More than a dozen popular ecommerce sites that were recently examined by New York officials had defective privacy controls, the state Attorney General's office said Tuesday.
“Unfortunately, not all businesses have taken appropriate steps to ensure that their disclosures are accurate and that privacy controls work as described,” the office wrote in a new report that gives businesses guidance about online privacy.
According to the report, investigators examined tracking code and privacy controls on various sites, and found that 13 highly trafficked sites -- which drew an estimated 75 million visitors in March -- had privacy controls that were “effectively broken.”
“Visitors to these websites who attempted to disable tracking technologies would nevertheless continue to be tracked,” the Attorney General's office stated.
The report didn't name the websites, but described them as “well-known” ecommerce sites that sell “consumer products, such as apparel, books, and tickets to live events.”
The companies operating the websites fixed the privacy controls after being alerted to the problems, the report said.
Some of the websites examined by investigators were also found to have privacy controls and disclosures that were “confusing and even potentially misleading.”
For example, one website required people who wanted to avoid tracking to undertake a two-step process. First, they had to click on a slider, then they had to click on the phrase “Save Settings.”
“This second step was easy to overlook,” the report states. “The words 'Save Settings' appeared in a different area of the screen, in a faded gray color, and without any visual indication that the words could be clicked. Indeed, when we first reviewed the site, we missed the step entirely.”
Justin Brookman, director of technology policy for Consumer Reports, said he was glad to see New York officials taking on the topic and providing guidance, but added that concerns about broken opt-out mechanisms have been raised before. In January, for instance, Consumer Reports said its tests of health care sites found that some sites that offered privacy controls “seemed to have technical issues” that prevented testers from limiting cookies.
“I'm glad the specific companies took actions to remediate, but without consequences -- or even naming or shaming -- this isn't enough,” Brookman said, referring to the websites referenced in the New York report. “Unless there are actual enforcement actions with penalties, companies don't have enough incentives to fix broken interfaces.”