ARTICLE
15 August 2024

New York Attorney General Issues Cookie Guidance And Enforcement Warnings

MW
McDermott Will & Emery

Contributor

McDermott Will & Emery logo
McDermott Will & Emery partners with leaders around the world to fuel missions, knock down barriers and shape markets. With more than 1,100 lawyers across several office locations worldwide, our team works seamlessly across practices, industries and geographies to deliver highly effective solutions that propel success.
Explore Firm Details
On July 15, 2024, the Office of the New York State Attorney General (OAG) published website privacy control guidance focused on cookies and other tracking technologies. The guidance identifies common...
United States New York Privacy
Photo of Elliot Golding
Photo of James Mann
Authors
To print this article, all you need is to be registered or login on Mondaq.com.

On July 15, 2024, the Office of the New York State Attorney General (OAG) published website privacy control guidance focused on cookies and other tracking technologies. The guidance identifies common deficiencies and recommendations to avoid enforcement. Companies should pay attention because it signals that the OAG intends to enforce online cookie practices even absent a comprehensive state privacy law.

In Depth

COMMON DEFICIENCIES

The OAG describes common deficiencies that risk unfair and deceptive practices (UDAP) claims, which the OAG identified after investigating several popular websites. Examples include:

  1. Miscategorized tags and cookies: Companies risk UDAP claims when they incorrectly categorize cookies (e.g., miscategorizing cookies as "essential" or failing to categorize cookies at all because that often means consumer choices are not honored fully).
  2. Misconfigured cookie consent tools: Companies risk UDAP claims when misconfigured privacy tools fail to honor consumer cookie choices.
  3. Misconfigured cookie settings: Companies risk UDAP claims when they mistakenly assume that "limited data use" features that some cookie providers offer are implemented nationwide when they are only actually available in states with comprehensive privacy laws. Using "hardcoded" tags that evade privacy tools also risks UDAP claims.
  4. Non-cookie tracking technologies: Companies risk UDAP claims when privacy tools cannot block non-cookie tracking technologies, such as server-to-server and digital fingerprinting.

OAG RECOMMENDATIONS TO MITIGATE ENFORCEMENT RISKS

To mitigate these risks, the OAG recommends:

  • Implementing detailed policies, procedures and processes, including:
    • Designating someone to manage tracking technologies generally.
    • Investigating each cookie's data collection, use and sharing.
    • Configuring and categorizing new and changed tags and tools properly.
    • Testing tags and tools regularly to ensure they honor consumer choices.
  • Ensuring tracking technology representations are accurate and straightforward.
  • Avoiding "weighted" cookie acceptance language that drives consumers to select less privacy-protective settings.

The McDermott team has developed extensive resources to help companies mitigate litigation and regulatory risks, including Standard Operative Procedures, playbooks and template language. Please reach out to your McDermott lawyer or contact the authors if you have questions or need assistance with designing, implementing, testing or benchmarking your company's cookie compliance measures.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Photo of Elliot Golding
Elliot Golding
Photo of James Mann
James Mann
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More