Compliance Archives | TrustArc https://trustarc.com/topic-resource/compliance/ Mon, 09 Sep 2024 17:46:04 +0000
Step-by-Step Guide to AI Compliance https://trustarc.com/resource/step-by-step-guide-to-ai-compliance/ Mon, 09 Sep 2024 17:46:04 +0000 https://trustarc.com/?post_type=resource&p=5215
Guide

Step-by-Step Guide to AI Compliance


In a world where AI could either serve humanity or surpass it, your organization’s ability to govern AI is crucial. TrustArc’s Step-by-Step Guide to AI Compliance is your blueprint for maintaining harmony between human ingenuity and artificial intelligence. Whether you’re just integrating AI into your operations or refining your approach, this guide offers the insights and strategies you need to ensure AI remains a tool, not a threat.

Key takeaways
  • Understand the AI landscape: Navigate the complex AI regulatory environment, including the AI Act and other key frameworks.

  • Proactive risk management: Learn how to anticipate, assess, and manage AI risks before they evolve.

  • Tools for tomorrow: Access practical templates, tools, and checklists to ensure your AI governance is robust and future-proof.

  • Expert guidance: Benefit from insights and strategies from industry leaders to maintain control over your AI systems.

“With the evolving and growing number of AI and privacy regulations and the dynamic nature of organizations, purpose-built technology can help you streamline risk management and prioritization for cost savings, speed, and scale.”

 
Music Corporation Company https://trustarc.com/resource/music-corporation-case-study/ Thu, 05 Sep 2024 19:47:38 +0000 https://trustarc.com/?post_type=resource&p=5201
Case Study

Music Corporation Company

Building customer trust to drive business results

Discover how a multinational consumer electronics company streamlined its privacy management with TrustArc’s Individual Rights Manager (IRM). Faced with the challenges of keeping up with evolving privacy laws and managing data subject access requests, this company turned to TrustArc to automate the receipt and verification of rights requests.

With the implementation of dynamic assessment tools, opt-in/out cookie banners, and geofencing capabilities, they ensured compliance and built trust with their customers. Learn how TrustArc’s expertise and ongoing platform enhancements help businesses like yours stay ahead of regulatory changes.

 
Fortune 100 Technology Company https://trustarc.com/resource/fortune-100-technology-case-study/ Thu, 05 Sep 2024 19:46:59 +0000 https://trustarc.com/?post_type=resource&p=5200
Case Study

Fortune 100 Technology Company

Revolutionizing privacy management through assessments

Discover how a Fortune 100 technology company revolutionized its privacy management with TrustArc Assessment Manager. Faced with the limitations of a manual and hardcoded in-house solution, the company needed an automated, scalable assessment tool.

TrustArc provided exactly that, resulting in a 60% increase in users and a 300% boost in privacy assessments annually. The solution now supports over 8,000 users, integrates more than 100 client-specific data privacy mandates, and ensures compliance with GDPR Articles 30 and 35. The client’s Corporate Privacy Program Director highlights TrustArc’s exceptional customer service, support, and frequent updates as key to their success.

Learn how TrustArc’s Assessment Manager was instrumental in scaling and transforming manual processes at this company.

 
Medium Enterprise Consumer Services Company https://trustarc.com/resource/medium-enterprise-consumer-services-case-study/ Thu, 05 Sep 2024 19:46:19 +0000 https://trustarc.com/?post_type=resource&p=5199
Case Study

Medium Enterprise Consumer Services Company

How to achieve privacy compliance and accelerate business results.

A medium-sized consumer services company was facing challenges related to managing a complex ecosystem of global laws, efficiently demonstrating GDPR compliance, and automating DPIA management.

They partnered with TrustArc to help transform their privacy program management and adopted Assessment Manager and Data Inventory Hub solutions to help solve their challenges. TrustArc’s tools not only made regulatory reporting easier but also provided the flexibility, customization, and support needed to scale with business changes. With TrustArc solutions, the company could automate 25% of its privacy processes and centralize their data inventory management process. They also were able to cut time-to-compliance by 50% and reduce operating expenses by another 50%.

Learn how TrustArc’s innovative privacy products accelerated the business’s compliance program.

 
Fortune 500 Consumer Products Company https://trustarc.com/resource/fortune-500-consumer-products-case-study/ Thu, 05 Sep 2024 19:42:33 +0000 https://trustarc.com/?post_type=resource&p=5198
Case Study

Fortune 500 Consumer Products Company

Transform privacy program management with TrustArc

Explore how TrustArc helped a leading enterprise cut time-to-compliance by 15%, reduce operating expenses by up to 30%, and automate 75% of its privacy processes. Facing challenges like managing GDPR and CCPA compliance, understanding global regulations, and centralizing data inventory, this company turned to TrustArc for a comprehensive solution.

Utilizing tools like Assessment Manager, Data Inventory Hub, and Cookie Consent Manager, they streamlined their privacy program, enabling better cross-organizational collaboration and more informed business decisions. TrustArc’s innovative products and expert consulting services made compliance easier and more efficient, demonstrating high subject matter expertise and flexibility to scale with business needs. Discover how your organization can achieve similar results with TrustArc’s cutting-edge privacy management solutions.

 
Why Every Business Should Care About Cookie Tracking and Privacy Controls https://trustarc.com/resource/cookie-tracking-privacy-controls-ny-ag-guide/ Tue, 27 Aug 2024 13:46:18 +0000 https://trustarc.com/?post_type=resource&p=5163
article

Why Every Business Should Care About Cookie Tracking and Privacy Controls

Dissecting the New York Attorney General’s Guide on Safeguarding Against Unwanted Online Tracking

The Hidden Risks of Cookie Tracking

Ever noticed those pop-ups asking you to accept cookies when you visit a website? Saying ‘accept’ to these little text files might seem harmless, but they play a powerful role in how businesses interact with you online. Cookies keep you logged in, remember your shopping cart, and personalize your browsing experience.

However, they also raise significant privacy concerns. With the growing emphasis on data privacy in an increasingly digital world, understanding and managing cookie tracking has never been more critical for businesses.

Because here’s the catch: not all businesses are getting it right. Some are making serious mistakes that could not only erode customer trust but also land them in legal hot water. In this blog, we’ll dive into the common pitfalls businesses face with cookie tracking, the impact of New York’s consumer protection laws, and how you can ensure your website stays compliant while maintaining customer trust.

Why Cookie Tracking Matters to Your Business

Cookies are more than just bits of data; they’re essential to your website’s functionality and your business’s success. They enhance user experience, drive marketing strategies, and help you understand customer behavior. However, if mismanaged, cookies can also be a liability.

The recent scrutiny from the New York Attorney General’s Office (OAG) highlights just how crucial it is to get your cookie tracking and privacy controls right.

The OAG’s investigation revealed that many businesses, even high-traffic ones, fail to implement proper privacy controls. They found that on some websites, visitors were still tracked even after opting out, leading to broken trust and potential legal consequences. This is where businesses need to step up their game.

What You Need to Know: Common Cookie Tracking Mistakes

Uncategorized or Miscategorized Tags and Cookies

One of the most common issues is the mismanagement of cookie categories. Websites often use consent-management tools that allow users to enable or disable certain types of cookies. But if these cookies aren’t properly categorized or tagged, they won’t respond to user preferences, leading to unauthorized tracking.

Misconfigured Tools and Hardcoded Tags

Another frequent error is the misconfiguration of tools. Many businesses use both consent-management (which allows users to control what data they share and manage their consent preferences) and tag-management (which controls the deployment of tags that collect data on websites) tools.

But these need to be perfectly synced to work correctly. If not, cookies may remain active even when a user opts out. Additionally, some tags are hardcoded into the website, bypassing privacy controls entirely.

Over-reliance on Tag Settings

Businesses often rely on tag settings from third-party providers like Google or Meta, assuming these settings (which control how and what data is collected and used by tags on their websites) will automatically protect them from legal risks.

However, these settings may not be effective in certain states with strict privacy laws. In New York, this reliance can lead to unintended data collection and potential violations.

Dos and Don’ts for Privacy-Related Disclosures and Controls

According to the OAG, these are the Dos and Don’ts for providing effective disclosures and avoiding dark patterns that complicate easy-to-understand controls:

Do:

  • Use plain, clear language
  • Label buttons to clearly convey what they do
  • Make the interface accessible (e.g., allowing users to tab to privacy controls with a keyboard)
  • Give equivalent options equal weight (e.g., “Accept” and “Decline” buttons of equal size, color, and emphasis)

Don’t:

  • Use large blocks of text that consumers are unlikely to read
  • Use ambiguous buttons (e.g., clicking “X” in the corner of a cookie banner)
  • Use complicated language, including legal or technical jargon
  • Use confusing interfaces
  • De-emphasize options to decline tracking
  • Make it more difficult to decline tracking than to allow it (e.g., requiring more steps to opt out)

How to Do It Right: Best Practices for Cookie Tracking

Designate and Train Responsible Individuals

Start by designating a qualified individual or team to manage your website’s tracking technologies. Ensure they are well-trained and knowledgeable about your business’s privacy policies and the technologies you use.

Investigate and Understand Your Tags

Before deploying any new tags or tools, investigate what data they collect and how it’s used. Don’t hesitate to ask developers for information that might not be publicly available. This will help you avoid surprises and ensure compliance.

Proper Configuration and Regular Testing

Once your tools are set up, configure them correctly and test them regularly. Automated scanning tools can help identify issues, but manual checks are essential to ensure everything works as intended.

Review and Adjust Regularly

Technology and privacy laws are constantly evolving. Regularly review your tags and tools to ensure they are properly categorized and in sync with your consent-management tools. This proactive approach will help you stay compliant and maintain customer trust.

The Bottom Line: Complying with New York’s Consumer Protection Laws

In New York, your business’s privacy controls and disclosures must be truthful and not misleading. Ensure that your website’s privacy statements are accurate, and that your controls work as described. Avoid using confusing language or designing interfaces that mislead users about their privacy choices.

Protect Your Business and Your Customers

Privacy isn’t just a legal requirement; it’s a cornerstone of customer trust. Don’t let mismanaged cookies and broken privacy controls undermine your business. Audit your tracking technologies, refine your privacy controls, and ensure your website complies with all applicable laws today. Your customers—and your bottom line—will thank you.

Ensuring Global Privacy Compliance with TrustArc at Teknor Apex https://trustarc.com/resource/ensuring-global-privacy-compliance-with-trustarc-at-teknor-apex/ Thu, 27 Jun 2024 13:51:24 +0000 https://trustarc.com/?post_type=resource&p=4901
Case Study

Ensuring Global Privacy Compliance with TrustArc at Teknor Apex

How did Teknor Apex navigate GDPR compliance?

Facing the challenge of GDPR compliance, Teknor Apex, a global manufacturer, turned to TrustArc for a comprehensive solution. With TrustArc’s expertise and tools, Teknor Apex quickly established an efficient privacy program, ensuring global regulatory adherence and fostering a culture of privacy. Discover how this strategic partnership transformed their approach to data protection and compliance.

 
Creating a Unified Trust Center: Essential Steps for Success https://trustarc.com/resource/creating-unified-trust-center-steps/ Tue, 11 Jun 2024 10:41:00 +0000 https://trustarc.com/?post_type=resource&p=4872
article

Creating a Unified Trust Center: Essential Steps for Success

From compliance to trust

As data breaches fill headlines and consumer skepticism is at an all-time high, the traditional view of privacy as merely a compliance requirement is rapidly becoming outdated. Privacy is growing. And it’s now a must-have for businesses.

Today, leading organizations understand that privacy is not just about meeting regulatory demands; it’s a strategic asset that can differentiate a brand and build deep, trusting customer relationships.

What caused this shift?

With the rise of technology and the internet over the past two decades, the amount of data available has exploded. Businesses recognized the potential to use this information to increase efficiency and profits.

And as technology use accelerated, regulators fell behind. In some companies, data protection and privacy fell by the wayside. But the enactment of the General Data Protection Regulation (GDPR) in 2018 ushered in a new era of privacy, where compliance was especially prioritized.

Yet, in 2024, the tides have shifted again. Gone are the days when privacy was seen solely through the lens of regulation and compliance. Most of the population is protected under some type of data privacy regulation, and businesses have moved beyond privacy compliance to leveraging privacy as a differentiator.

For the second year in a row, TrustArc’s annual Global Privacy Benchmark survey reveals that ‘keeping brand trust’ was the top privacy goal for responding organizations. The report also highlights ‘risks to reputation and trust’ as the second highest privacy risk.

Consumers have also gotten savvier. Now, privacy is a pivotal point of customer experience, with a positive privacy experience increasing brand preference by as much as 43%. This dramatic shift signifies that customers are interested in the end product and the ethics and practices of the companies they engage with.

Companies like Apple are using this shift to their advantage. For example, Apple is known for championing user privacy. It encrypts all data stored on its devices and has a strict policy against collecting and sharing user data without explicit consent. And it focuses on educating consumers about how companies use their data and what options they have to protect it.

The standard has changed. B2B and B2C consumers expect businesses to be deeply committed to data protection and privacy. In fact, 34% of consumers will switch companies after one suffers a data breach.

The obscurity of trust and safety information

However, businesses are running into a problem. Many companies’ policies, notices, communications, cookie banners, etc., aren’t building trust—they’re doing the opposite.

You can’t use privacy to build trust if your policies, notices, disclosures, overviews, and communications are scattered, outdated, and too hard to understand. From managing personalized data privacy preferences to real-time notifications about policy changes, customers want a better solution.

As technology advances and data becomes more valuable than ever, the importance of privacy and transparency will only grow. It’s no longer enough for organizations to simply comply with regulations and meet minimum requirements; they must prioritize building trust with their customers through transparency.

What is a unified Trust Center?

A Trust Center is more than a website or a section on a company’s page. It’s a comprehensive, centralized, virtual space where organizations transparently share privacy, legal, compliance, and security information. These centers demonstrate an organization’s commitment to safeguarding data and respecting user rights, showcasing everything from security reports such as SOC 2 and privacy certifications (e.g. TRUSTe Responsible AI Certification) to real-time updates on policy changes.

TrustArc’s Trust Center exemplifies this evolution, offering a seamless blend of brand elements that reinforce trust while managing all front-facing trust and safety information efficiently. By enabling organizations to update documents instantly and toggle between public and private settings, Trust Centers have become dynamic tools that reflect an organization’s live commitment to trust and safety.

It serves as a hub for consumer engagement, answering critical questions about a company’s privacy policies and practices. It has become a standard tool for managing trust content – crucial for organizations that uphold trust as a core brand value.

The ability to quickly provide stakeholders with easy access to privacy and security information streamlines workflows and drives tangible ROI through enhanced consumer relationships.

Unified Trust Center development

While building a unified Trust Center will vary depending on the organization, below is an example of what’s included in the process. For most organizations this takes at least three months and requires cross-collaboration between many stakeholders including privacy, security, legal, compliance, IT, marketing, and web development.

1. Strategic Planning and Vision:

Identify the trust center’s primary goals and determine its target audience and their specific needs. For example, simplify how the organization communicates and manages all trust and safety information, including privacy, security, legal, compliance, and product. The target audience includes consumers, regulators, and business partners or vendors. Establish a leadership team to oversee the project, align stakeholders, and assign roles and responsibilities.

2. Data Security and Privacy Notices and Policies:

Create or locate your data security and privacy notices and policies that adhere to applicable standards and regulations. Develop an internal audit of content and methods for easy maintenance of content updates.

3. Infrastructure and Technology:

Working with your organization’s information technology and security teams, establish a secure IT infrastructure with advanced security measures, secure data storage solutions, and backup mechanisms. Choose appropriate platforms for the Trust Center’s content management and website development.

4. Content Development:

Design a clear and intuitive information architecture for the Trust Center. Organize content into logical sections such as security, legal, privacy, and transparency/availability. Develop all necessary detailed documents including policies, procedures, certifications, and FAQs. Plan to update this content regularly to reflect the latest practices and updates.

5. Compliance and Certification:

If you haven’t already, consider obtaining relevant security and privacy certifications to display prominently on the Trust Center. Conduct regular audits, address their findings promptly, and update practices as needed.

6. User Experience and Design:

Design the Trust Center with a focus on usability and availability. Test the website’s responsiveness and be sure it works well on various devices and browsers. Incorporate interactive features like compliance reports, self-service portals, and customer support options. Provide tools for customers to assess your compliance and security posture and make individual rights requests.

Keep in mind that poor management of individual rights requests and a subpar user experience can undo the benefits of spending millions on building positive customer sentiment.

7. Continuous Improvement and Monitoring:

Implement tools to monitor the Trust Center’s performance, security, and user engagement. Use analytics to understand user behavior and improve the Trust Center continuously. Establish channels for user feedback and incorporate relevant suggestions into the Trust Center. Regularly review and iterate on your Trust Center based on user needs and industry trends.

8. Communication and Training:

Ensure all stakeholders know their roles in maintaining the Trust Center. Develop a communication plan to promote the trust center to customers and partners. Use various channels to keep stakeholders informed.

9. Incident Response and Management:

Have a clear process for reporting security incidents to customers. Provide timely updates and detailed reports on incidents and resolutions in the Trust Center.

10. Documentation and Reporting:

Gather detailed records of all security measures, compliance activities, and audit results. Be sure this information is easily accessible and current.

Aligning all stakeholders to plan and build a homegrown Trust Center is no easy task.

Not to mention, the build and continuous updates take away time from marketing and web development, costing between $15,000 and $30,000. It also takes weeks and months to build and maintain it (e.g., updating a policy or adding a downstream vendor).

There’s also an enhanced compliance risk to consider as legal and security teams will often need to wait several weeks for their updates to be implemented into the platform.

Don’t Create, Use Trust Center by TrustArc

The transition to viewing privacy as a trust-building tool represents an organizational cultural shift. TrustArc’s no-code Trust Center embodies this change, centralizing privacy, security, legal, and availability workflows, thereby enabling organizations to manage their front-facing trust efficiently.

As privacy regulations continue to evolve, so will the importance of trust and transparency in business practices. Organizations that strategically invest in building a strong Trust Center now will position themselves for long-term success as customer expectations shift towards increased privacy protection.

Creating a modern trust and safety hub like TrustArc’s unified Trust Center empowers core teams, setting up in minutes without the need for coding, and seamlessly blending brand elements into the Trust Center to reinforce trust. This approach enhances efficiency and showcases an organizational commitment to trust and safety by centralizing all relevant information.

The evolution of privacy from compliance to trust is an ongoing process, but embracing this shift can benefit businesses and consumers significantly.

By prioritizing transparency and investing in a comprehensive Trust Center, organizations can build strong customer relationships based on trust and ethical data practices. This will set them apart in a crowded marketplace and foster long-term loyalty and support, as privacy remains a crucial concern for individuals worldwide.

So, the message is clear: make sure your organization has a robust Trust Center in place to reduce reputational and legal risk, while achieving trust by demonstrating your commitment to privacy.

Guide to Third-Party Cookie Trackers https://trustarc.com/resource/guide-third-party-cookie-trackers/ Sat, 25 May 2024 13:24:05 +0000 https://trustarc.com/?post_type=resource&p=4866
article

Guide to Third-Party Cookie Trackers

What are online trackers?

Online trackers, in simplest terms, are technologies used by websites and apps to collect data about user interactions. These trackers remember and recognize users by recording, processing, or logging details such as browsing habits, time spent on a webpage, clicked links, and more. This data may serve multiple purposes, from personalizing content and targeted ads to improving website functionality, analytics, or authenticating users for web experiences.

Some common organizational or business purposes for using online trackers include:

  • Website analytics: Understanding how users interact with websites or which features they use helps businesses improve their user experience and marketing strategies.
  • Targeted advertising: Tracking technologies allow advertisers to show personalized ads based on your interests and browsing behavior.
  • Fraud detection and security: Tracking can be used to identify and prevent suspicious activity, such as credit card fraud or online hacking.
  • Market research: Companies use tracking data to learn about consumer behavior and preferences.
  • Personalization: Some websites, advertising, and social media platforms use tracking to personalize your experience by remembering your preferences and settings.

Cookies, a type of tracker, are small pieces of data stored on a user’s device by websites a user visits. Cookies are used to remember user preferences, login information, auto-fill information, shopping cart information, and other information that help enhance a user’s experience.

First-Party and Third-Party Data: What’s the difference?

Online trackers (including first-party and third-party cookies) have the ability to collect two different kinds of data: first-party data and third-party data. What is the difference between the two?

First-party data provides valuable specific information to your organization as it is collected directly from your audience (e.g., consumers, data subjects, or website users), and the lawful basis (e.g., consent, legitimate interest, etc.) will vary depending on the purpose and use of the data. In other words, first-party data utilizes in-house or internally developed cookies or trackers set directly by your organization on your own web pages or web properties.

On the other hand, third-party data is information collected by other organizations that do not have a direct relationship or interaction with the user. This type of data is typically what is collected by online trackers that are provided by third-party providers (e.g., a third-party analytics or advertising provider) on a website. In other words, third-party data utilizes cookies that may be set by your organization, but are created by third-party service providers or partners, and placed in your web pages or web properties.

Third-party cookies can be accessed by external parties in a manner that results in less user control or understanding of the data processed, collected, or tracked – including without the knowledge of the website owner. Since third-party cookies result in a physical file/data being placed on a user’s device, some browser providers believe there is elevated privacy risk and have decided to block third-party trackers/cookies, including Firefox and Safari, with Chrome following suit in early 2025 (expected).

Different types of online trackers

Online trackers can, depending on their use case and implementation, share personal or sensitive information with third-party entities, such as advertisers, to help with tailoring and personalizing advertising. This is done for a variety of reasons, including to make ads more relevant to recipients and also to manage ad spend. Trackers come in several forms, each serving distinct purposes and collecting different types of data. Below are some common examples of trackers:

  1. Cookie trackers: These are small files stored on your device that track your website activities. Third-party cookies have been the primary method of storing client-side data for over two decades.
  2. Pixels: Also known as web beacons, these are tiny, invisible images embedded in web pages or emails, used to track user interaction. These are popularly used for advertising as well, but have numerous purposes.
  3. Browser fingerprinting: A more advanced method that gathers data about your device (like screen resolution, installed fonts, or browser type) to create a unique profile for tracking, even without cookies.
  4. Embedded scripts: Code snippets that track user behavior within a website. These scripts create most trackers and are responsible for reading and storing data.
  5. Web beacons: Embedded images that track when a page is loaded.

Types of cookies

Generally speaking and historically, cookies have been one of the most common and popular forms of tracking technologies. Cookies can serve many purposes, including remembering preferences (language, login credentials), tracking website usage (clicks, pages visited), securing a page/preventing fraud, and aiding in personalized content, user experiences, and ads.

Types:

  • Session cookies: Temporary, deleted when you close your browser.
  • Persistent cookies: Remain on your device for a set period or until manually deleted.
  • First-party cookies: Placed by the website you’re visiting or by embedded scripts loaded on your site.
  • Third-party cookies: Placed by a different website (e.g., advertising network). They are usually created as a hidden frame and exchange information with a third-party domain.

Examples:

  • Session cookie remembering your login on a website.
  • Persistent cookie saving your language preference on a news site.
  • Third-party cookie tracking your browsing across different websites to show targeted ads.

As noted above, cookies are a specific type of tracker, while trackers are a broader category. Cookies in particular primarily collect website browsing data, while trackers can gather a wider range of information.

Third-party cookies and trackers are at the center of recent privacy concerns due to their ability to collect, aggregate, and store information across sites without user consent. They enable mass data harvesting, profiling, and real-time bidding for marketing, advertising, and analytics, and can gather extensive personal data, including IP addresses, search and browsing history, and private details like health and religious beliefs.

Current and future state of third-party cookies in browsers

Cookies were first introduced in the 1990s as a way for websites to remember information about the user or their visits, and were at the time called “HTTP cookies.” Cookies were designed to fill the gap created by the stateless nature of the web, where websites could not inherently remember previous interactions.

In some circumstances, third-party cookies can be used to track users around the web and build a detailed profile based on browser history, and hence are also referred to as tracking cookies. This non-aggregated profiling and targeting has become an essential tool for online advertisers, who use it to track individual user behavior across multiple websites to deliver personalized ads.

Legislation like the General Data Protection Regulation (GDPR) and Digital Markets Act (DMA) in the European Union and the California Consumer Privacy Act (CCPA) have strong data privacy components around third-party cookie tracking. Combined with strong consumer demand for greater privacy, this regulation has led web browsers and major publishers or media houses like the New York Times to react by blocking or deprecating third-party cookies.

Chrome

While Google first pledged deprecation in 2022, there have been a number of delays over the last few years. On January 4th, 2024, Chrome began restricting third-party cookies for 1% of users, or approximately 30 million users, under Tracking Protection, with the intention to restrict them for 100% of users in 2024. Google has now reversed its decision to phase out third-party cookies, and plans to maintain third-party cookie support while continuing to develop additional privacy-preserving functionality.

Google’s Privacy Sandbox is the main vehicle Google uses to test and develop proposals for replacing third-party cookies with a collection of emerging technologies aimed at protecting users’ online privacy while also providing tools for relevant advertising and targeting.

The sandbox is designed to allow users to still see relevant ads based on interests, with the intent to keep personal information from being tracked or stored by websites. These approaches are novel, so their effectiveness is as yet unproven, and many details are still being worked out. Regulators such as the CMA (Competition & Markets Authority) and ICO (Information Commissioner’s Office) still have questions about these approaches.

Google’s Privacy Sandbox Proposal

Some of the new mechanisms within Google’s Privacy Sandbox include Google’s Topics API, a type of contextual targeting that uses categories of topics of interest, without additional information about the user’s browsing history. Other types of contextual targeting include keyword and semantic targeting, as opposed to behavioral targeting. Some critics have had concerns that this may introduce discriminatory practices.

Google has also introduced other mechanisms such as Enhanced Conversions, with which advertisers can collect hashed first-party conversion data from a website and send it to Google in a privacy-safe way. Essentially, the data is matched against Google’s logged-in data for identification.

CHIPS (Cookies Having Independent Partitioned State) is another method introduced by Google that allows developers to opt a cookie into partitioned storage, with a separate cookie jar per top-level site. This allows cookies to be set by third-party services, but only read within the context of the top-level site where they were initially set. This blocks cross-site tracking while still enabling non-tracking uses of cookies, such as persisting chat widgets across different sites, persisting configuration information for CDN load balancing, or headless CMS providers.
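
The partitioning described above can be modeled in a few lines. This is an added example, not code from the article or from any browser: `CookieJar`, `parseSetCookie` and the hostnames are constructed, and unpartitioned third-party cookies are assumed to be allowed so the contrast is visible.

```javascript
// Added illustration: CookieJar, parseSetCookie and all hostnames are constructed.
// Parse a Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs.filter(Boolean)) {
    const i = a.indexOf('=');
    cookie.attrs[(i === -1 ? a : a.slice(0, i)).toLowerCase()] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

class CookieJar {
  constructor() { this.store = new Map(); }
  // Partitioned: keyed by (top-level site, cookie host). Unpartitioned: by host only.
  static key(host, topLevelSite, partitioned) {
    return partitioned ? `${topLevelSite}|${host}` : `*|${host}`;
  }
  // Store a cookie set by `host` embedded under `topLevelSite`; Partitioned requires Secure.
  set(header, host, topLevelSite) {
    const c = parseSetCookie(header);
    const partitioned = c.attrs.partitioned === true;
    if (partitioned && c.attrs.secure !== true) return false;
    const k = CookieJar.key(host, topLevelSite, partitioned);
    if (!this.store.has(k)) this.store.set(k, new Map());
    this.store.get(k).set(c.name, c.value);
    return true;
  }
  // Cookies attached to a request to `host` embedded under `topLevelSite`.
  get(host, topLevelSite) {
    const out = {};
    for (const partitioned of [true, false]) {
      const bucket = this.store.get(CookieJar.key(host, topLevelSite, partitioned));
      for (const [n, v] of bucket || []) out[n] = v;
    }
    return out;
  }
}

function demo() {
  const jar = new CookieJar();
  const shop = 'https://shop.example', news = 'https://news.example';
  jar.set('__Host-chat=abc; Secure; Path=/; SameSite=None; Partitioned', 'widget.example', shop);
  jar.set('uid=42; Secure; SameSite=None', 'widget.example', shop);
  return { underShop: jar.get('widget.example', shop), underNews: jar.get('widget.example', news),
           rejected: jar.set('bad=1; Partitioned', 'widget.example', shop) === false };
}
```

Under `news.example` the widget sees only the unpartitioned `uid` cookie; the partitioned chat cookie stays in the `shop.example` jar, which is the property that removes it as a cross-site identifier.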

FLoC (Federated Learning of Cohorts) is a new way for advertisers to show relevant ads by grouping users into cohorts with similar recent browsing history without individually identifying them, providing a level of anonymity while still allowing advertisers to deliver targeted ads.

Google continues to solicit feedback on its Privacy Sandbox proposal.

Firefox

Mozilla’s Firefox has already phased out third-party cookies and implemented Enhanced Tracking Protection (ETP) by default, blocking third-party cookies and limiting the data advertisers can collect. Firefox has yet to initiate alternative solutions; however, it is possible to allow third-party cookies on a case-by-case basis in Firefox via browser settings.

Safari

Apple has also already blocked third-party cookies by default and implemented Intelligent Tracking Prevention (ITP) to protect user privacy. Apple has also taken a stringent approach towards cookies, where allowing access to third-party cookies per frame can only be done at the code level, via the Storage Access API. Similarly, Apple’s iOS updates (e.g., the AppTrackingTransparency framework, also known as ATT) have given users more control over their data, requiring apps to ask for permission to track user activities.

Emerging advertising technologies across platforms

With the demise of third-party cookies, advertisers are also turning to other emerging tech and advertising options such as universal IDs (e.g., TradeDesk Unified 2.0 solution), data clean rooms, device IDs, “on device” and client-side processing (e.g., Privacy Sandbox Solutions), contextual targeting, and server-side tags or customer data platforms. Techniques like fingerprinting and CNAME cloaking are also being considered.

Time will tell what privacy initiatives will be popular with consumers and marketers. While these new approaches and emerging tech are being tested for effectiveness, advertisers may need to further rely on first-party data instead.

Future of tracker vendor management

The challenge in the future as alternative tracking technologies arise will be two-fold. First, effective management of online trackers in compliance with privacy regulations will be increasingly important. Second, advertisers and publishers will need to obtain consent to process user data.

Organizations can future-proof their business by effectively managing cookies and online tracking technologies as well as obtaining end-user tracker consent with TrustArc’s compliance solutions:

  • Cookie Consent Manager: Obtain tracker consents and manage trackers. Easily support server-side tag management integrations and zero-load best practices. Set up automated tracker scans (of pixel tags, beacons, HTML 5 local storage, HTTPS/JavaScript cookies, etc.) regularly and receive on-demand tracker reports for compliance (e.g., CCPA report). Amplify your advertising compliance and recognize enhanced privacy requirements and signals such as Global Privacy Controls (GPC), IAB TCF and GPP frameworks support, and Google Consent Mode as Google certified CMP.
  • Website Monitoring Manager: Enrich tracker scanning, auditing, and reporting across your websites. This product includes on-demand compliance risk reports, regular automated tracker vendor scanning, and simplified compliance review to ensure adherence to regulations such as GDPR, CCPA, and guidelines by the FTC.
  • Consent & Preference Manager: Leverage a universal preference center that captures all first-party data consents from your customers and sync preferences across all your third-party systems. With a universal repository, Tag Manager technologies can manage tracker technologies based on recorded consents and within an ad ecosystem, Ad Publishers can retrieve the consent status for a particular user in real-time from the Consent & Preferences Manager at the time of serving ads.
  • DAA AMI Validation: Demonstrate your online advertising privacy compliance when using data collected through addressable media identifiers to safeguard consumer privacy. TRUSTe helps validate your practices in a cost-effective way assuring your partners and customers that your interest-based advertising practices align with industry standards and best practices.

As privacy regulations tighten and user awareness increases, it’s more crucial than ever for businesses to understand and manage online trackers effectively while maintaining transparency and trust.

]]>
The Healthiest Data Show on Earth (with Irith Kist) https://trustarc.com/resource/spp-s5-ep16/ Fri, 24 May 2024 16:10:06 +0000 https://trustarc.com/?post_type=resource&p=4823