How to meet the New York AG website privacy controls requirements

Brands and businesses, brace yourselves—New York has just laid down the law on website privacy controls. It’s time to get serious about your website tags, trackers, and consent. 

What’s the new guidance from the New York State AG? 

On July 30, 2024, New York State Attorney General Letitia James announced the release of two comprehensive privacy guides aimed at both consumers and businesses. 

• Business Guide to Website Privacy Controls: highlights common mistakes in deploying tracking technologies and provides actionable steps to ensure compliance with New York laws
• Consumer Guide to Tracking on the Web: educates New Yorkers on protecting their privacy online

These guides emerged following an investigation revealing widespread unwanted tracking on popular websites, collectively serving over 75 million visitors per month.

What is significant about this announcement? 

For most businesses, the risk of data privacy enforcement ramifications has to-date been an empty threat. Big tech companies like Meta and Google attract outsize regulator scrutiny. Yet in the last 12-18 months, the pool has expanded. In 2024, enforcement actions included:

• In January 2024, California Attorney General Rob Bonta announced an investigative sweep targeting streaming services to ensure compliance with the California Consumer Privacy Act (CCPA), focusing on whether these platforms properly allow consumers to opt out of the sale or sharing of their personal information.
• In February 2024, AG Bonta announced a settlement with DoorDash after an investigation revealed the company violated the CCPA and California Online Privacy Protection Act (CalOPPA) by selling customers' personal information without proper notice or opt-out option.
• In August 2024, Texas Attorney General Ken Paxton announced a suit against General Motors, alleging GM mislead drivers into sharing their data with the company, which it then sold to data brokers.

Most U.S. enforcement actions have been driven by the FTC and the CPPA. Now, the New York State AG’s Business Guide to Website Privacy Controls provides a new level of guidance: not just in that it’s from a new player (NY AG), but in its level of specificity. There’s a clear, substantive tone change: instead of talking about policies, they’re diving into tag managers and pixels. 

At Ketch, we’ve said it for years: to effectively honor consumer privacy choices, brands must implement privacy technology that goes beyond the “Hollywood facade” of privacy compliance. The infamous cookie banner, despite its widespread adoption and signal to the world that your brand “does privacy,” is finally being realized for what it is: a single piece of a bigger puzzle. The Hollywood facade of privacy is officially crumbling down.

This publication from the NY AG isn't nebulous legal advice; it's technical guidance for aligning your website privacy controls–a broad category of rules and settings surrounding your website trackers, tags, cookies, and pixels–with the new, heightened expectations of regulatory bodies.

Unpacking the Business Guide to Website Privacy Controls

Let’s dig into the common mistakes brands make when it comes to website privacy controls, and best practices for maturing your privacy program to meet these standards.

Uncategorized or miscategorized tags and cookies

One of the most pervasive mistakes highlighted by the NY AG is the improper handling of tags and cookies. Too often, businesses either fail to categorize tags and cookies correctly, or don't categorize them at all.

This isn’t a problem that’s magically solved by deploying a consent management platform (CMP). The NY AG evaluated several websites with active CMPs and found instances of unclassified or miscategorized cookies and tags. There are two major reasons why CMPs fail brands in this categorization mission.

1. Lack of programmatic rules for uncategorized tags

Many CMPs take a named, list-based approach to blocking tags and cookies from firing. When you add a categorized tag to your named list, it adheres to visitor consent selections. But if a new, uncategorized tag appears, these CMPs are in the dark. If it’s not on the list, no rules will apply, and the tag will fire regardless of visitor opt-outs. 

TIP: Avoid this uncategorized free-for-all by asking your privacy tech vendor if they can support an “allow list” based approach. In an “allow list” model, your defined tags fire according to consent permissions, and all uncategorized tags are restricted from firing until further evaluation. Instead of ignoring unknown tags, you can use your CMP to set programmatic rules for unknowns, regardless of origin or category. 

