NO CONSUMER DATA PRIVACY LAW, NO PROBLEM, OR IS IT: New York issues Business Guidance on Website Consumer Privacy Control Practices
Friday, August 9, 2024
Website Consumer Privacy Control
Print Mail Download info_icon_img/>i

Last month New York’s OAG published business guidance for website privacy controls. No, you did not miss New York passing a Consumer Data Privacy Law. So how are they regulating website privacy controls you ask, very simple, through the state’s consumer protection laws.

This comes down to a straightforward concept of saying what you are going to do and then doing what you said. That’s it, that’s the takeaway. And this is exactly where businesses, according to the NY OAG, are getting tripped up. But not to worry, the OAG provided a ton of helpful guidance around how to identify and prevent issues and some great do’ and don’ts.

One of the big issues identified is that the businesses, whether the consumer resides in a state with consumer data privacy laws or not, are holding out to consumers that they have a choice around their privacy. What the investigation uncovered is that the privacy controls were either not operating as described to consumers or not registering consumer’s choices. If your business practices and policies are not complying with what you told the consumer would happen then you are opening yourself up to the potential risk of violating consumer protection laws with deceptive acts and practices.

During the investigation of more than 12 popular websites, they found that mistakes around consent management tools and uncategorized tags are where most of these companies got caught up. Below is a list of common missteps discovered during the investigation by the state ‘s OAG with the use of tags and tracking technologies.

  • Misconfigured Tools
  • Hardcoded Tags
  • Tag Privacy Settings
  • Incomplete Understanding of Tag Data Collection and Use
  • Cookieless Tracking

New York provided the following guidance below around identifying and preventing issues in connection with tracking technologies.

  • Designate: Designate a qualified individual (or individuals) to be responsible for implementing and managing website-tracking technologies. These individuals should have appropriate training, including on your business’s tracking technologies and policies.
  • Investigate: Before deploying a new tag or tool, or changing how an existing tag or tool is used, take appropriate steps to identify the types of data that will be collected and how the data will be used and shared. In some cases, this may require asking the developer of the tag or tool to provide information that is not publicly available.
  • Configure: When deploying a new tag or tool, or changing how your business uses a tag or tool, ensure that it is appropriately categorized and configured.
  • Test: Conduct appropriate testing to ensure that tags and tools are operating as intended. Test both on a regular basis and when your business has made changes that affect how website visitors are tracked. Automated scanning tools can help but be sure that you understand the types of issues that these tools can and cannot identify.
  • Review: Conduct reviews on a regular basis to ensure tags and tools are properly configured. The scope of any review will depend on the tags and tools your website uses. In most cases, reviews should ensure that tags are properly categorized in a consent-management tool and that any tag-management tool is properly synced.

Ways to make sure you are complying with New York’s consumer protection laws (and most likely every other state out there).

  • Ensure statements about privacy controls are accurate
  • Avoid language that creates a misleading impression
  • Ensure the user interface is not misleading

In looking at this list of ways to comply they seem like very easy controls to put in place. A simple way to strengthen your business practices is to make sure everyone who needs to be involved with website or marketing changes has a seat at the table and an understanding of the changes that are being made and why, such as legal and compliance, marketing, UX, and IT. I know this can get clunky and take time but may help mitigate potential troubles in the long run, and troubles may come with fines and penalties. Another way you can help avoid falling into deceptive acts or dark patterns is to put your consumer hat on, if you were an average consumer using the website what would be your expectations and is there any room for confusion with the consumer’s use or experience with your website?

Read the full guidance for Website Privacy Controls HERE.

© 2024 Troutman Amin, LLP

Current Public Notices

Current Legal Analysis

More from Troutman Amin, LLP

INTRIGUE: Five9 Just Acquired Acqueon and The Czar Has Questions
by: Eric J. Troutman
NONDISCHARGEABLE?: Diana Mey Argues ~$1.5MM TCPA Default Judgment Against Individual Cannot be Discharged in Bankruptcy–is She Right?
by: Eric J. Troutman
TCPAWORLD AFTERDARK: Can I Have Money?
by: Eric J. Troutman
GRIM: Court Compels TCPA Defendant to Produce Class Data from LiveVox as Greenwald Wins Again
by: Eric J. Troutman
QUESTION OF FACT?: Court Refuses to Enforce Arbitration Against TCPA Plaintiff Who Denied Visiting LowerMyBills.com
by: Eric J. Troutman
“CLASS DISCOVERY IS EXPENSIVE AND RESOURCE INTENSIVE”: Court Limits Discovery in TCPA Class Action And It Makes All The Sense in the World
by: Eric J. Troutman
LITIGATION AFTER DEATH: Does TCPA Claim Survive Death of Plaintiff? District Court in Florida Holds “Yes.”
by: Eric J. Troutman
STUCK: Fuego Leads is Going Nowhere in TCPA Class Action After Allegedly Authorizing Infinix Media, LLC to Make Robocalls into Virginia
by: Eric J. Troutman

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins