Dissecting the New York Attorney General’s Guide on Safeguarding Against Unwanted Online Tracking

The Hidden Risks of Cookie Tracking

Ever noticed those pop-ups asking you to accept cookies when you visit a website? Saying ‘accept’ to these little text files might seem harmless, but they play a powerful role in how businesses interact with you online. Cookies keep you logged in, remember your shopping cart, and personalize your browsing experience.

However, they also raise significant privacy concerns. With the growing emphasis on data privacy in an increasingly digital world, understanding and managing cookie tracking has never been more critical for businesses.

Because here’s the catch: not all businesses are getting it right. Some are making serious mistakes that could not only erode customer trust but also land them in legal hot water. In this blog, we’ll dive into the common pitfalls businesses face with cookie tracking, the impact of New York’s consumer protection laws, and how you can ensure your website stays compliant while maintaining customer trust.

Why Cookie Tracking Matters to Your Business

Cookies are more than just bits of data; they’re essential to your website’s functionality and your business’s success. They enhance user experience, drive marketing strategies, and help you understand customer behavior. However, if mismanaged, cookies can also be a liability.

The recent scrutiny from the New York Attorney General’s Office (OAG) highlights just how crucial it is to get your cookie tracking and privacy controls right.

The OAG’s investigation revealed that many businesses, even high-traffic ones, fail to implement proper privacy controls. They found that on some websites, visitors were still tracked even after opting out, leading to broken trust and potential legal consequences. This is where businesses need to step up their game.

What You Need to Know: Common Cookie Tracking Mistakes

Uncategorized or Miscategorized Tags and Cookies

One of the most common issues is the mismanagement of cookie categories. Websites often use consent-management tools that allow users to enable or disable certain types of cookies. But if these cookies aren’t properly categorized or tagged, they won’t respond to user preferences, leading to unauthorized tracking.

Misconfigured Tools and Hardcoded Tags

Another frequent error is the misconfiguration of tools. Many businesses use both consent-management (which allows users to control what data they share and manage their consent preferences) and tag-management (which controls the deployment of tags that collect data on websites) tools.

But these need to be perfectly synced to work correctly. If not, cookies may remain active even when a user opts out. Additionally, some tags are hardcoded into the website, bypassing privacy controls entirely.

Over-reliance on Tag Settings

Businesses often rely on tag settings from third-party providers like Google or Meta, assuming these settings (which control how and what data is collected and used by tags on their websites) will automatically protect them from legal risks.

However, these settings may not be effective in certain states with strict privacy laws. In New York, this reliance can lead to unintended data collection and potential violations.

Dos and Don’ts for Privacy-Related Disclosures and Controls

According to the OAG, these are the Dos and Don’ts for providing effective disclosures and avoiding dark patterns that complicate easy-to-understand controls:

How to Do It Right: Best Practices for Cookie Tracking

Designate and Train Responsible Individuals

Start by designating a qualified individual or team to manage your website’s tracking technologies. Ensure they are well-trained and knowledgeable about your business’s privacy policies and the technologies you use.

Investigate and Understand Your Tags

Before deploying any new tags or tools, investigate what data they collect and how it’s used. Don’t hesitate to ask developers for information that might not be publicly available. This will help you avoid surprises and ensure compliance.

Proper Configuration and Regular Testing

Once your tools are set up, configure them correctly and test them regularly. Automated scanning tools can help identify issues, but manual checks are essential to ensure everything works as intended.

Review and Adjust Regularly

Technology and privacy laws are constantly evolving. Regularly review your tags and tools to ensure they are properly categorized and in sync with your consent-management tools. This proactive approach will help you stay compliant and maintain customer trust.

The Bottom Line: Complying with New York’s Consumer Protection Laws

In New York, your business’s privacy controls and disclosures must be truthful and not misleading. Ensure that your website’s privacy statements are accurate, and that your controls work as described. Avoid using confusing language or designing interfaces that mislead users about their privacy choices.

Protect Your Business and Your Customers

Privacy isn’t just a legal requirement; it’s a cornerstone of customer trust. Don’t let mismanaged cookies and broken privacy controls undermine your business. Audit your tracking technologies, refine your privacy controls, and ensure your website complies with all applicable laws today. Your customers—and your bottom line—will thank you.

Nymity Research

Find more detailed insights and tools to help you navigate online tracking.

Start today

Third-Party Cookie Trackers

Understand and manage online trackers effectively while maintaining trust.