2. Prioritizing completeness over relevance 

Many tag and cookie scanning products have a reputation for producing inaccurate scans. This is because scanning products are looking for ANY tracker that is set. While this may seem like the right approach, seeking to define a comprehensive, definitive list of trackers is a fool’s errand, thanks to trackers that get set by third parties ushered onto your site:

• Cookies and tags are ALWAYS changing. When your marketing vendor’s javascript is on your webpage, they may engage in what is called “cookie syncing.” Every time your page loads, they may choose to sync with a set of vendors regarding the identity of a person on your webpage. These changing vendors result in variable scanning results depending on the time of the scan. 
• Blocking this activity is unproductive and impossible. These types of cookie syncing operations are using third-party cookies which cannot really be blocked in the first place. The only way to block them is to either remove your marketing vendor (not ideal), or ask them to stop cookie syncing (not realistic). 

The point is: focus your categorization efforts on the things your company can actively control. Work to understand the downstream impacts of their vendors on your website, and take separate measures to contain and control those downstream actions. If your tracker scanning tool doesn’t support you in understanding these nuances, perhaps it's worth looking for another solution.

‍

‍

Javascript tag mismanagement

The Attorney General emphasized that many brands have misconfigured (or failed to configure at all) the connection between visitor opt-outs and tags firing on pages. If a visitor opts out of data collection of any type, the respective tags in that category should cease to fire. However, this wasn’t the case in several tests, where one of two things occurred: 

• The tag management tool (such as Google Tag Manager) failed to connect to the consent management tool, meaning that when visitors opted-out using the consent banner, the related tags did not receive that communication and continued to fire. 
• Tags were “hardcoded” and placed directly into the website page, bypassing the tag management tool. In these cases, the tag management tool may have been working properly, but the hardcoded tags weren’t included in the automation process.

These failures are the result of one major problem: brands rely too much on developers and manual tasks to ensure that website tags fire according to visitor consent signals. 

Most modern brands are constantly changing various website elements, including javascript tags, to maximize growth. It’s simply not sustainable to rely on manual backend developer support to match the digital marketing pace of change. (See here for what it takes to manually connect Google Tag Manager to your CMP.) Businesses that depend on developers to do this configuration work will ALWAYS be one step behind the website teams. Simply put, it’s choosing to operate in failure mode. 

The solution here isn’t faster humans, it’s native integrations. By embracing a CMP that natively integrates with your tag management system (TMS) and tags directly on your site, you’ll get:

• Immediate notifications when a new script tag appears, whether it’s in your TMS or javascript placed directly on a page. (Yes, that’s right: the best consent management platforms can surface hardcoded, on-page scripts that sit outside of your tag manager.) 
• Context about what that script tag does so you can accurately assign category and purpose.
• Automation that connects tag firing behavior with the consent choices of your visitors.

A CMP with native TMS integrations is cost-effective; you’ll stop pulling developers away from more important tasks. Beyond that, you gain real agility and awareness in your ability to map tags to consumer consent preferences.

Reliance on vendor tag privacy settings 

Would it surprise you to know that Meta’s privacy controls don’t exactly have your brand’s best interests in mind? Yea.. we didn’t think so. 

Tag privacy settings are options provided by companies like Meta and Google that allow you to control how data collected by their tags on your site is used. The NY AG rightfully called out this important, nuanced issue: that companies like Meta have produced privacy APIs with initial configuration that, without intervention, override the best intentions of your brand. 

For example: Meta offers an option called Limited Data Use (LDU). LDU is designed to help businesses comply with privacy laws in certain U.S. states by limiting the use of collected data. The AG notes two clear issues with settings like LDU: 

1. Friction in configuration…

The LDU API enables brands to say to Meta, “please limit this visitor’s data use to comply with privacy laws in certain states.” However, in the default behavior the brand doesn’t get to decide if a consumer is in an applicable jurisdiction to enable LDU. Meta does! If the LDU is supposed to have Meta act as a “processor/service provider,” it stands to reason that Meta should make it easy for the controller/business (the brand) to decide and communicate whether LDU is applicable or not. Instead, the controls require that the brand use the API to effectively lie that the consumer is in a Jurisdiction in which Facebook supports LDU. (Many privacy experts would argue that LDU should comply with Section 5 of the FTC Act, prohibiting unfair and deceptive business practices. This means LDU might need to be respected across the entire US.)

