The New York Office of Attorney General (OAG) recently published guidance for website privacy controls. Although New York does not have a comprehensive privacy law, businesses’ privacy-related practices and statements may be subject to New York’s consumer protection laws, which generally prohibit businesses from engaging in deceptive acts and practices. Accordingly, the OAG noted that “statements about when and how website visitors are tracked should be accurate, and privacy controls should work as described.”

Specifically, the OAG stated that representations about privacy controls must be accurate and not misleading, and companies should ensure that privacy controls work properly and as described. The OAG also cautioned against implying that visitors can opt into the use of cookies and similar technologies if that is not the case. As an example, the OAG stated that banners with “Accept Cookies” or “Accept All” buttons, accompanied by text stating that clicking the button means “you agree” to the use of cookies, may convey that cookies will be used only if the consumer clicks the button. The OAG explained its view that this language could be misleading if cookies are deployed regardless of whether the consumer clicks the button, such as at the moment that the consumer lands on the website.

Additionally, the OAG encouraged companies to ensure their website user interface is not misleading and explained that a website with intuitive controls is less likely to implicate New York’s consumer protection laws. For example, the OAG cited concerns about a consent management tool that required users to click one button to disable certain cookies and a separate, easy-to-overlook button to “Save Settings.”

The OAG also provided a list of “mistakes to avoid” when deploying tags and other similar technologies. The OAG’s recommendations are summarized below:

  1. Uncategorized or miscategorized tags and cookies: Ensure that tags and cookies are properly categorized so that privacy controls actually turn off the technologies described by the relevant control.
  2. Misconfigured tools: If using both a consent-management and a tag-management tool, ensure that the consent-management tool is properly passing opt-out signals to the tag-management tool.
  3. Hardcoded tags: Avoid hardcoding tags into the website since consent-management tools may not be able to disable them.
  4. Tag Privacy Settings: Confirm that tag privacy settings are available in New York, as many widely used tags only enable privacy settings in states with comprehensive privacy laws.
  5. Incomplete understanding of tag data collection and use: Be sure to understand what data each tag collects and how that data may be used or shared.
  6. Cookieless technology: Ensure that privacy controls do not mislead consumers regardless of whether their data is shared by cookies or other methods.

The OAG also provided “Dos and Don’ts” for providing effective disclosures and steps companies could take to identify and prevent problems with these technologies. The OAG encouraged companies to use plain, clear language, label buttons clearly, make interfaces accessible, and give equivalent options equal weight (e.g., make “Accept” and “Decline” buttons the same size and color). The OAG encouraged companies to avoid using large blocks of text consumers won’t read, ambiguous buttons, complicated language, and confusing interfaces.

The OAG also said that companies should not de-emphasize options to decline the use of tags and cookies and should not make it harder to decline the use than to allow it. Additionally, the OAG recommended that companies designate qualified individuals to implement and manage cookies and similar technologies, investigate the types of data that new tags will collect, and test to ensure that tags and tools operate as intended.

Kathryn Cahoy

Kate Cahoy uses her substantial class action experience to help clients develop strategic and innovative solutions to their most challenging litigation matters. She regularly defends clients in complex, high-stakes class action disputes involving privacy, antitrust, and consumer protection claims and has achieved significant victories for clients in the technology, entertainment, consumer product, and financial services industries. In addition, Kate has substantial experience litigating cases brought under California’s Section 17200 and other consumer protection, competition, and privacy laws, including the Sherman Act, California Consumer Privacy Act (CCPA), California Invasion of Privacy Act (CIPA), Wiretap Act, Stored Communications Act, Children’s Online Privacy Protection Act (COPPA), Video Privacy Protection Act (VPPA), and common law and constitutional rights of privacy, among others.

Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

As part of her practice, she also regularly represents clients in strategic transactions involving personal data and cybersecurity risk. She advises companies from all sectors on compliance with laws governing the handling of health-related data. Libbie is recognized as an Up and Coming lawyer in Chambers USA, Privacy & Data Security: Healthcare. Chambers USA notes, Libbie is “incredibly sharp and really thorough. She can do the nitty-gritty, in-the-weeds legal work incredibly well but she also can think of a bigger-picture business context and help to think through practical solutions.”

Natalie Dugan

Natalie Dugan is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity Practice Group.

Natalie advises clients on a broad range of data privacy and cybersecurity issues and across industries. Natalie’s practice includes helping clients comply with existing and emerging state privacy laws, such as the California Consumer Privacy Act and the California Privacy Rights Act, along with federal privacy frameworks such as those set forth by the Federal Trade Commission and consumer protection laws and guidance.

With a focus on AdTech and related privacy issues, Natalie routinely partners with clients to develop privacy notices and choices, draft and negotiate privacy terms with vendors and third parties, and design related governance programs and new products. Additionally, Natalie helps clients strategically engage with and respond to privacy-related inquiries from regulators like the FTC, the California Privacy Protection Agency, and state attorneys general.

Natalie also counsels clients on various other technology-related consumer protection issues, such as state “right-to-repair” legislation and anti-tying warranty provisions under the Magnuson-Moss Warranty Act.

Conor Kane

Conor Kane advises clients on a broad range of privacy, artificial intelligence, telecommunications, and emerging technology matters. He assists clients with complying with state privacy laws, developing AI governance structures, and engaging with the Federal Communications Commission.

Before joining Covington, Conor worked in digital advertising helping teams develop large consumer data collection and analytics platforms. He uses this experience to advise clients on matters related to digital advertising and advertising technology.