Organizations across the spectrum rely heavily on website tracking technologies to understand user behavior, enhance customer experience, and drive growth. The convenience and insights these technologies offer come with a caveat, however: They can land your organization in hot water if not managed in careful compliance with fast-evolving law.
Recent history is rife with litigation and regulatory actions targeting organizations that employ website tracking technologies like session replay, cookies, and pixels. When used without proper care and consideration, these tools expose organizations to substantial litigation and regulatory risk.
Hundreds of lawsuits have been filed over the past few years alleging that the use of various website tracking technologies violates wiretap and video privacy laws and constitutes a tortious invasion of privacy.
Website tracking technologies have also garnered regulatory attention from state and federal regulators, including, recently, the Office of the New York State Attorney General (OAG), which has published guidance titled “Website Privacy Controls: A Guide For Business” (the “Guide”).
The Guide notes that the impetus for its creation was that:
“Unfortunately, not all businesses have taken appropriate steps to ensure that their disclosures are accurate and that privacy controls work as described. An investigation by the Office of the New York State Attorney General (OAG) identified more than a dozen popular websites, together serving tens of millions of visitors each month, with privacy controls that were effectively broken. Visitors to these websites who attempted to disable tracking technologies would nevertheless continue to be tracked. The OAG also encountered websites with privacy controls and disclosures that were confusing and even potentially misleading.”
The Guide highlights common mistakes the OAG identified through its investigation, including:
- Uncategorized or miscategorized tags and cookies;
- Misconfigured tools that allow tracking even when a consumer has tried to disable it;
- Hardcoded tags that have not been configured to work with the sites’ privacy controls; and
- Cookieless tracking, using forms of tracking that may be outside the scope of the site’s consent-management tool.
To mitigate the risk these mistakes pose, the Guide recommends:
- Designating a qualified individual to oversee the implementation and management of website tracking;
- Taking appropriate steps to identify the types of data that will be collected and how the data will be used and shared;
- Conducting reviews regularly to ensure tags and tools are properly configured;
- Ensuring privacy controls are accurate; and
- Avoiding misleading language in privacy disclosures.
Website tracking technologies are here to stay and can provide enormous value to the organizations that utilize them. It has become clear, however, that such organizations must maintain thoughtful controls to manage the associated risks. Regulators and the plaintiffs’ bar have homed in on website privacy compliance and, unlike in many other areas of compliance, non-compliance is public: anyone can visit your site, review your privacy disclosures (or lack thereof), check what features your site offers that may involve the automatic collection of data, and even run scans to determine what tracking technologies are in use on your site. Organizations that don’t take proactive steps to ensure their websites are compliant therefore become “low-hanging fruit” for claims and enforcement actions.