Decoding the New York AG’s website privacy controls
Posted: September 12, 2024
Amid US state enforcement actions related to privacy generally and online privacy specifically – including from Texas and California – the State of New York has taken a different approach: publishing guidance in advance of any general privacy legislation.
Specifically, the New York Attorney General (AG) has recently produced practical guidelines related to online tracking. Even without a specific regulation to back it up, this guidance is a must-read for any business with a US online presence.
A result of Office of the Attorney General (OAG) research into multiple commercial websites and how they manage, or fail to manage, online tracking and consents, the OAG’s ‘Website Privacy Controls, A Guide for Business’ gives organizations an opportunity to learn from others’ mistakes and future-proof their online privacy compliance.
In the absence of a privacy law to enforce, the New York AG’s guidance focuses on how organizations may stumble on the do-say principle; that is, it underscores research results on how websites fall short of operationalizing the promises they make. Specifically, the guidance mentions common errors, some of which are:
- Not categorizing or miscategorizing tags and cookies,
- Misconfiguring tools,
- Hardcoding tags, and
- Relying on tag privacy settings.
Not categorizing or miscategorizing tags and cookies
Most cookie/tracker management tools operate on simple, rule-based principles. The organization decides on categories of cookies/trackers for which it wants to provide choice and categorizes each cookie or tracker into one of those categories. Then the tool can act accordingly, based on a user’s preference for cookies/trackers in each category.
For example, a company may elect to provide a cookie consent experience such that consumers have a choice for one or two categories of cookies, such as advertising and functional/analytics cookies, but not for essential cookies. For the cookie management tool to work correctly, however, the organization must ‘bucket’ each cookie/tracker into the right bucket. If the organization incorrectly buckets a cookie that is really an analytics cookie as an essential cookie, the tool will operate according to its instructions and the analytics cookie that should have been blocked instead gets set.
Moreover, websites are ever-changing creatures, and the cookies and trackers in place tomorrow will be different than the ones in place today. It can be challenging to keep up on website changes in a timely manner, including classifying new cookies and trackers as they get implemented. In its research, the New York AG found websites that misclassified cookies/tags. Moreover, the AG found websites had cookie/tracker management tool settings such that unclassified cookies were set automatically – and they had cookies/tags that had not yet been classified. This resulted in inappropriate permissions handling.
To make the process more complicated, it can be hard to understand tag data uses and sharing practices well enough to classify correctly. Though the New York AG addressed this issue separately in its guidance, it is clear that the opaqueness of tags, trackers and cookies and their uses/sharing increases risk for companies that try, but fail, to classify accurately.
Fortunately, there are some tips for avoiding these two common pitfalls. A documented, regular process for identifying sharing and uses and classifying cookies and trackers correctly can help reduce errors. As an additional safeguard, it may also make sense to set the online consent management tool to block any unclassified trackers/cookies. This measure will keep the website in compliance with its own promises while web teams catch up with frequent website changes.
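The rule-based behaviour described in this section can be shown with a small model. This is an added example, not code from the New York AG's guidance or from any consent management product; the tracker names, categories and the blockUnclassified switch are constructed for illustration.

```javascript
// Constructed sample data: tracker names and categories are illustrative.
const CATEGORY_MAP = new Map([
  ["session_id", "essential"],
  ["site_stats", "analytics"],
  ["ad_pixel", "advertising"],
  ["heatmap_js", "essential"], // misclassified: really an analytics tracker
]);

// Trackers present on the page today; "new_widget_tag" has not been classified yet.
const ON_PAGE = ["session_id", "site_stats", "ad_pixel", "heatmap_js", "new_widget_tag"];

// Decide whether one tracker may be set for this visitor's choices.
function decide(tracker, consent, categoryMap, blockUnclassified) {
  const category = categoryMap.get(tracker);
  if (category === undefined) {
    return { tracker, allowed: !blockUnclassified, reason: "unclassified" };
  }
  if (category === "essential") {
    return { tracker, allowed: true, reason: "essential, no choice offered" };
  }
  // Anything other than an explicit opt-in counts as declined.
  return { tracker, allowed: consent[category] === true, reason: category };
}

// Names of the trackers the tool would let through.
function allowedTrackers(trackers, consent, categoryMap, blockUnclassified) {
  return trackers
    .map((t) => decide(t, consent, categoryMap, blockUnclassified))
    .filter((d) => d.allowed)
    .map((d) => d.tracker);
}

// The visitor declined both optional categories.
const consent = { analytics: false, advertising: false };

// 1. Unclassified trackers allowed by default: two trackers leak.
const permissive = allowedTrackers(ON_PAGE, consent, CATEGORY_MAP, false);
// 2. Unclassified blocked by default: only the misclassified one leaks.
const strict = allowedTrackers(ON_PAGE, consent, CATEGORY_MAP, true);
// 3. Classification corrected as well: only the essential cookie is set.
const fixedMap = new Map(CATEGORY_MAP).set("heatmap_js", "analytics");
const corrected = allowedTrackers(ON_PAGE, consent, fixedMap, true);

console.log({ permissive, strict, corrected });
```

Blocking unclassified trackers closes only one of the two gaps; the misclassified tracker still gets set until the category map itself is corrected.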
Misconfiguring tools
The good news is that there are technologies to help manage every facet of website development and management. The bad news is that, in order to be effective, the tools need to talk with one another and the organization must configure operating rules between systems so that, if there are conflicting outcomes between two systems, the right outcome prevails.
The New York AG found that it was common for consent management tools and tag management tools to operate on a single website, but with the tag management tool rules prevailing. This meant that even cookies and trackers a web visitor declined through the consent management tool still fired on the tag management software’s orders.
The preventative fix for this type of error is to pay attention to how tag management and consent management tools interact with one another, whether and how consents and preferences pass from one to the other, and which rules prevail over others.
Hardcoding tags
Hardcoding tags can mean that a consent management tool will not prevent them from firing. Though there are legitimate reasons to hardcode tags, the practice can allow tags to slip through the consent process and put compliance at risk. Having a documented policy against hardcoding tags, along with a thoughtful exception process to handle outlier use cases where hardcoding tags is required for other reasons, can help prevent unintentional noncompliance with expressed consents.
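Both the tool-precedence problem and the hardcoded-tag problem show up the same way in testing: a tag fires after the visitor declined its category. The following check is an added example, not code from the guidance or from any vendor; the tag names, the initiator field and the recorded session are constructed, and it assumes the test harness can record how each tag was loaded.

```javascript
// Constructed example data; tag names and categories are illustrative.
const TAG_CATEGORIES = new Map([
  ["session_id", "essential"],
  ["site_stats", "analytics"],
  ["ad_pixel", "advertising"],
  ["video_embed", "advertising"],
]);

// What the test visitor chose in the consent banner.
const DECLINED_ALL = { analytics: false, advertising: false };

// Tags recorded as firing during that visit, with how each was loaded
// (the `initiator` field is an assumption about what the recorder captures).
const OBSERVED = [
  { tag: "session_id", initiator: "consent_tool" },
  { tag: "site_stats", initiator: "tag_manager" },   // tag manager rule prevailed
  { tag: "video_embed", initiator: "hardcoded" },    // script placed directly in page HTML
  { tag: "promo_beacon", initiator: "tag_manager" }, // never classified
];

// Return every fired tag that contradicts the visitor's recorded choices.
function auditFiredTags(observed, consent, categories) {
  const findings = [];
  for (const { tag, initiator } of observed) {
    const category = categories.get(tag);
    if (category === "essential") continue; // no choice offered for these
    if (category === undefined) {
      findings.push({ tag, initiator, issue: "unclassified tag fired" });
    } else if (consent[category] !== true) {
      findings.push({ tag, initiator, issue: `fired despite declined ${category} consent` });
    }
  }
  return findings;
}

// Group findings by load path to show where the consent decision was bypassed.
function countByInitiator(findings) {
  const counts = {};
  for (const f of findings) counts[f.initiator] = (counts[f.initiator] || 0) + 1;
  return counts;
}

const findings = auditFiredTags(OBSERVED, DECLINED_ALL, TAG_CATEGORIES);
console.log(findings, countByInitiator(findings));
```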
Relying on tag privacy settings
Some tags, such as some produced by Meta and Google, provide website owners with additional controls related to tag data use. Ironically, this additional privacy feature can bring additional complexity to implementations. The New York AG underscores in its guidance that tag privacy settings may be implemented only in states with privacy laws, and not in other states – so organizations may be unintentionally misleading web visitors from states without privacy laws about how the website is using and sharing their data. However, a technical review of any available tag privacy settings, the scope of their implementation, and any promises the organization makes about consent will help reduce this risk.
In addition to revealing the results of its research into how websites commonly fail regarding cookie/tracker consents, the New York AG’s guidance also delves into the importance of a clear, transparent user interface. This is a nod to what we all know but sometimes overlook – that the best technology cannot result in a compliant, positive privacy experience without appropriate user interface design. The guidance offers practical tips for creating experiences that support informed, unmanipulated consents without overpromising and underdelivering, showing that another regulator is thinking about consent holistically as an intersection of customer experience and technology.