New York Attorney General Letitia James recently released guidance for businesses and consumers about website tracking technologies. The consumer guide provided examples of common cookies, tracking technologies, and how consumers can manage both. The business guide lists steps the AG expects companies to take to avoid misleading or deceiving consumers in violation of New York’s deceptive trade practices law.
The guides include concerns the AG’s office had with websites’ use of tracking tools. Included in these were mis-categorizing tracking tools in such a way that consumers’ choices might not get honored. For example, labeling a cookie as essential -even if it is not. This resulted, the AG noted, in not letting a consumer opt out of it through a cookie preference tool. Another concern was offering tracking choices to all visitors, but then only honoring the choices from consumers in certain geographic locations (California or Connecticut for example). Also of concern to the AG was using tracking tools over which consumers could not exercise choices through common third-party management tools.
In each of the above scenarios, the AG alleged that these practices would be misleading or deceptive. The business guide suggests several strategies it expects companies to take:
- Designate someone with appropriate training to oversee tracking technologies
- Investigate data collection processes of new tech and tools carefully
- Configure tags and tools properly and test them to ensure they respect consumer choices
- Offer cookies and other tools to consumers in an accurate, clear manner to avoid misleading or confusing consumers.
- Avoid language that might lead consumers to accept a less privacy-protective option
- Pay attention to the design of the website and how choices are offered to avoid dark patterns, also a topic of concern for regulators
- Review tools, tags, cookies on a regular basis to understand how they operate and what data they collect.
Theses guides are part of ongoing consumer protection efforts from the NY AG’s office. In April 2023, the AG’s Office released a data security guide to help businesses protect consumer information. This followed the release of a business guide for credential stuffing attacks. While there is no comprehensive state privacy law in New York, this guide indicates that the AG plans to enforce online cookie practices.
Putting it into Practice: The guide gives companies insight into what AG expects from companies who are engaging in online tracking. It also gives a perspective to companies as they review their cookie programs of what the NY AG might consider deceptive or misleading in this space.