What To Know About New York State Attorney General Website Privacy Controls

Published November 19, 2024
Contributors

Anas Baig

Product Marketing Manager at Securiti

Muhammad Ismail

Assoc. Data Privacy Analyst at Securiti

Sadaf Ayub Choudary

Data Privacy Analyst at Securiti

CIPP/US

Internet users are now more diligent and aware of how their data is collected and used online than ever before. They expect clarity and transparency from the websites they visit. Global regulatory developments within the data privacy space will further increase these expectations.

In such a world, websites must ensure they have appropriate privacy controls and disclosures in place that are not only easily accessible but also understandable by the users visiting their website to provide them a clear idea of how a website plans on collecting, storing, using, sharing, and potentially selling their data.

New York's Office of the Attorney General (OAG) has recently published a resource meant to be a guide on website privacy controls that it hopes can serve as a comprehensive framework for businesses operating within New York. The guidelines offer not just actionable information for effective privacy controls but also potential mistakes websites may be committing and their own observations about businesses' data collection practices. Read on to learn more.

OAG's Findings

The OAG's findings focused on the on-page tracking practices that businesses employ on their websites.

The most important of these findings were related to tags. These tags are snippets of code inserted in a webpage that direct a visitor's browser to connect to a third-party service. The third party replies with a unique identifier that the visitor's browser saves in a cookie, allowing the user to be recognized during future browsing sessions. Hence, most websites use these tags to track user activity on their site.

The OAG's investigation analyzed various third-party tags on several websites. At least 13 major websites had privacy controls that were not operating as they claimed to. These 13 sites had almost 75 million visitors in March 2024 alone, highlighting the sheer scale of potential data privacy violations.

These potential violations include tags remaining active even after users had disabled them via the privacy control, leading to user activity being monitored when it should not have been.

However, after the OAG alerted them, each of the 13 websites amended its practices and mitigated the potential violations.

Key Mistakes to Avoid

Some key mistakes the OAG's investigation found and that require corrective actions include the following:

Uncategorized/Miscategorized Tags & Cookies

Most websites use consent management tools to implement privacy controls. These tools allow users to turn off and on categories of tags and cookies depending on their unique needs and the tags' purposes. For example, users can choose to disable tags related to marketing but enable tags used for fraud detection and analytics.

However, the effectiveness of such tools relies entirely on the tags being appropriately categorized within the tool. If a tag is miscategorized or not categorized at all, it will not respond to the choices being made. For example, the user may make a decision to disable a tag and it may remain active.

Misconfigured Tools

Many websites use consent management tools and tag management tools to simplify tag management. However, using these tools together can cause more problems than it solves, as the combination introduces technical and operational complexity if the two are not properly configured to integrate with each other.

The guide illustrates this by pointing out that the consent management tool might not pass proper opt-out signals to the tag management tool, leading to marketing cookies still being active when the user had explicitly asked for them to be disabled.

Cookieless Tracking

Websites often use tracking technologies beyond third-party cookies, such as directly passing visitor data to advertisers without cookies or consent tools. Regardless of the method, businesses must not mislead consumers about privacy or choice. Privacy controls should honor visitors’ choices across all tracking technologies, ensuring consistent application of preferences.

Incomplete Understanding of Data Tags Collection and Use

Before implementing a new tag, businesses must fully understand what data the tag collects and how that data is used or shared. However, this process can be challenging, as marketing materials and technical documentation for tags are often incomplete or unclear, leaving businesses with gaps in knowledge about the tag's functionality.

Tag Privacy Settings

Many widely used tags include configurable settings that allow website operators to control how collected data is used. The guidance illustrates this with an example of how Meta and Google have options that enable businesses to manage their data collection and also dictate how third-party tag providers may collect data, such as limited data use (LDU) and restricted data processing (RDP).

However, these options only work in states with comprehensive data privacy laws. In states without such laws, such as New York, these features may not prevent tags from collecting and using visitor data. This has led to cases where businesses mistakenly relied on these settings, assuming they would limit data collection for all users, including those who opted out of marketing activities in states without comprehensive privacy laws.

Hardcoded Tags

Many websites also have tags that were hardcoded into the site and are therefore not configured to work with the privacy controls deployed on it. Because of this hardcoding, the consent management tools and the choices users make through them do not apply to these tags, which continue to function regardless of the users' decisions.
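The three failure modes above (a tag with no category, a consent state that never reaches the loader, and a tag hardcoded into the page) come down to one question: does every tag pass through a gate that knows its category and the user's current choices? The following consent-gated loader is an added example, not code from the OAG guidance or from any consent management product; tag names, categories, and URLs are constructed placeholders, and the `inject` callback stands in for appending a script element so the code runs without a browser. It treats an uncategorized tag as denied rather than letting it fire unconditionally, and it shows why a hardcoded script bypasses the gate entirely.

```javascript
// Added example (not from the OAG guidance or Securiti): a minimal consent-gated
// tag loader. Tag ids, categories and URLs are constructed placeholders.

// Consent categories a CMP typically exposes. "necessary" cannot be refused.
const CATEGORIES = ["necessary", "analytics", "marketing"];

// Tag registry: every tag the site deploys, with its declared category.
// "mystery-pixel" is deliberately left uncategorized to show the fail-closed rule.
const TAG_REGISTRY = [
  { id: "fraud-check",   category: "necessary", src: "https://fraud.example/tag.js" },
  { id: "analytics",     category: "analytics", src: "https://stats.example/a.js" },
  { id: "ad-pixel",      category: "marketing", src: "https://ads.example/pixel.js" },
  { id: "mystery-pixel", category: undefined,   src: "https://unknown.example/p.js" },
];

// Normalise the CMP's raw state into one explicit decision per category.
// A category the CMP did not report is treated as denied (fail closed), so a
// CMP that fails to pass a signal cannot silently enable marketing tags.
function normalizeConsent(cmpState) {
  const consent = {};
  for (const c of CATEGORIES) {
    consent[c] = c === "necessary" ? true : cmpState[c] === true;
  }
  return consent;
}

// Decide which registry entries may load under the given consent.
// Returns { allowed, blocked } so callers (and tests) can inspect the decision.
function gateTags(registry, consent) {
  const allowed = [];
  const blocked = [];
  for (const tag of registry) {
    const known = CATEGORIES.includes(tag.category);
    if (known && consent[tag.category]) {
      allowed.push(tag.id);
    } else {
      blocked.push({ id: tag.id, reason: known ? "category denied" : "uncategorized" });
    }
  }
  return { allowed, blocked };
}

// Load the allowed tags through an injectable `inject` callback so this runs
// without a DOM. In a browser, `inject` would append a <script> element.
function loadTags(registry, cmpState, inject) {
  const decision = gateTags(registry, normalizeConsent(cmpState));
  const fired = [];
  for (const tag of registry) {
    if (decision.allowed.includes(tag.id)) {
      inject(tag.src);
      fired.push(tag.src);
    }
  }
  return { fired, blocked: decision.blocked };
}

// A hardcoded tag: a script placed directly in the page never consults the
// gate, which is why such tags keep running after an opt-out. Returning the
// injected URL makes the bypass visible to a test.
function hardcodedTagLoads(inject) {
  const src = "https://ads.example/legacy-pixel.js";
  inject(src);
  return src;
}

// Stand-alone run: the user accepted analytics and refused marketing.
const injected = [];
const demo = loadTags(TAG_REGISTRY, { analytics: true, marketing: false }, (src) => injected.push(src));
console.log("fired:", demo.fired);
console.log("blocked:", demo.blocked);
```

The gate is only as good as the registry: a tag that is added to the page outside `TAG_REGISTRY` (the hardcoded case) is never evaluated, so the review step described later in the post has to reconcile the registry against what the page actually loads.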

Best Practices to Adopt

Some practices that businesses can adopt to alleviate most of the aforementioned mistakes include the following:

Designate

Arguably, the most effective way to ensure a website has the appropriate mechanisms in place to manage its tracking technologies is to have a qualified individual overseeing such operations.

By having such an individual in charge of website tracking, a business can rest assured that the technical aspects will be taken care of. Such individuals may also prove helpful in facilitating relevant training for employees using the tracking technologies and regularly reviewing the website's data collection practices to ensure compliance with regulatory requirements.

Understand the Technology

Far too many businesses fall into the trap of simply adopting and implementing the latest technology without fully understanding its implications. Hence, before a new tag or tool is deployed, businesses must thoroughly understand how their existing tags and tools work and, more importantly, whether their usage is in line with how they wish to manage their data collection activities.

This can be done by contacting the tag developer or tool directly and requesting relevant documentation.

Configure

Before a new tag or tool goes live, it should be categorized and configured appropriately, as failure to do so can lead to the problems identified earlier.

Test

It goes without saying that businesses must ensure that any new tag or tool is rigorously tested to verify its functionality's consistency with their expectations. Furthermore, these tests must be conducted at regular intervals and should not be a one-time formality. Doing so can ensure that such a tag or tool's functionality complies with regulatory obligations.
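A test that is repeated at regular intervals needs to be mechanical: visit the site with a given set of choices, capture what the browser actually requests and stores, and compare that against the categories the user refused. The audit below is an added example, not the OAG's or Securiti's code; the request list, cookie string, and host-to-category map are constructed stand-ins for what a browser automation run or a HAR export of a test visit would supply. It reports both outright violations (a denied category still firing) and hosts nobody has categorized, which is the gap that the "Uncategorized Tags" finding describes.

```javascript
// Added example (not from the OAG guidance or Securiti): audit what a test
// visit actually did against the consent the tester gave. All inputs are
// constructed; real runs would feed in captured requests and cookies.

// Which consent category each third-party host belongs to. A host missing
// from this map cannot be judged and is reported for review.
const HOST_CATEGORY = {
  "stats.example": "analytics",
  "ads.example": "marketing",
  "fraud.example": "necessary",
};

// Which consent category each cookie name belongs to.
const COOKIE_CATEGORY = {
  sid: "necessary",
  _stat: "analytics",
  _adid: "marketing",
};

// Constructed capture from a visit where the tester accepted analytics and
// refused marketing.
const OBSERVED_REQUESTS = [
  "https://stats.example/collect?ev=pageview",
  "https://ads.example/pixel?uid=abc123",      // fired despite the opt-out
  "https://fraud.example/check",
  "https://unknown-vendor.example/beacon",     // no one categorized this host
];
const OBSERVED_COOKIES = "sid=k9f2; _stat=1; _adid=abc123";

// One finding per request that contradicts the consent state or cannot be
// judged because its host is uncategorized.
function auditRequests(requests, consent, hostCategory) {
  const findings = [];
  for (const url of requests) {
    const host = new URL(url).hostname;
    const category = hostCategory[host];
    if (category === undefined) {
      findings.push({ subject: host, severity: "needs-review", reason: "host not categorized" });
    } else if (category !== "necessary" && consent[category] !== true) {
      findings.push({ subject: host, severity: "violation", reason: `${category} denied but request fired` });
    }
  }
  return findings;
}

// Same idea for cookies: parse "name=value; name=value" and flag cookies that
// belong to a refused category or have no category at all.
function auditCookies(cookieString, consent, cookieCategory) {
  const findings = [];
  for (const pair of cookieString.split(";")) {
    const name = pair.trim().split("=")[0];
    if (!name) continue;
    const category = cookieCategory[name];
    if (category === undefined) {
      findings.push({ subject: name, severity: "needs-review", reason: "cookie not categorized" });
    } else if (category !== "necessary" && consent[category] !== true) {
      findings.push({ subject: name, severity: "violation", reason: `${category} denied but cookie set` });
    }
  }
  return findings;
}

// A single pass/fail verdict suitable for a scheduled check. Only violations
// fail the run; "needs-review" items are surfaced but left to a human.
function consentCheckPasses(requests, cookieString, consent) {
  const all = [
    ...auditRequests(requests, consent, HOST_CATEGORY),
    ...auditCookies(cookieString, consent, COOKIE_CATEGORY),
  ];
  return { passed: all.every((f) => f.severity !== "violation"), findings: all };
}

// Stand-alone run with the constructed capture above.
const verdict = consentCheckPasses(OBSERVED_REQUESTS, OBSERVED_COOKIES, { analytics: true, marketing: false });
console.log(verdict.passed ? "PASS" : "FAIL", verdict.findings);
```

Run this once per consent combination the interface offers (all accepted, all refused, each category alone), since the misconfiguration the OAG describes shows up only when a refused category is compared against live traffic; a single "accept all" run proves nothing about the controls.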

Review

All deployed tags and tools must be regularly reviewed. The scope of these reviews will depend entirely on the website's use of such tags and tools and any other tools it may have deployed in tandem with them.

Complying with New York Law

Any privacy disclosures presented to users must comply with the relevant New York consumer protection laws. Some key considerations to take into account include the following:

Accurate Privacy Controls

It's one thing to empower users with choices about how they wish their data to be collected, stored, and used. However, it is the website's responsibility to appropriately honor the users' choices related to their data.

Hence, websites must ensure that all privacy controls operate as users would reasonably understand them to, whether that understanding comes from express statements or is implied by the design and implementation of the controls.

Clear & Simple Language

A website's exact language in its privacy policy disclosures can tremendously influence how users understand it and consent to the data being collected. Hence, it is critical to avoid any language that creates a misleading impression in the user's mind about how the website collects, stores, and uses their data.

The guidance mentions an example where a user may be presented with a button labeled "Accept Cookies" or "Accept All" with a description stating that clicking the button means they agree to the use of cookies. This implies that cookies will only be used if the button is clicked, which can be misleading if the website uses an opt-out mechanism where cookies are deployed without user consent as soon as the user visits the site.

User-Friendly Privacy Interface

This may seem more of a cosmetic choice rather than an operational one, but the exact design of the privacy controls, as users view them, can significantly impact their choices owing to how they convey information about the controls' functions and uses.

Hence, the functionality of the privacy controls must be simple enough for the user to understand without unnecessary complications that impede their ability to make straightforward decisions. Additionally, websites should strictly avoid the use of dark patterns where certain functionalities are intentionally made harder for the user to understand or use.

How Securiti Can Help

Securiti is the pioneer of the Data Command Center, a centralized platform that enables the safe use of data and GenAI. It provides unified data intelligence, controls, and orchestration across hybrid multicloud environments. Numerous reputable global enterprises have come to rely on Securiti's Data Command Center for their data security, privacy, governance, and compliance needs.

This Data Command Center provides organizations access to various modules and solutions designed to ensure compliance with all major privacy-related obligations they may be subject to. This includes cookie consent management and privacy policy & notice management. With these solutions, organizations can ensure they have a reliable and robust automated mechanism in place that corresponds with user decisions and reflects their choices within the tools' functionality almost instantaneously.

Furthermore, organizations can gain real-time insights into compliance status via the centralized dashboard and make proactive interventions whenever necessary per their needs.

Request a demo today to learn more about how Securiti can help you comply with the New York State Attorney General's privacy control recommendations and other major data privacy-related regulations within the US and globally.
