It has now been nearly one year since the California Consumer Privacy Act (CCPA) went into effect and 6 months since the state of California started its enforcement activities. You have probably completed the work necessary to be in compliance: updating your privacy disclosures, setting up processes for data requests and opt-outs, and perhaps installing cookie compliance tools directly on your website. (If you haven’t done this yet, we wrote a primer earlier this year that is an excellent place to start.) But, did you know that the CCPA includes a backdoor requirement to make your website accessible?
For companies that are careful about their compliance liabilities, this may not make much of a difference. After all, the Americans with Disabilities Act applies to far more organizations than CCPA, and it already requires that websites be accessible to users with disabilities. And California already has its own stricter eligibility requirements under the Unruh Civil Rights Act along with more significant liabilities as well. Unlike the ADA, which has no statutory damages, the Unruh Act allows private plaintiffs to win damages at a minimum of $4,000 per incident (and up to 3x actual damages if they are higher).
However, in our experience, most companies are more motivated to comply with CCPA (and GDPR) over the equivalent accessibility mandates. I’ll leave this to someone else to speculate as to why, but if this describes your company, you may want to consider using the CCPA as a “backdoor” for smuggling in greater web accessibility for your sites and reduce your site’s overall liability. And even if that matters less to your organization, you likely want to make sure that you are in full compliance with the CCPA.
What are the CCPA’s web accessibility requirements?
The CCPA’s primary purpose is, of course, to increase attention to web privacy and grant customers wider control over their personal data. So it is not surprising that the law’s accessibility requirements are narrowly tailored to the specific pages and elements that are newly required as part of the law.
These include:
- Notice provided at the point of collection: this is where the business must disclose the types of personal information it is collecting and what it is used for.
- Notice of right to opt-out of sale: if a company sells personal information, it must give consumers the right to opt-out of these sales.
- Notice of financial incentives: businesses must notify consumers of compensation that it offers in exchange for the collection, sale, or deletion of consumer’s personal information.
- Privacy policy: this is likely the same privacy policy page that you’ve always had (albeit with some specific information required by the CCPA).
What is particularly interesting is that California goes further than previous laws in defining what the baseline requirements are for web accessibility (at least for these particular page elements). The accompanying regulations put out by the California Department of Justice clarifying CCPA includes the following definition of the accessibility requirements:
Be reasonably accessible to consumers with disabilities. For notices provided online, the business shall follow generally recognized industry standards, such as the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide Web Consortium, incorporated herein by reference. In other contexts, the business shall provide information on how a consumer with a disability may access the [notice or policy] in an alternative format.
Whereas the common understandings of legal accessibility requirements have typically been based on the Web Content Accessibility Guidelines (WCAG), the California regulations make this explicit. More specifically, they require the WCAG 2.1 (presumably AA) standards, which are the most recent version, even though WCAG 2.0 is often still used as a standard elsewhere. And most importantly, the requirements are indexed to “generally recognized industry standards”, which means that as new standards are issued (such as WCAG 2.2) and adapted, you can expect that California’s CCPA requirements will increase apace.
What Are the Consequences of Web Inaccessibility Under CCPA?
As with any other violation of the CCPA, the Attorney General of California can bring actions against a company with penalties of up to $7,500 per violation. These violations have the potential to be even more expensive than those under the ADA and the Unruh Act. While there is no private right of action under which consumers could file suit against you for lack of accessibility, CCPA violations could result in follow-on private claims under the Unruh Act, which also have the potential to be quite expensive (treble damages with a minimum of $4,000 per violation plus attorneys fees).
How to Make Your Site Compliant
The good news is that the CCPA’s circumscribed requirements give you a particular set of pages and elements that you’ll want to audit for accessibility compliance. On a simple, text-based page like a privacy policy, you’re unlikely to have many content accessibility issues like images without alternate text, video captions, etc. However, any technical accessibility issues that affect your entire site will need to be audited and remediated. This won’t make your site 100% accessible but should give you a big boost towards making your entire site more usable for everyone.
All of this can take time to complete; in the meantime, you may want to consider building out a separate accessible version of these pages. This won’t render you fully compliant, but direct users with disabilities to this functionally and informationally equivalent version is a good stopgap while you are working on reviewing and fixing your site.
Finally, you may want to get in touch with your privacy vendors (if any) to confirm that any of their scripts or popups that you deploy on the site are sufficiently accessible. In general, it’s reasonable to expect that companies playing in this space have already taken steps to ensure that their solutions are fully compliant with CCPA’s web accessibility requirements, but you can never go wrong double-checking to make sure.