On July 30, 2024, New York Attorney General Letitia James announced the launch of two privacy guides on the Office of the Attorney General (OAG) website: a Business Guide to Website Privacy Controls and a Consumer Guide to Tracking on the Web.
The Business Guide is intended to help businesses better protect visitors to their websites by identifying common mistakes the OAG’s office believe businesses make when deploying tracking technologies, processes they can use to help identify and prevent issues, and guidance for ensuring they comply with New York law. The Consumer Guide is intended to assist New Yorkers by offering tips they can use to protect their privacy when browsing the web, including how to safeguard against unwanted online tracking.
The OAG issued the guides following a review that purportedly uncovered unwanted tracking on more than a dozen popular websites, collectively serving more than 75 million visitors per month.
“When New Yorkers visit websites, they deserve to have the peace of mind that they won’t be tracked without their knowledge, and won’t have their personal information sold to advertisers,” said Attorney General lawyer James. “All too often, visiting a webpage or making a simple search will result in countless ads popping up on unrelated websites and social media. When visitors opt out of tracking, businesses have an obligation to protect their visitors’ personal information, and consumers deserve to know this obligation is being fulfilled. These new guides that my team launched will help protect New Yorkers’ privacy and make websites safer places to visit.”
While many websites provide visitors with information about the tracking that takes place and controls to manage that tracking, not all businesses have taken appropriate steps to ensure their disclosures are accurate and their privacy controls work as described, according to the OAG. “Most tracking on the internet relies on cookies, which are small text files created by a web browser when visiting a website. Cookies often contain an identifier unique to a user’s device which helps websites and other online services recognize the user as they click from one webpage to the next. Cookies can also be used by advertising companies to track the websites a user visits, the buttons a user clicks, and the searches a user runs, and then be used to serve highly targeted ads to that person.”
To help businesses better protect New Yorkers and comply with New York consumer protection laws, Attorney General James has launched a Business Guide to Website Privacy Controls. This new guide identifies common mistakes that businesses make and includes steps that can be taken to identify and prevent issues. The Business Guide also provides information to help businesses comply with relevant New York laws, including ensuring that the representations made about tracking, whether express or implied, are truthful and not misleading.
The Business Guide provides areas where businesses have run into trouble and tips for avoiding these issues. It identifies numerous “unfair and deceptive practice” investigation and enforcement avoidance issues that should be considered by those that operate on the Internet, including those pertaining to: (i) uncategorized or miscategorized tags and cookies; (ii) misconfigured consent-management tools; (iii) hardcoded tags; (iv) tag privacy setting; (v) incomplete understanding of tag data collection and use; (vi) cookieless tracking; (vii) identification and prevention of problems when deploying tacking technologies; (viii) ensuring privacy controls and disclosures comply with New York law; and (ix) providing effective disclosures and easy-to-use controls, including “do’s” and “don’ts”. The Business Guide also enumerates various mistakes that marketers make when using website tracking technologies.
In addition to a guide for businesses, Attorney General James launched a guide to help New Yorkers understand how to better protect themselves from unwanted tracking online. The OAG’s Consumer Guide to Tracking explains how website visitors are tracked, what cookie pop-ups do, and to what extent websites’ privacy controls can be relied on to protect users’ privacy.
The Consumer Guide discusses that on many websites, tracking cookies are created as soon as the first webpage loads, often before consumers have a chance to opt out. The Consumer Guide covers, for example, how websites track online activity, what a cookie pop-up is, how consumers can use cookie pop-ups and how consumers can limit online tracking. Attorney General James wants New Yorkers to appreciate that using a website’s privacy controls to opt out will not delete cookies that already exist on a consumer’s computer, including those created before a webpage visitor had the chance to opt out. “This means consumers can be tracked and targeted by personalized ads even if they seemingly opted out.”
The online privacy guides released by Attorney General James are part of OAG’s ongoing work to protect New York consumers and help businesses enhance their privacy and data security.
Attorney General James also recently issued a consumer alert to raise awareness about free credit monitoring and identity theft protection services available for millions of consumers impacted by the Change Healthcare data breach.
In March 2024, Attorney General James led a bipartisan coalition of 41 attorneys general in sending a letter to Meta Platforms, Inc. (Meta) addressing the purported recent rise of Facebook and Instagram account takeovers by scammers and frauds. In April 2023, Attorney General James released a comprehensive data security guide to help companies strengthen their data security practices. In January 2022, Attorney General James released a business guide for credential stuffing attacks that detailed how businesses could protect themselves and consumers.