2. …Leads to unintentional brand negligence

When brands rely on Meta LDU to stop collecting and using visitor data, they’re relying on an incomplete framework. The New York AG spoke about companies that assumed the LDU settings they were passing ultimately protected their consumers. While this may have been the case in states with comprehensive privacy laws (like CA, CO, and CT, where Meta does enable LDU), it is not the case in New York. Furthermore, the LDU flag does not support the entire set of capabilities within Facebook. In fact, custom audiences, arguably the most important product to control for privacy reasons, are not addressed. 

The incomplete, surface-level nature of these settings is precisely why Ketch builds direct API integrations into essential third-party applications, like Facebook, to control custom audiences for advertising. Brands cannot safely rely on shallow, vendor-supplied privacy APIs to enforce consumer opt-outs. 

Avoid this trap by asking your consent management platform vendor to explain the capabilities of their CMP integrations. When the CMP records a consumer consent signal, can their integrations push that signal into third-party applications to inform audiences? Your provider should be showing up with tools, APIs, and infrastructure that enable you to deploy a comprehensive consent strategy, ensuring every consumer’s data preferences are respected and enforced. 

Incomplete understanding of tag data collection and use

The AG underscored the importance of knowing what a tag does before deploying it. For every tag, businesses must understand 1) what data the tag collects, and 2) how the data may be shared. 

Unlike other website privacy control challenges, improving tag understanding requires capable technology as well as human collaboration. There are three major levers for improvement: 

• You need the ability to label tags with granular purposes. Categorizing what a tag does shouldn’t be limited to language used in the ePrivacy or GDPR frameworks, which often group tags into categories like strictly necessary or functional. A sophisticated CMP should be able to atomize each tag according to its specific purpose for data processing and label as such.
• Consider jurisdiction-specific requirements. Avoid blindly adopting a one-size-fits-all EU-based privacy taxonomy. For example, a tracker that constitutes a data sale in California might be treated differently in Europe. 
• Don’t overlook the need to communicate across teams. Even the most advanced toolset can’t replace internal collaboration. Confused by new tags appearing in your scans? Often the fastest route to closure is a friendly conversation with the marketing team. Privacy is a team sport, and ongoing communication within the business is essential.

Cookieless tracking

The AG’s final point reiterated the privacy community’s obsession with cookie tracking, and the all-too-common mistake of overlooking non-cookie trackers. 

It’s true: cookies and tags ARE the dominant mechanism for tracking individuals and collecting data. But if you are distributing data to your vendors though server side techniques like APIs and file transfers, you STILL need solutions in place to protect your consumer privacy choices in those pipelines. 

Your brand privacy obligations don’t end when your website privacy banner collects the consent signal—that's just the beginning. For most brands, consumer data goes through numerous transfers long after it leaves the website, and each step requires careful management to ensure privacy is respected throughout. If you’re not equipped with the right tools to enforce privacy choices as data moves through your systems, it’s time to prioritize getting them in place.

At Ketch, we believe it’s absolutely critical for your brand to connect directly to your vendors and control how your consumer data is used. We call this consent orchestration: passing consent signals into the systems where personal data flows, ensuring all consumer privacy choices are respected and enforced. If you don’t have integrations and workflows in place to connect your website consent mechanism with your data systems and applications, you should get on it! 

The new standard: elevating your privacy program to meet AG demands 

Data privacy regulation continues to evolve, and state Attorneys General like New York’s Letitia James are becoming increasingly sophisticated in their scrutiny of businesses' privacy practices. 

Gone are the days when superficial compliance measures sufficed. In fact, the Business Guide to Website Privacy Controls begs the question: is the average AG more technically savvy than the average privacy manager?

As a brand and privacy program manager, it’s imperative that you match this level of technical comprehension. This means investing in not just your practical knowledge, but in advanced privacy tech that goes beyond surface-level compliance. The stakes are higher than ever, and the brands that thrive will be those that rise to meet these new regulatory expectations with agility and precision.

‍