More than a dozen popular ecommerce sites that were recently
examined by New York officials had defective privacy controls, the state Attorney General's office said Tuesday.
“Unfortunately, not all businesses have taken appropriate steps to ensure
that their disclosures are accurate and that privacy controls work as described,” the office wrote in a new report that gives businesses guidance about online privacy.
According to the report,
investigators examined examined tracking code and privacy controls on various sites, and found that 13 highly trafficked sites -- which drew an estimated 75 million visitors in March -- had privacy
controls that were “effectively broken.”
“Visitors to these websites who attempted to disable tracking technologies would nevertheless continue to be tracked,” the
Attorney General's office stated.
The report didn't name the websites, but described them as “well-known" ecommerce sites that sell "consumer products, such as apparel, books, and
tickets to live events.”
The companies operating the websites fixed the privacy controls after being alerted to the problems, the report said.
Some of the websites examined by
investigators were also found to have privacy controls and disclosures that were “confusing and even potentially misleading.”
For example, one website required people who wanted to
avoid tracking to undertake a two-step process. First, they had to click on a slider, then they had to click on the phrase “Save Settings.”
“This second step was easy to
overlook,” the report states. “The words 'Save Settings' appeared in a different area of the screen, in a faded gray color, and without any visual indication that the words could be
clicked. Indeed, when we first reviewed the site, we missed the step entirely.”
Justin Brookman, director of technology policy for Consumer Reports, said he was glad to see New York
officials taking on the topic and providing guidance, but added that concerns about broken opt-out mechanisms have been raised before. In January, for instance, Consumer Reports said its tests of health care sites found that some sites that offered privacy
controls “seemed to have technical issues” that prevented testers from limiting cookies.
“I'm glad the specific companies took actions to remediate, but without consequences
-- or even naming or shaming -- this isn't enough,” Brookman said, referring to the websites referenced in the New York report. “Unless there are actual enforcement actions with penalties,
companies don't have enough incentives to fix broken interfaces.”