: When deploying a new tag or tool, or changing how your business uses a tag or tool, ensure that it is appropriately categorized and configured.
- Test: Conduct appropriate testing to ensure that tags and tools are operating as intended. Test both on a regular basis and when your business has made changes that affect how website visitors are tracked. Automated scanning tools can help but be sure that you understand the types of issues that these tools can and cannot identify.
- Review: Conduct reviews on a regular basis to ensure tags and tools are properly configured. The scope of any review will depend on the tags and tools your website uses. In most cases, reviews should ensure that tags are properly categorized in a consent-management tool and that any tag-management tool is properly synced.
Ways to make sure you are complying with New York’s consumer protection laws (and most likely every other state out there).
- Ensure statements about privacy controls are accurate
- Avoid language that creates a misleading impression
- Ensure the user interface is not misleading
In looking at this list of ways to comply they seem like very easy controls to put in place. A simple way to strengthen your business practices is to make sure everyone who needs to be involved with website or marketing changes has a seat at the table and an understanding of the changes that are being made and why, such as legal and compliance, marketing, UX, and IT. I know this can get clunky and take time but may help mitigate potential troubles in the long run, and troubles may come with fines and penalties. Another way you can help avoid falling into deceptive acts or dark patterns is to put your consumer hat on, if you were an average consumer using the website what would be your expectations and is there any room for confusion with the consumer’s use or experience with your website?
Read the full guidance for Website Privacy Controls HERE.