Website Accessibility Under the California Consumer Privacy Act
Jul 16, 2020 Published ArticleEnforcement of the California Consumer Privacy Act ("CCPA") imminent. While much of the CCPA focuses on required notices, processes, and consumer rights, it also contains an accessibility requirement that many may overlook. While enforcement of the CCPA is to be pursued by the Attorney General, accessibility considerations need to take into account not only CCPA requirements, but other laws addressing accessibility that permit civil claims to be made by website users. In the context of all of these requirements a company may face upwards of $11,500 in fines and damages per violation if website accessibility is not properly addressed. So what are the requirements for website accessibility? How might a business implement changes? What are the risks should a website not be deemed accessible?
What Laws Require that a Website is "Accessible"?
There are three laws that address website accessibility:
- The Americans with Disabilities Act ("ADA"): This requires places of public accommodation to provide accommodations to those with disabilities and can be deemed to require website accessibility under certain circumstances;
- The Unruh Act: This requires that all persons within California are treated equally, including for any facilities, services, or business establishments; and
- The CCPA: This requires that businesses provide notices to consumers, in an accessible and understandable format, regarding their personal information, and affords guidance to the how consumers can control personal information.
While the ADA and Unruh Act implemented requirements that effectively mandated website accessibility for some time, we now have the CCPA, which further necessitates that any online privacy policy and other online notices be accessible. However, unlike the ADA and the Unruh Act, the CCPA's associated regulations specify a standard to provide clarity as to what might be reasonably accessible: the WCAG 2.1 guidelines dated June 5, 2018 (" WCAG").
The CCPA's regulations set forth requirements for notices that are provided online, including opt-out notices, notices at collection, notices regarding loyalty programs, and privacy policies – stating that these must be accessible, incorporating the WCAG to specify how accessibility will be achieved. WCAG is promulgated by the World Wide Web Consortium ("W3C"), an international community which works to create standards for internet websites. WCAG is a set of guidelines that W3C has developed to outline how to make websites accessible for those with visual, auditory, physical, speech, cognitive, language, learning, and neurological disabilities.
For example, there are requirements that (1) text alternatives are provided for non-text content like images or videos, (2) timed content is able to be controlled by the user, (3) requirements that a website and its components are functional with screen readers, and (4) websites can be accessible for a user that only utilizes a keyboard.
How Can a Website Move Towards Compliance?
Unfortunately, there is no ‘easy’ button for making your website accessible to the WCAG guidelines. This is a calculated process that requires front-end fixes as well as core back-end template updates that dig into a website’s HTML, CSS & JavaScript. One of the quickest ways to move towards WCAG compliance is to complete a live-user audit on your website. If you prefer not to complete a full live-user audit, you should at least consider having a cursory review completed by a blind auditor of any online policies provided pursuant to the CCPA. It is a critical next step because it can establish your first defensible milestone towards accessibility compliance. In other words, taking action now is critical. Companies like Accessible360 (A360), a national live-user auditing firm, help organizations reach WCAG compliance with customized plans with a responsive start time. A360 helps organizations by developing an accessibility plan that can be configured to your organization’s goals and development process and has an established success record in supporting compliance as well as any litigation efforts.
With a very limited number of WCAG Violations are typically found by automated testing tools (estimated to be only about one-third of all violations), a website audit or cursory review by a live-user is likely necessary. Using an overlay tool, or ‘quick fix’, unfortunately have not been proven to make the experience better for individuals with disabilities or satisfy accessibility requirements. Industry SME's and the disabled community have raised a number of concerns in recent months that they make the experience worse or exclude disabled users from an equitable experience. Engaging with a human driven solution is the preferred initial step to protect your organization in addressing the CCPA's accessibility requirements and potential lawsuits under the other accessibility laws.
Penalties for Non-Compliance
The Attorney General is set to begin enforcement of the CCPA on July 1, 2020, and may impose penalties of up to $7,500 for non-compliance per violation. While it has yet to be determined how violations will be counted for purposes of this penalty, presumably, should a company fail to make a notice accessible, and a privacy policy accessible, this may create a penalty of up to $15,000. Furthermore, the Unruh Act creates a scenario where, due to the inaccessibility of a website, an additional $4,000 in damages per violation may occur. While it has been determined that separate visits to the website will not create additional violations, this still creates a risk for class-action lawsuits, which can quickly multiply the possible liability to the company. Thus, non-compliance creates a risk where a company would have a liability that could easily exceed $11,500 based on each online notice, and could exponentially grow without prompt or proactive measures.
The time to reach compliance is rapidly shrinking, and as it pertains to the ADA and the Unruh Act, it has already passed. With the focus of commerce shifting further from brick-and-mortar locations to the internet, it is more important than ever to form a compliance plan for website accessibility, whether it is to proactively comply with the CCPA, address other accessibility requirements, or as an additional consideration for updates to a company's website.