Read more

Understanding the Update

In a significant shift from previously communicated plans and strategy, on July 22nd, 2024, Google announced that it would no longer be phasing out support for third-party cookies in its Chrome browser. Instead, Google plans to maintain third-party cookie support while continuing to develop (currently unannounced) additional privacy-preserving functionality.

The Impact on Your Business

This update means that third-party cookies, such as those used for purposes including online advertising and tracking, should continue to operate as intended. While this may provide short-term continuity, it also underscores the ongoing complexities of managing user data and preferences in an ever-evolving privacy-conscious world.

While other major browsers like Firefox and Safari have already phased out certain cookie support (e.g., third-party cookies), this change and the evolving nature of the tracking technology space and regulation thereof further necessitate that organizations have clear understanding of their tracking technology ecosystem and utilization.

Current Regulatory Landscape and Tools

A number of regulations, frameworks, and tools are unaffected by this decision and remain at status quo, including:

EU Digital Markets Act (DMA) – No changes. Still requires Google and the other six “gatekeepers” to commit to an open and fairer digital economy.

IAB TCF v.2.2 for EU GDPR & ePrivacy Directive – No change at this time. TCF remains as the technical standards that help publishers and advertisers comply with the ePrivacy Directive and the General Data Protection Regulation (GDPR) in the EU.

Google Consent Mode (CoMo) V2 – No changes. Still requires organizations using Google Advertising Suite in UK & EEA to change the collection of cookie consent.

Reactions and Impacts

Google’s recent decisions have elicited responses from regulatory bodies emphasizing the importance of transparency and user control in data practices. The UK Competition and Markets Authority (CMA) and the Information Commissioner’s Office (ICO) have expressed public opinions on the matter, highlighting competition and privacy considerations.

Additionally, the Network Advertising Initiative (NAI) has reiterated its commitment to promoting responsible data practices and developing privacy-preserving technologies. And finally, the Interactive Advertising Bureau (IAB) Europe is assessing the changes and the impact on their ecosystems.

The Importance of Cookie Consent Management Continues

Despite continued support of third-party cookies on Chrome, public awareness and regulatory focus on ethical and responsible use of tracking remains high. This is why the use or adoption of a suitable tracker consent management tool such as TrustArc’s Cookie Consent Manager (CCM) remains (and is increasingly) crucial. TrustArc’s CCM solution helps businesses manage user preferences and comply with global privacy regulations, ensuring they can adapt to any changes in the privacy landscape.

Key Features of TrustArc’s Cookie Consent Manager:

• Comprehensive Compliance: Supports requirements imposed by regional, state, federal, and other requirements, such as those prescribed by GDPR, CCPA, and others.
• User-Friendly Interface: Makes it easy for users to manage their consent preferences.
• Customizable Solutions: Tailored to fit the unique needs of your business.
• Seamless Integration: Works smoothly with your existing digital infrastructure.
• Support for Mobile App Consent: Extends consent management capabilities to mobile apps, ensuring compliance across all digital platforms.

Support for Mobile App Consent

Discover how Consent Management Platforms (CMPs) help mobile apps comply with privacy regulations.

Read now

Cookie Consent Manager

Explore expertise and automation help you meet global consent requirements with minimal effort.

Learn more

Moving Forward

While Google’s decision may delay some immediate changes, the trajectory forward and broad focus on increased privacy and user control over data remains clear. Advertisers and publishers can continue to rely on third-party cookies in Chrome, for now, Google has expressed its commitment to enhancing privacy through its ongoing Privacy Sandbox initiative.

Organizations should continue to pay attention to emerging changes designed to protect user’s from tracking and personal data collection practices in this space.

By implementing robust cookie consent management your business can stay ahead of regulatory requirements and build customer trust. TrustArc remains committed to supporting you through these changes and providing the tools and expertise to manage consent effectively and responsibly.

What are online trackers?

Online trackers, in simplest terms, are technologies used by websites and apps to collect data about user interactions. These trackers remember and recognize users by recording, processing, or logging details such as browsing habits, time spent on a webpage, clicked links, and more. This data may serve multiple purposes, from personalizing content and targeted ads to improving website functionality, analytics, or authenticating users for web experiences.

