New York Attorney General Letitia James today announced the launch of two privacy guides on the Office of the Attorney General (OAG) website: a Business Guide to Website Privacy Controls and a Consumer Guide to Tracking on the Web. The Business Guide will help businesses better protect visitors to their websites by identifying common mistakes businesses make when deploying tracking technologies, processes they can use to help identify and prevent issues, and guidance for ensuring they comply with New York law. The Consumer Guide will help New Yorkers by offering tips they can use to protect their privacy when browsing the web. OAG issued these guides following a review that uncovered unwanted tracking on more than a dozen popular websites, collectively serving more than 75 million visitors per month.
“When New Yorkers visit websites, they deserve to have the peace of mind that they won’t be tracked without their knowledge, and won’t have their personal information sold to advertisers,” said Attorney General James. “All too often, visiting a webpage or making a simple search will result in countless ads popping up on unrelated websites and social media. When visitors opt out of tracking, businesses have an obligation to protect their visitors’ personal information, and consumers deserve to know this obligation is being fulfilled. These new guides that my team launched will help protect New Yorkers’ privacy and make websites safer places to visit.”
While many websites provide visitors with information about the tracking that takes place and controls to manage that tracking, not all businesses have taken appropriate steps to ensure their disclosures are accurate and their privacy controls work as described. Most tracking on the internet relies on cookies, which are small text files created by a web browser when visiting a website. Cookies often contain an identifier unique to a user’s device which helps websites and other online services recognize the user as they click from one webpage to the next. Cookies can also be used by advertising companies to track the websites a user visits, the buttons a user clicks, and the searches a user runs, and then be used to serve highly targeted ads to that person.
To help businesses better protect New Yorkers and comply with New York consumer protection laws, Attorney General James launched a Business Guide to Website Privacy Controls. This new guide identifies common mistakes that businesses make and includes steps that can be taken to identify and prevent issues. The Business Guide also provides information to help businesses comply with relevant New York laws, including ensuring that the representations made about tracking, whether express or implied, are truthful and not misleading. The Business Guide provides areas where businesses have run into trouble and tips for avoiding these issues.
In addition to a guide for businesses, Attorney General James launched a guide to help New Yorkers understand how to better protect themselves from unwanted tracking online. The OAG’s Consumer Guide to Tracking explains how website visitors are tracked, what cookie pop-ups do, and to what extent websites’ privacy controls can be relied on to protect users’ privacy. The Consumer Guide explains that on many websites, tracking cookies are created as soon as the first webpage loads, often before consumers have a chance to opt out. Attorney General James wants New Yorkers to appreciate that using a website’s privacy controls to opt out will not delete cookies that already exist on a consumer’s computer, including those created before a webpage visitor had the chance to opt out. This means consumers can be tracked and targeted by personalized ads even if they seemingly opted out.
The online privacy guides released by Attorney General James are part of OAG’s ongoing work to protect New York consumers and help businesses enhance their privacy and data security. Earlier this month, Attorney General James issued a consumer alert to raise awareness about free credit monitoring and identity theft protection services available for millions of consumers impacted by the Change Healthcare data breach. In March 2024, Attorney General James led a bipartisan coalition of 41 attorneys general in sending a letter to Meta Platforms, Inc. (Meta) addressing the recent rise of Facebook and Instagram account takeovers by scammers and frauds. In April 2023, Attorney General James released a comprehensive data security guide to help companies strengthen their data security practices. In January 2022, Attorney General James released a business guide for credential stuffing attacks that detailed how businesses could protect themselves and consumers.
This matter was handled by Senior Enforcement Counsel Jordan Adler and Assistant Attorney General Jina John, with assistance from Internet and Technology Analyst Nishaant Goswamy, all of the Bureau of Internet and Technology, under the supervision of Deputy Bureau Chief Clark Russell and Bureau Chief Kim Berger. The Bureau of Internet and Technology is a part of the Division for Economic Justice, which is led by Chief Deputy Attorney General Chris D’Angelo. The Division of Economic Justice is overseen by First Deputy Attorney General Jennifer Levy.