The Attorney General of New York has published two new websites (one for businesses, one for consumers) relating to privacy choices online. These sites are a clue to the AG's state of mind, which appears to be centered on enforcement. Although New York does not have a comprehensive state privacy law, the website for businesses makes clear that existing consumer protection laws require accurate and truthful disclosures about privacy practices.
WHY IT MATTERS
The publication of these "how to" guides may signal that the AG will be working to pursue website tracking practices that run afoul of the state's consumer protection laws. The sites follow an internal investigation into general privacy issues online.
In the words of the AG:
These laws, which prohibit businesses from engaging in deceptive acts and practices, effectively require that websites' representations concerning consumer privacy be truthful and not misleading. This means that statements about when and how website visitors are tracked should be accurate, and privacy controls should work as described.
The website outlines several ways in which websites can cause privacy issues for the site owner, including via misconfigured or incorrectly used tags, not appropriately using the "limited data" options offered by providers such as Meta and Google when deploying their tags, using opt-out buttons that inaccurately convey privacy choices, or failing to honor consumer opt-out choices.
The website also offers some best practices:
- use plain, clear language
- label buttons to clearly convey what they do
- make the interface accessible. For example, a visitor should be able to use their keyboard to tab to the privacy controls
- give equivalent options equal weight. For example, if consumers can agree to tracking with a single click, let them decline with a single click. An opt-in model could have a tracking pop-up that provides "Accept" and "Decline" buttons that are equal in size, color, and emphasis
It is meaningful for the AG to have taken up privacy in so public a manner. We must presume that this initiative is important to the AG's office and that enforcement resources are being allocated to it. ALL companies that use pixels, tags, cookies, and other trackers on their sites would do well to review their privacy choices and disclosures. Even without a dedicated privacy law in play, the headache of a consumer complaint or AG investigation into compliance could be expensive and distracting.
While many websites provide visitors with information about the tracking that takes place and controls to manage that tracking, not all businesses have taken appropriate steps to ensure their disclosures are accurate and their privacy controls work as described. Most tracking on the internet relies on cookies, which are small text files created by a web browser when visiting a website. Cookies often contain an identifier unique to a user's device which helps websites and other online services recognize the user as they click from one webpage to the next. Cookies can also be used by advertising companies to track the websites a user visits, the buttons a user clicks, and the searches a user runs, and then be used to serve highly targeted ads to that person.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.