Some common organizational or business purposes for using online trackers include:

• Website analytics: Understanding how users interact with websites or which features they use help businesses improve their user experience and marketing strategies.
• Targeted advertising: Tracking technologies allow advertisers to show personalized ads based on your interests and browsing behavior.
• Fraud detection and security: Tracking can be used to identify and prevent suspicious activity, such as credit card fraud or online hacking.
• Market research: Companies use tracking data to learn about consumer behavior and preferences.
• Personalization: Some websites, advertising, and social media platforms use tracking to personalize your experience by remembering your preferences and settings.

Cookies, a type of tracker, are small pieces of data stored on a user’s device by websites a user visits. Cookies are used to remember user preferences, login information, auto-fill information, shopping cart information, and other information that help enhance a user’s experience.

First-Party and Third-Party Data: What’s the difference?

Online trackers (including first-party and third-party cookies) have the ability to collect two different kinds of data: first-party data and third-party data. What is the difference between the two?

First party data provides valuable specific information to your organization as it is collected directly from your audience (e.g., consumers, data subjects, or website users) and the lawful basis (e.g., consent, legitimate interest, etc.) will vary depending on the purpose and use of the data. In other words, first party data utilizes in-house or internally developed cookies or trackers set directly by your organization on your own web pages or web properties.

On the other hand, third-party data is information collected by other organizations that do not have a direct relationship or interaction with the user. This type of data is typically what is collected by online trackers that are provided by third-party providers (e.g., a third-party analytics or advertising provider) on a website. In other words, third-party data utilizes cookies that may be set by your organization, but are created by third-party service providers or partners, and placed in your web pages or web properties.

Third-party cookies can be accessed by external parties in a manner that results in less user control or understanding of data processed, collected, or tracking – including without the knowledge of the website owner. Since the result of third-party cookies is a physical file/data being placed on a users’ device, some browser providers believe there is elevated privacy risk and have decided to block third-party trackers/cookies, including Firefox and Safari, with Chrome following suit in early 2025 (expected).

Different types of online trackers

Online trackers can, depending on their use case and implementation, share personal or sensitive information with third-party entities, such as advertisers, to help with tailoring and personalizing advertising. This is done for a variety of reasons, including to make ads more relevant to recipients and also to manage ad spend. Trackers come in several forms, each serving distinct purposes and collecting different types of data. Below are some common examples of trackers:

1. Cookie trackers: These are small files stored on your device that track your website activities. Third-party cookies have been the primary method of storing client-side data for over two decades.
2. Pixels: Also known as web beacons, these are tiny, invisible images embedded in web pages or emails, used to track user interaction. These are popularly used for advertising as well, but have numerous purposes.
3. Browser fingerprinting: A more advanced method that gathers data about your device (like screen resolution, installed fonts, or browser type) to create a unique profile for tracking, even without cookies.
4. Embedded scripts: Code snippets that track user behavior within a website. These scripts create most trackers and are responsible for reading and storing data
5. Web beacons: Embedded images that track when a page is loaded.

Types of cookies

Generally speaking and historically, cookies have been one of the most common and popular forms of tracking technologies. Cookies can serve many purposes, including remembering preferences (language, login credentials), tracking website usage (clicks, pages visited), securing a page/preventing fraud, and aiding in personalized content, user experiences, and ads.

Types:

• Session cookies: Temporary, deleted when you close your browser.
• Persistent cookies: Remain on your device for a set period or until manually deleted.
• First-party cookies: Placed by the website you’re visiting or by embedded scripts loaded on your site.
• Third-party cookies: Placed by a different website (e.g., advertising network). They are usually created as a hidden frame and exchange information with a third-party domain.

Examples:

• Session cookie remembering your login on a website.
• Persistent cookie saving your language preference on a news site.
• Third-party cookie tracking your browsing across different websites to show targeted ads.

As noted above, cookies are a specific type of tracker, while trackers are a broader category. Cookies in particular primarily collect website browsing data, while trackers can gather a wider range of information.

Third-party cookies and trackers are at the center of recent privacy concerns due to their ability to collect, aggregate, and store information across sites without user consent. They are able to mass data harvesting, profiling, and real-time bidding for marketing advertising and analytics as well as gather extensive personal data, including IP addresses, search and browsing history, and private details like health and religious beliefs.

Cookie Consent Manager

Meet global consent requirements with minimal effort while maximizing opt-ins and fueling customer trust.

Learn more

Website Monitoring Manager

Identify and monitor cookies, trackers, and website behavior to deliver a secure digital user experience.

