3 Key Privacy Questions U.S. Businesses Should Ask About Their Website Tracking

by: Chloé Nelson

In today’s digital landscape, nearly all businesses rely on website tracking technologies to gather insight and optimize online experiences. However, as data privacy concerns continue to rise, businesses must take a closer look at the tracking technologies embedded in their websites. Regulators from coast to coast are issuing warnings and guidance on the use of website tracking technologies and privacy tools, emphasizing the need to prioritize consumer privacy. In fact, in recent months, both the California Privacy Protection Agency and the New York Attorney General have released guidance on these issues, making it clear that businesses’ privacy practices are in the spotlight. 

Increased scrutiny from U.S. regulators and heightened privacy expectations from consumers mean that failing to properly manage website tracking tools can lead to both legal and reputational risks. Here are three key privacy questions every business should consider when evaluating their website tracking technologies and privacy tools.

1. Does my website have a cookie banner?

Prior to asking this question, some businesses may want to know more fundamentally whether their website needs a cookie banner. Cookie banners are needed when opt-in consent is required – such as when the business collects or shares certain types of information, like sensitive personal information or consumer health data. With respect to other personal information collected or shared, some state laws (like California’s CPRA) require a mechanism that gives consumers the ability to opt out of sales or sharing and targeted advertising.

But regardless of whether any particular state law applies to your business, a website owner should consider including a banner simply for the purpose of mitigating the risk of litigation. Online tracking technologies have been a hot subject of litigation recently under various long-standing privacy statutes, including state and federal wiretapping statutes, the California Invasion of Privacy Act (“CIPA”), and the Video Privacy Protection Act (“VPPA”). In these cases, plaintiffs allege that their personal information was collected via website tools like tracking pixels and cookies and then shared with third parties.   

Including a cookie banner on your website can help mitigate the risk of ending up on the wrong side of the “v” in a lawsuit, but it’s not as easy as throwing up a cookie banner and walking away. Businesses must ensure that they are presenting consumers with clear options and that consumers’ privacy choices are being honored. To do this, a business must properly manage their cookies and tags and avoid using dark patterns that can affect consumers’ privacy choices. Read on to understand what this means.

2. Am I properly categorizing and managing cookies and tags?

The cookies and tags on your website are not all the same. Some may be used for website functionality, some may be used for analytics, while others may be used for advertising and personalization purposes. Many websites use a consent-management tool to manage user consent for storing cookies and other tracking technologies. But failing to categorize or mis-categorizing cookies and tags can impact a business’s ability to honor consumers’ privacy choices. When website visitors elect to turn categories of cookies and tags off through the website’s consent-management tool, those cookies that are uncategorized or miscategorized will not respond to the tool’s controls in the way that visitors expect, meaning that the tags and cookies will remain active regardless of the website visitor’s privacy selections. For example, if a marketing cookie is mis-categorized as a functional performance cookie, it may remain active after a visitor has expressed a desire to disable marketing cookies.

Additionally, businesses should look out for other issues with tags and management tools commonly present on websites. For instance, if a website uses both a consent-management tool and a tag-management tool, the tools must be properly configured to interface with one another in order to properly pass opt-out signals. Further, if a website uses hardcoded tags, the business must check that those tags have been configured to work with the website’s privacy controls. Lastly, if a third party’s website tag offers a setting to limit how information collected by the tag is used, the business should make sure that this feature works in all states and not just those that have comprehensive privacy laws.

Businesses should designate the right people to implement and manage tracking technologies, take the appropriate steps to identify the data a tag will collect, appropriately categorize and configure the tag, and test and regularly review the tag and any management tools. Failing to properly manage tracking technologies and honor consumer privacy choices may not only take a toll on consumers’ trust in your business, but these failures can expose a business to regulatory action and steep fines.
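One way to test for the failures described in this section, as an added example that is not part of the original article: compare the cookies still present after a visitor opts out against both the consent-management tool's category assignments and the team's own review of each tag. The cookie names, categories, and the `auditCookies` function are hypothetical, constructed sample data.

```javascript
// Added example: every cookie name and category below is constructed sample data.

// Category assigned to each cookie in the consent-management tool (hypothetical export).
const toolCategories = new Map([
  ["session_id", "functional"],
  ["site_stats", "analytics"],
  ["ad_retarget", "functional"], // miscategorized: reviewed purpose is marketing
  ["promo_pixel", "marketing"],
]);

// Purpose determined by the team's own review of what each tag collects.
const reviewedPurpose = new Map([
  ["session_id", "functional"],
  ["site_stats", "analytics"],
  ["ad_retarget", "marketing"],
  ["promo_pixel", "marketing"],
  ["chat_widget_uid", "marketing"], // set by a hardcoded tag, absent from the tool
]);

// Returns one finding per observed cookie that conflicts with the visitor's choices.
function auditCookies(observed, declined, toolMap, purposeMap) {
  const findings = [];
  for (const name of observed) {
    const declared = toolMap.get(name); // undefined when the tool has no entry
    const actual = purposeMap.get(name); // undefined when nobody reviewed the tag
    if (declared === undefined) {
      findings.push({ name, issue: "uncategorized" });
    } else if (declined.has(declared)) {
      // The tool knows the category was declined, yet the cookie is still set.
      findings.push({ name, issue: "set-despite-opt-out" });
    } else if (actual === undefined) {
      findings.push({ name, issue: "purpose-not-reviewed" });
    } else if (actual !== declared && declined.has(actual)) {
      // Wrong category in the tool lets the cookie survive the opt-out.
      findings.push({ name, issue: "miscategorized" });
    }
  }
  return findings;
}

// Cookies seen in the browser after the visitor declined marketing (constructed).
const observedAfterOptOut = [
  "session_id", "site_stats", "ad_retarget", "promo_pixel", "chat_widget_uid",
];
const findings = auditCookies(
  observedAfterOptOut, new Set(["marketing"]), toolCategories, reviewedPurpose);
for (const f of findings) console.log(`${f.name}: ${f.issue}`);
```

In practice the observed list would come from a browser session recorded after the opt-out choice is saved, and the check would be repeated for each category the consent tool exposes.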

3. Does my website use dark patterns that may affect consumers’ privacy choices?

It is now more important than ever for businesses to recognize and remove any dark patterns on their website – particularly those that impact consumers’ privacy choices. With the CPPA and New York AG both recently issuing guidance to businesses on the avoidance of dark patterns, this may be a signal that they are more closely scrutinizing websites and planning to ramp up enforcement efforts.

In its most recent guidance, the CPPA reminds us that a “dark pattern” is defined by the CCPA as “a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decisionmaking, or choice,” and that any agreement obtained using a dark pattern does not constitute consent. Further, the New York AG warns businesses to ensure that statements about tracking and privacy controls are accurate and that privacy control user interfaces are not misleading.  

With respect to website cookie banners, regulator guidance urges businesses to use plain and clear language, label buttons to clearly convey what they do, and give equivalent options equivalent weight, meaning that if users can agree to tracking with a single click, they should be able to decline with a single click, and buttons should be equal in size, color, and emphasis. Additionally, businesses should ensure that privacy controls work properly and as described. For instance, if a business does not allow users to opt-in to tracking, but instead deploys cookies as soon as visitors reach the website, a pop-up stating that clicking the button means “you agree” to the use of cookies may be misleading because users may believe that cookies are deployed only if the button is clicked.

Website design, cookie banners, and use of trackers will differ from business to business, so it is important for each business to make sure that they understand what technologies they use to track website visitors and whether they have the proper privacy disclosures and controls in place. But it doesn’t stop there. Businesses must take appropriate steps to ensure that disclosures are accurate and that privacy controls work as described by properly categorizing cookies and tags and avoiding dark patterns. Regulators and consumers alike have little patience left for businesses that can’t manage their website tracking and data collection practices. 

Originally published by InfoLawGroup LLP.
