wyrick.com

Cookie Cutter: NY AG Announces Cookie Scrutiny with Business Guide to Website Privacy Controls

Website privacy controls—in the form of banners and pop-ups asking visitors to agree to, or reject, a website’s use of cookies, pixels, and similar technologies used to track their behavior—are becoming ubiquitous. In the United States, companies often use these tools to comply with state comprehensive privacy laws that require them to give consumers the right to opt out of the sale of personal data, and the use or disclosure of that data for targeted advertising.

Not all states have these laws (yet), though. It thus came as somewhat of a surprise when, last week, New York’s Office of the Attorney General (OAG) launched a Business Guide to Website Privacy Controls that offers businesses “guidance for complying with New York law,” with respect to the use of website tracking technologies and privacy controls. According to the Guide, its publication follows an investigation by OAG that identified “more than a dozen popular websites, together serving tens of millions of visitors each month, with privacy controls that were effectively broken,” as well as websites with privacy controls and disclosures that were “confusing and even potentially misleading.” All of which is odd given that, as the Guide itself acknowledges, “New York has yet to enact a comprehensive privacy law that specifically regulates when and how New York consumers can be tracked online.”

While the full Guide is worth a read for any business that provides (or is considering providing) website privacy controls, this post discusses some particularly notable takeaways.

Misleading or Broken Website Privacy Controls Can Lead to AG Enforcement, Even Without a Comprehensive Consumer Privacy Law

In states with comprehensive consumer privacy laws, attorneys general can bring, and have brought, actions against businesses whose websites have misleading or ineffective website tracking disclosures or controls, on the ground that those operators failed to comply with those laws’ notice and opt-out requirements (see, e.g., the California AG’s action against Sephora for alleged violations of the CCPA).

Lacking a comprehensive New York state privacy law to rely on, the OAG asserts in its guide that the state’s consumer protection laws, which prohibit businesses from engaging in deceptive acts and practices, “effectively require that websites’ representations concerning consumer privacy be truthful and not misleading.” As a result, according to OAG, “statements about when and how website visitors are tracked should be accurate, and privacy controls should work as described.”

OAG’s assertion that broad consumer protection laws prohibiting deceptive trade practices apply to websites’ tracking and privacy controls shows that the office doesn’t view the state’s lack of a comprehensive privacy law as a barrier to policing businesses’ online privacy practices.

Misleading Impressions Can Be as Bad as Explicit Misrepresentations

In the Guide, OAG asserts that both express representations about a website’s tracking practices and user choice, such as might appear in a cookie banner or privacy notice, and implicit representations, such as might be made through the presentation of website privacy controls, must be accurate. The Guide outlines examples of problematic language or design choices that “create a misleading impression” and could be actionable under New York’s consumer protection law. Among the most notable:

  • presenting a button labeled “Accept Cookies” or “Accept All” in a cookie banner or pop-up in a way that suggests cookies will be used only if the button is clicked, but deploying cookies before that button is clicked;
  • presenting user interfaces that are confusing or ambiguous, such as by de-emphasizing the steps necessary to decline tracking through the size, color, and placement of relevant text or toggles; and
  • using ambiguous buttons that users may think are meant to reject cookies but don’t, such as an “X” in the corner of a cookie banner that just closes the banner without changing how cookies are used.

The Guide advises that instead of these practices, websites should use “intuitive controls” that are “less likely to implicate New York’s consumer protection laws.”

Proper Implementation and Configuration of Privacy Controls is Critical

The Guide discusses several implementation and configuration mistakes that OAG encountered in its investigation that can break website privacy controls and cause a website’s representations about tracking to be deceptive or misleading.

The “leading cause” of broken privacy controls, the OAG found, was uncategorized or miscategorized tags and cookies. As the Guide explains, most websites implement privacy controls using a type of software known as a consent-management tool. Those tools allow different categories of tags and cookies to be disabled but depend on the operator accurately categorizing the tags and cookies it uses. Failing to do so—such as by mistakenly categorizing advertising cookies as being for fraud detection or analytics—will result in the tool failing to properly restrict tracking in response to a user’s choices.

Other common issues identified by the OAG include:

  • misconfigured consent management tools that don’t properly communicate with other elements of the website, such as the tag-management tool, to give effect to users’ tracking preferences;
  • hardcoded tags that aren’t configured to work with a site’s privacy controls;
  • misplaced reliance on privacy settings offered by third-party tag providers that only work in states with comprehensive privacy laws;
  • inaccurate or incomplete understanding of how tags and cookies collect, use, and share data; and
  • use of cookieless tracking that falls outside the control of a consent-management tool.

These issues make clear that legal teams need to work with web teams to carefully review, configure, test, and monitor the implementation of website privacy controls.
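As an illustration of the kind of test a web team might run (an added example, not taken from the Guide or from any consent-management product), the script below compares the categories an operator entered in its consent tool against each cookie's reviewed purpose and against cookies seen in a test session. All cookie names, categories, and the assumption that only "necessary" cookies may load without a choice are constructed for this sketch.

```javascript
"use strict";

// Operator's categorization as entered in the consent tool (constructed sample).
const inventory = {
  sess: "necessary",
  stats_v: "analytics",
  adx_uid: "fraud-detection", // really an advertising cookie: miscategorized
};

// Purpose of each cookie as established by reviewing vendor documentation (constructed).
const reviewedPurpose = {
  sess: "necessary",
  stats_v: "analytics",
  adx_uid: "advertising",
  px_sync: "advertising",
};

// Assumption: only these categories may load before or without a user's choice.
const ALWAYS_ALLOWED = new Set(["necessary"]);
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function auditCookies(inventory, reviewedPurpose, observed) {
  const findings = [];
  const add = (cookie, issue) => findings.push({ cookie, issue });

  // Category in the tool disagrees with what the cookie actually does.
  for (const [name, category] of Object.entries(inventory)) {
    if (has(reviewedPurpose, name) && reviewedPurpose[name] !== category) add(name, "miscategorized");
  }
  // Cookie seen on the site that the tool knows nothing about (e.g. a hardcoded tag).
  const seen = new Set([...observed.beforeChoice, ...observed.afterReject]);
  for (const name of seen) {
    if (!has(inventory, name)) add(name, "uncategorized");
  }
  // Tracking present before the visitor clicked anything, or after opting out.
  for (const name of observed.beforeChoice) {
    if (!ALWAYS_ALLOWED.has(reviewedPurpose[name])) add(name, "set-before-choice");
  }
  for (const name of observed.afterReject) {
    if (!ALWAYS_ALLOWED.has(reviewedPurpose[name])) add(name, "set-after-reject");
  }
  return findings;
}

// Cookie names captured from a test browser session (constructed sample).
const observed = {
  beforeChoice: ["sess", "stats_v"],
  afterReject: ["sess", "adx_uid", "px_sync"],
};

console.log(auditCookies(inventory, reviewedPurpose, observed));
```

A cookie-name comparison like this does not cover cookieless tracking, which needs a review of outbound network requests instead.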

* * * *

If you would like help reviewing your website’s tracking practices or privacy controls in light of the OAG Guide, please contact any member of the Wyrick Robbins Privacy and Data Security Team.