Learn more

Current and future state of third-party cookies in browsers

Cookies, first introduced in the 1990s as a way for websites to remember information about the user or their visits and at a time, called “HTTP cookies.” Cookies were designed to fill the gap created by the stateless nature of the web, where websites could not inherently remember previous interactions.
In some circumstances, third-party cookies can be used to track users around the web and build a detailed profile based on browser history and hence are referred to also as tracking cookies. This type of profiling and targeting that is not aggregated has become an essential tool for online advertisers, who use them to track individual user behavior across multiple websites to deliver personalized ads.

Legislation like the General Data Privacy Regulation (GDPR) and Digital Markets Act (DMA) in the European Union and the California Consumer Privacy Act (CCPA) have strong data privacy components around third-party cookie tracking. Combined with strong consumer demand for greater privacy, the combination of regulation and consumer demand has led web browsers and major publishers or media houses like the New York Times to react to these concerns by blocking or depreciating third-party cookies.

Chrome

While Google first pledged depreciation in 2022, there have been a number of delays over the last few years. On January 4th, 2024, Chrome began restricting third-party cookies for 1% of users, or approximately 30 million users, under Tracking Protection, with intention to restrict 100% of users in 2024. Google has now reversed it’s decision to phase out third-party cookies, and plans to maintain third-party cookie support while continuing to develop additional privacy-preserving functionality.

Google’s Privacy Sandbox, is the main vehicle which Google uses to test and development proposals for the replacement of third-party cookies with a collection of emerging technologies aimed at protecting users’ online privacy while also providing tools to provide relevant advertising and targeting.

The sandbox is designed to allow users to still see relevant ads based on interests, with the intent to keep personal information from being tracked or stored by websites. The effectiveness of these new approaches is novel and therefore, is yet unproven, and many details are still being worked out. Regulators such as the CMA (Competition & Markets Authority) and ICO (Information Commissioner’s Office) still have questions about these approaches.

Google’s Privacy Sandbox Proposal

Some of the new mechanisms within Google’s Privacy Sandbox include Google’s TopicsAI, a type of contextual targeting, which uses categories of topics of interest, without relevant additional information about the user’s browsing history. Other types of contextual targeting include keyword and semantic versus behavioral targeting. Some critics have had concerns that this may introduce discriminatory practices.

Google has also introduced other mechanisms such as Enhanced Conversions to capture hashed customer data where advertisers can collect hashed first party conversion data from a website to Google in a privacy safe way. Essentially, matching the data against Google’s logged-in data for identification.

CHIPS (Cookies Having Independent Partitioned State) is another method introduced by Google that allows developers to opt a cookie into partitioned storage, with a separate cookie jar per top-level site. This allows cookies to be set by third-party services, but only read within the context of the top-level site where they were initially set. This blocks cross-site tracking while still enabling non-tracking uses of cookies for different persisting use cases such as persisting chat widgets across different sites, persisting configuration information for CDN load balancing, or headless CMS providers.

FLoC (Federated Learning of Cohorts) is a new way for advertisers to show relevant ads by grouping users into cohorts with similar recent browsing history without being individually identified, providing a level of anonymity, while still allowing advertisers to deliver targeted ads.

Google continues to solicit feedback on its Privacy Sandbox proposal.

Firefox

Mozilla’s Firefox has already phased out third-party cookies and implemented Enhanced Tracking Protection (ETP) by default, blocking third-party cookies and limiting the data advertisers can collect. Firefox has yet to initiate alternative solutions, however it is possible to allow for usage of third-party cookies on a case-by-case basis in Firefox via browser settings.

Safari

Apple has also already blocked third-party cookies by default and implemented Intelligent Tracking Prevention (ITP) to protect user privacy. Apple has also taken a stringent approach towards cookies, where allowing access to third-party cookies per frame can only be done at the code level, via the Storage Access API. Similarly, Apple’s iOS updates (e.g., AppTrackingTransparency framework also known as ATT) has given users more control over their data, requiring apps to ask for permission to track user activities.

Emerging advertising technologies across platforms

With the demise of third-party cookies, advertisers are also turning to other emerging tech and advertising options such as universal IDs (e.g., TradeDesk Unified 2.0 solution), data clean rooms, device IDs, “on device” and client-side processing (e.g., Privacy Sandbox Solutions), contextual targeting, and server-side tags or customer data platforms. Techniques like fingerprinting and CNAME cloaking are also being considered.

Time will tell what privacy initiatives will be popular with consumers and marketers. While these new approaches and emerging tech are being tested for effectiveness, advertisers may need to further rely on first-party data instead.

