Blog | Clym

New York Data Privacy Landscape: Web Tracking Guidelines

Written by Alex Margau | 23 August 2024

The U.S. has seen a surge in consumer privacy laws recently, but New York has yet to pass a broad privacy law like California’s CCPA or Virginia’s VCDPA.

Instead, New York is focusing on digital privacy through specific guidelines.

Notably, on July 30, 2024, New York Attorney General Letitia James released two guides: Website Privacy Controls - A Guide for Business and A consumer guide to web tracking. These resources offer crucial advice on managing website privacy and protecting against online tracking, based on a recent investigation into privacy practices.

In this article, we’ll review New York’s privacy landscape and examine how these new guides impact businesses and consumers.


New York Data Privacy Landscape

As of this writing, New York has several existing and proposed laws aimed at protecting personal information. However, these laws tend to focus on specific types of data or apply to particular types of organizations. Unlike comprehensive privacy laws in states like Montana, Colorado, or Texas, New York’s regulations do not offer full coverage for all types of personal data for its residents.

New York SHIELD Act (Stop Hacks and Improve Electronic Data Security Act)

The SHIELD Act (Stop Hacks and Improve Electronic Data Security Act), signed into law in 2019 and effective as of March 1, 2020, expands the definition of private information and broadens the scope of what constitutes a data breach to include unauthorized access.

The Act requires businesses to implement administrative, technical, and physical safeguards to protect private information and mandates prompt notification to affected consumers and relevant authorities in the event of a breach. 

The Act also imposes penalties for non-compliance, including civil fines for failing to provide timely breach notifications (between $20 and $250,000) or maintain adequate data security measures (up to $5,000 per violation).

 

New York Biometric Privacy Act

The Biometric Privacy Act is proposed legislation that has not yet been signed into law and seems to have been modeled after Illinois' BIPA.

If passed, the Act would require companies that collect biometric data, such as fingerprints or facial recognition, to create a written policy. This policy would need to outline how long they will retain the biometric data and when it will be permanently deleted. The data would have to be deleted either when it is no longer needed for its original purpose or within three years of the person’s last interaction with the company, whichever comes first.

Penalties would range between $1,000 per unintentional violation and $5,000 for reckless or intentional ones. 

 

New York Privacy Act (NYPA) 

The New York Privacy Act (NYPA) is a proposed piece of legislation which is still waiting in the Assembly after being passed by the Senate in May 2024. Key points of the law include: 

  • Application: NYPA would apply to “legal persons that conduct business in New York or produce products or services that are targeted to residents of New York, and that satisfy one or more of the following thresholds:
    • (a) have annual gross revenue of twenty-five million dollars or more;
    • (b) controls or processes personal data of fifty thousand consumers or more; or
    • (c) derives over fifty percent of gross revenue from the sale of personal data.”
  • Exemptions: certain activities are exempt from the law, such as those involving the collection, maintenance, disclosure, sale, communication, or use of data regulated by the Fair Credit Reporting Act. In addition to these, data processed for public health activities, human subjects research, or product registration and tracking under FDA regulations is also exempt.
  • Consumer Rights: consumers have several rights under this law, including the right to notice, access, correction, deletion, and data portability. They also have the right to opt out of the sale of their personal data and to withdraw consent for data processing.
  • Controller Obligations: controllers are required to provide clear and accessible privacy notices, conduct data protection assessments, and maintain reasonable safeguards to protect personal data. They must also enter into contracts with processors that include specific data protection requirements.
  • Enforcement: the New York Attorney General is responsible for enforcing the law. The Attorney General may bring actions to enjoin violations, seek restitution, and obtain civil penalties.
  • Penalties for Violations: violations can result in civil penalties of up to $20,000 per violation, with each instance of unlawful processing of personal data constituting a separate violation. In assessing penalties, the court considers the nature and seriousness of the violation, among other factors.

 

 

Website Privacy Controls - A Guide for Business

The New York Attorney General published this Guide to help businesses avoid common mistakes when using tracking technologies like cookies for analytics and marketing. This follows an investigation revealing that many popular websites had broken privacy controls, leading to continued tracking of visitors even after they attempted to disable it.

The guide outlines how to check that privacy disclosures are accurate and comply with New York law. While New York has not yet passed a comprehensive privacy law, consumer protection laws still require businesses to avoid deceptive practices, accurately describe tracking methods, and check that privacy controls work as promised.

The OAG's investigation revealed that many websites were improperly managing third-party tracking tags, which caused privacy controls to not function as intended. 

The investigation prompted the OAG to notify the companies involved, resulting in corrections to their privacy controls. To help businesses navigate these mistakes, the Guide is organized into 4 main points: 

  1. Mistakes to Avoid: Businesses often make errors with tracking technologies, such as miscategorizing tags, misconfiguring consent tools, and using hardcoded tags that bypass privacy controls. These mistakes can lead to visitors being tracked despite opting out. Companies might also use tag features that don’t apply in all states, resulting in unintended data collection. Additionally, a lack of understanding about what data tags collect and how it’s used can complicate compliance. To avoid these issues, check that all tracking technologies are properly configured and respect privacy choices.
  2. Identify and Prevent Issues: To avoid problems with tracking technologies, businesses should assign trained staff to manage tracking, review data before using new tools, correctly configure and categorize tags, test these regularly to see that they work properly, and routinely check that everything is correctly set up and synced.
  3. Comply with New York Law: Businesses must check that their privacy controls and tracking disclosures are clear and accurate. Websites should clearly explain tracking practices, use straightforward language in cookie pop-ups, and provide intuitive, functional privacy controls. Misleading or confusing interfaces can violate the law, so make sure all privacy features match user expectations.
  4. Dos and Don’ts: To improve privacy-related disclosures and controls, businesses should use clear, accessible language, label buttons clearly, and provide equal, easy-to-use options for accepting or declining tracking. Avoid using lengthy text, ambiguous buttons, complex language, or confusing interfaces that make it harder for users to opt out of tracking.
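
The regular testing described in points 1 and 2 can be automated by recording the requests a test browser makes after opting out and comparing them with the site's tag inventory. The sketch below is an added example, not code from the OAG Guide or from Clym; the hostnames, the category names, the `initiator` field and the function `auditOptOut` are assumptions made for illustration.

```javascript
// Added example: audit requests captured AFTER a visitor opted out of tracking.
// All hostnames, categories and log entries below are constructed sample data.

// Tag inventory: each third-party host the site intends to load, with its consent category.
const TAG_INVENTORY = {
  "cdn.shop.example": "essential",
  "analytics.vendor.example": "analytics",
  "ads.vendor.example": "marketing",
};

// Categories the test visitor declined in the cookie pop-up.
const DECLINED = new Set(["analytics", "marketing"]);

// Requests recorded by the test session after opt-out. "initiator" is an assumed
// field saying whether the request came from page markup or from the tag manager.
const CAPTURED_REQUESTS = [
  { url: "https://cdn.shop.example/app.js", initiator: "html" },
  { url: "https://analytics.vendor.example/collect?id=abc", initiator: "tag-manager" },
  { url: "https://ads.vendor.example/pixel.gif", initiator: "html" },
  { url: "https://widgets.unknown.example/embed.js", initiator: "html" },
];

// Returns one finding per request that should not have fired after opt-out.
function auditOptOut(requests, inventory, declined, firstPartyHost) {
  const findings = [];
  for (const { url, initiator } of requests) {
    const host = new URL(url).hostname;
    if (host === firstPartyHost) continue; // first-party traffic is out of scope here
    const category = inventory[host];
    if (category === undefined) {
      // Nobody classified this tag, so no consent rule can apply to it.
      findings.push({ host, issue: "uncategorized tag", initiator });
    } else if (declined.has(category)) {
      // A declined category still fired: either the tag is hardcoded in the
      // page markup, or the consent tool is misconfigured or out of sync.
      const issue = initiator === "html"
        ? "hardcoded tag bypasses consent tool"
        : "consent tool fired declined category";
      findings.push({ host, issue, category, initiator });
    }
  }
  return findings;
}

console.log(auditOptOut(CAPTURED_REQUESTS, TAG_INVENTORY, DECLINED, "www.shop.example"));
```

An empty result means that, for the pages exercised in the test session, no declined or unclassified tag fired; any finding names the host to recategorize, reconfigure or move behind the consent tool.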



A consumer guide to web tracking

The "Consumer Guide to Web Tracking" was published to help consumers understand how their online activities are monitored and what they can do to protect their privacy. The Guide explains that most websites use tracking technologies like cookies to collect data about users’ browsing habits, which can then be used by companies to deliver targeted advertisements.

To help consumers understand web tracking, the Guide is organized into 4 main sections: 

  1. How do websites track consumers?
    Websites track users primarily through cookies, small text files that the user's browser creates when they visit a site. These cookies contain a unique ID that helps websites and ad services recognize the individual as they browse different pages. For example, if a user visits a shoe store's website, a cookie might be saved. Later, when they visit a news site, the ad service can recognize the cookie and show them ads for shoes based on their earlier visit.
  2. What is a cookie pop-up?
    A cookie pop-up is a banner or box that appears on websites to inform visitors about the use of cookies and tracking technologies. These pop-ups can be informational, offering details about data collection; opt-out, allowing users to disable certain cookies; or opt-in, requesting consent for cookie use, with options like "Accept" or "Reject."
  3. How can consumers use cookie pop-ups to protect their privacy?
    Cookie pop-ups can help protect users’ privacy by allowing them to disable some tracking technologies, but they have limitations. Not all cookies can be disabled, especially those necessary for a website's operation, and opting out doesn't delete existing cookies. Additionally, websites may have other tracking methods like device fingerprinting that privacy controls may not block. Users should always review cookie banners and privacy notices to understand their options.
  4. What else can consumers do to limit online tracking?
    The Guide explains that completely stopping online tracking is difficult, but users can protect their privacy by using browser controls to block or delete cookies, installing trusted ad blockers, and disabling browser-based tracking through their browser's privacy settings.