This week, the New York Attorney General issued two privacy guides—one for businesses and one for consumers—outlining online tracking and privacy controls for websites and browsers.

The investigation found that many websites’ consent-management tools failed to transmit opt-out signals to their tag-management tool, which is used to simplify tag management. This results in the tool allowing certain tags to remain active (e.g., targeted advertising tag), even if the user disabled a particular cookie via the consent-management tool.

Additionally, several websites’ tag privacy settings, which allow the operator to configure how much information is actually collected by the tags, were only enabled for states in which there are consumer privacy laws (e.g., California, Colorado). Moreover, many websites did not understand the purpose of the tag or even the exact type of data that the tag would collect from the website users based on the Attorney General’s review of the sites’ privacy policy and statements about tracking technologies made therein.

The business guide, available here, sets forth the “do’s and don’ts” for using website tracking technology and sets out the top mistakes that businesses make when using website tracking technologies, such as:

  • Not categorizing/mis-categorizing cookies and other trackers on the website’s consent-management tool;
  • Using tags that are hardcoded into websites such that consent-management tools cannot control them; 
  • Understanding the functions of each tracker deployed by the business’ website;
  • Implementation of a procedure to identify and prevent issues;
  • Designation of a qualified individual(s) to be responsible for implementing and managing all tracking technologies used on the website (including appropriate training);
  • Implementation of a process for investigating and identifying the types of data that will be collected from a tag and how the data will be used and shared;
  • Conducting regular tests on how the trackers are functioning;
  • Review tags on regularly to ensure tags are properly configured; and,
  • Aligning privacy controls and disclosures with New York privacy and consumer laws.

Additionally, the guide offers recommendations for the responsible use of website tracking technology:

  • Make sure that the disclosures and statements made in the website’s privacy policy are accurate regarding the website’s privacy controls and that such options are honored when selections are made and function properly and as described;
  • Avoid using language that may create confusion/misinterpretations in tracker banners and pop-up boxes;
  • Design the user interface for privacy controls to be easy to use and not misleading;
  • Make the ability to opt-out just as simple as it is to opt-in to online tracking;
  • Avoid large amounts of text that could overwhelm users;
  • Design website buttons that are intuitive to the user; and
  • Avoid using language to de-emphasize options to decline tracking.

This guide’s publication follows the Attorney General’s investigation of websites, finding that 13 high-traffic websites had dysfunctional and misleading privacy controls governing the use of cookies and web tags. The investigation determined that website users who opted-out or turned off trackers on these websites were continually tracked after making those choices. Without detailed regulatory guidelines on the use of website tracking technology, state-level guidelines like this one issued by the New York Attorney General will be a welcomed resource for businesses combing through the complicated web of online tracking and profiling.