Future of tracker vendor management

The challenge in the future as alternative tracking technologies arise will be two-fold. First, effective management of online trackers in compliance with privacy regulations will be increasingly important. Second, advertisers and publishers will need to obtain consent to process user data.

Organizations can future-proof their business by effectively managing cookies and online tracking technologies as well as obtaining end-user tracker consent with TrustArc’s compliance solutions:

• Cookie Consent Manager: Obtain tracker consents and manage trackers. Easily support server-side tag management integrations and zero-load best practices. Set up automated tracker scans (of pixel tags, beacons, HTML 5 local storage, HTTPS/JavaScript cookies, etc.) regularly and receive on-demand tracker reports for compliance (e.g., CCPA report). Amplify your advertising compliance and recognize enhanced privacy requirements and signals such as Global Privacy Controls (GPC), IAB TCF and GPP frameworks support, and Google Consent Mode as Google certified CMP.
• Website Monitoring Manager: Enrich tracker scanning, auditing, and reporting across your websites. This product includes on-demand compliance risk reports, regular automated tracker vendor scanning, and simplified compliance review to ensure adherence to regulations such as GDPR, CCPA, and guidelines by the FTC.
• Consent & Preference Manager: Leverage a universal preference center that captures all first-party data consents from your customers and sync preferences across all your third-party systems. With a universal repository, Tag Manager technologies can manage tracker technologies based on recorded consents and within an ad ecosystem, Ad Publishers can retrieve the consent status for a particular user in real-time from the Consent & Preferences Manager at the time of serving ads.
• DAA AMI Validation: Demonstrate your online advertising privacy compliance when using data collected through addressable media identifiers to safeguard consumer privacy. TRUSTe helps validate your practices in a cost-effective way assuring your partners and customers that your interest-based advertising practices align with industry standards and best practices.

As privacy regulations tighten and user awareness increases, it’s more crucial than ever for businesses to understand and manage online trackers effectively while maintaining transparency and trust.

Google is introducing significant changes to the way its advertising and analytics products operate across EEA and UK markets. Utilizing a Google CMP (Consent Manager Platform) partner ensures best practices are followed to maintain functionality.

Starting March 2024, Google’s “EU Consent Mode V2” is mandatory for certain Google products ensuring users’ consents are collected before being able to utilize certain functionality in Google’s products.

What’s the history of Google Consent Mode V1 and V2?

The EU Google Consent Mode V1 was optional and was first introduced in 2015 to improve compliance with data privacy laws for advertising purposes. It included a revision of how Google tracks and optimizes data for programmatic advertising strategies.

The EU Google Consent Mode V2 is now required for tracking and using a Google-certified Consent Management Platform (CMP) ensures that your experience follows best practices. Google tracking takes place only when consent has been given via the enabled Google Consent Mode consent manager experience. It is important to ensure that the configurations and implementations of your consent experience are accurate with your Google Tag Manager.

TrustArc’s knowledgeable and highly skilled Technical Account Management team can ensure that your TrustArc Google Consent Mode experience is correctly configured and functioning as intended for compliance and optimal advertising experience.

How does Google Consent Mode work?

Google Consent Mode can be deployed on a site in one of two methods – a Basic or Advanced deployment. With a Basic deployment, Google Tags are not fired until the user opts in. With an Advanced deployment, Google Tags continuously fires cookieless pings until consent is given. You can learn more in Google’s documentation here.

Who is impacted by the mandatory EU Google Consent Mode V2 requirement?

Organizations deploying cookies or trackers for behavioral or targeted ad marketing/ remarketing in Europe should pay attention! This impacts organizations using Google tools: all Google Ad Services (Ad Mob, Ad Serve, Ad Manager), Google Analytics, and Google Tag Manager.

What is the impact?

Organizations not using Google Consent Mode V2 will experience measurement loss affecting marketing campaigns. Impacting all your advertising activities, campaign optimization, and conversion metrics.

Why the change?

Google has made an important change to its advertising tools, including Google Ads. The Consent Mode will become mandatory for all users starting from March 2024. Companies utilizing Google Ads will need to implement Google Consent Mode to avoid the blocking of personalized ads such as remarketing. In the future, Google plans to block conversion tracking as well for those who don’t comply.

What are the benefits of using a Google Consent Manager Platform (CMP) partner?

You can rest assured that you provide the best advertising experience while meeting all technical requirements with Google. Save time with codeless implementation, and know that your CMP partner is continuously upgrading integrations to Google’s latest standards.