The New York Office of Attorney General (OAG) recently published guidance for website privacy controls. Although New York does not have a comprehensive privacy law, businesses’ privacy-related practices and statements may be subject to New York’s consumer protection laws, which generally prohibit businesses from engaging in deceptive acts and practices. Accordingly, the OAG noted that “statements about when and how website visitors are tracked should be accurate, and privacy controls should work as described.”
Specifically, the OAG stated that representations about privacy controls must be accurate and not misleading, and companies should ensure that privacy controls work properly and as described. The OAG also cautioned against implying that visitors can opt into the use of cookies and similar technologies if that is not the case. As an example, the OAG stated that banners with “Accept Cookies” or “Accept All” buttons, accompanied by text stating that clicking the button means “you agree” to the use of cookies, may convey that cookies will be used only if the consumer clicks the button. The OAG explained its view that this language could be misleading if cookies are deployed regardless of whether the consumer clicks the button, such as at the moment that the consumer lands on the website.
Additionally, the OAG encouraged companies to ensure their website user interface is not misleading and explained that a website with intuitive controls is less likely to implicate New York’s consumer protection laws. For example, the OAG cited concerns about a consent management tool that required users to click one button to disable certain cookies and a separate, easy-to-overlook button to “Save Settings.”
The OAG also provided a list of “mistakes to avoid” when deploying tags and other similar technologies. The OAG’s recommendations are summarized below:
- Uncategorized or miscategorized tags and cookies: Ensure that tags and cookies are properly categorized so that privacy controls actually turn off the technologies described by the relevant control.
- Misconfigured tools: If using both a consent-management and a tag-management tool, ensure that the consent-management tool is properly passing opt-out signals to the tag-management tool.
- Hardcoded tags: Avoid hardcoding tags into the website since consent-management tools may not be able to disable them.
- Tag privacy settings: Confirm that tag privacy settings are available in New York, as many widely used tags only enable privacy settings in states with comprehensive privacy laws.
- Incomplete understanding of tag data collection and use: Be sure to understand what data each tag collects and how that data may be used or shared.
- Cookieless technology: Ensure that privacy controls do not mislead consumers regardless of whether their data is shared by cookies or other methods.
The OAG also provided “Dos and Don’ts” for providing effective disclosures and steps companies could take to identify and prevent problems with these technologies. The OAG encouraged companies to use plain, clear language, label buttons clearly, make interfaces accessible, and give equivalent options equal weight (e.g., make “Accept” and “Decline” buttons the same size and color). The OAG encouraged companies to avoid using large blocks of text consumers won’t read, ambiguous buttons, complicated language, and confusing interfaces.
The OAG also said that companies should not de-emphasize options to decline the use of tags and cookies and should not make it harder to decline the use than to allow it. Additionally, the OAG recommended that companies designate qualified individuals to implement and manage cookies and similar technologies, investigate the types of data that new tags will collect, and test to ensure that tags and tools operate as intended.