We all know that various compliance standards apply to our websites and applications. For some, we can optionally consider complying, yet others may be required to run our businesses online. What does a website owner need to know in terms of what standards must be kept? After all, there are many acronyms and much confusing terminology associated with the concept of compliance. This week, I'm highlighting the compliance standards we most routinely hear about. This isn't an exhaustive list, but rather a primer into what each rule applies to and who should or should not worry about seeking compliance.
ADA
The Americans with Disabilities Act was written into law in 1990, long before the internet was in mainstream usage. However, the law manages to enforce certain standards for websites and applications when it comes to accessibility for users with various disabilities. ADA is an interesting dilemma in the digital world because the rules exist, yet the law doesn't necessarily speak clearly about specific requirements or penalties for lack of compliance.
In recent years, websites and applications have been subject to lawsuits from users who have claimed a lack of compliance and therefore, an inability to use those services. As a result, more and more websites and application owners seeking to become compliant with what standards they can to avoid these lawsuits. When it comes to sites, auditing the website's capabilities in terms of accessibility is not difficult. Best of all, third-party tools are now available, allowing websites to achieve compliance with a simple plug-in model. We use one on our site, which you can see on the lower-left corner of your screen.
Mobile applications, however, are a different story. Sadly, there is no third-party remedy, and audits are typically manual and time-consuming. As such, professional mobile application ADA audits can be expensive and take a long time to turn around.
ADA compliance is good practice no matter what business you are in. First, it's the right thing to do. And secondly, I feel that eventually, issues of compliance will matter to third-parties such as search engines. As such, I recommend all websites work to achieve compliance one way or another. The same goes for mobile applications – it isn't easy, but it's worth achieving some level of compliance. The best bet is to consider it as you start your project – doing it later will be more difficult and potentially sacrifice functionality you had already created.
Finally, as a reminder, it's worth noting that ADA compliance is not a one-and-done scenario. You must continue to stay compliant with each content or application update – so this is an ongoing requirement that you must focus on. This means training content managers to understand what compliance features exist in their content editors and teaching them best practices. Also, ongoing scanning and checking of website and application pages and templates will be essential to maintaining compliance.
HIPAA
HIPAA, or the Health Insurance Portability and Accountability Act, became law in 1996 and governs the usage of health-related personal information and data. If you are working in healthcare, aesthetic medicine, or any other related medical field and have user data (AKA "Personal Health Information" or PHI) on your website, you may be subject to HIPAA regulations. If you are not in those fields, then you can most likely disregard HIPAA and skip to the next section.
HIPAA compliance touches upon almost every area of your digital operation. It is more than just how your website was developed, but also about your infrastructure, hosting, and server environment. The specific language around HIPAA compliance even includes the physical security of your data center. As such, this act engages every aspect of your digital infrastructure. Luckily, it is easier to achieve these days than it was in the past.
For clients who require HIPAA certification, it is recommended they do it in two ways. First, work to ensure your application or website is compliant. There are audits and checklists readily available to help in this regard. You will require development help to achieve this security level, even if the software claims it has HIPAA compliance included (more on this in a minute).
Secondly, you should pursue HIPAA-compatible web hosting services. Doing so makes your life much easier, and many providers have this service available for an additional cost. Since so much of HIPAA regulation comes down to infrastructure and physical security, having a host who is compatible makes for a laundry list of things you don't need to worry about.
Finally, if you are required to be HIPAA compatible, you need to be careful about third-party systems you may utilize, such as CRM systems or similar. Not all of them are HIPAA compliant, and usage of them would not be allowed. While many of the more prominent players are compliant, there are still top-tier providers who are not compliant and could cause you issues down the road. We see many software providers who specialize in HIPAA compatible competitors to popular software packages, taking advantage of this differentiating factor. So, if you take away nothing else from this section, always be aware of who is and isn't compliant when licensing any solutions.
FEDRAMP
FEDRamp, or Federal Risk and Authorization Management Program, is a US-government based program that provides a standardized approach to security for cloud-based products and services. This includes security assessments, authorization protocols, and continual monitoring services, among other areas of concentration.
The people who would most be subject to this are SaaS providers or other cloud-based services. If they wish to serve federal agencies, they will need to achieve this level of compliance. The government has set up a good website that describes all aspects of the program, which we recommend researching.
For the majority of businesses, FEDRam is overkill. The concepts within the program serve as a solid foundation for security procedures you should be following or implementing within your organization. So my recommendation is to become familiar with the program and comply where you can if you aren't necessarily subject to it.
If you are, however, subject to FEDRamp, it will be somewhat of an undertaking to achieve certification or authorization. But when you do, you will have been vetted as a possible option for all government agencies, which could be a competitive advantage.
PCI
Payment Card Industry Data Security Standard (PCI DSS) is a security standard for companies that handle credit cards. The rule is mandated by card brands to ensure that transactions online are being processed and treated securely. It is incumbent upon website owners to understand that this is something they must consider when operating an e-commerce storefront.
PCI compliance can be attained via a variety of technical and infrastructure changes. To understand if you are or are not compliant, you can hire third-party groups to run audits, or utilize other services to determine if you are compliant. If your e-commerce store is run by a hosted provider such as Shopify, you are most likely already compliant. However, if you have built your solution, you may be on the hook to achieve compliance to stay within the regulations and standards of the credit card companies.
At a top-level, website operators must work to protect cardholder data. This means taking steps such as installing firewalls, having secure passwords, encrypting the transmission of data across networks, using anti-virus software, developing systems securely, and regularly testing all systems in place. Also, having policies in-house matter as well. What to do in the event of a data breach, as an example, is a policy you should have in place.
PCI compliance is not the most challenging certification to comply with, and because e-commerce introduces risk, it should be taken seriously by all online merchants.
GDPR
The General Data Protection Regulation is a regulation within the European Union law on data protection and privacy. The goal is to allow individuals more control over their personal data and was first implemented in 2018.
The law requires website operators to do a few things to maintain compliance. It starts with transparency – operators must conduct audits to determine what information they process and who accesses it. Then, they must have a legal justification for those activities. Finally, they need to provide clear information to their users in their privacy policies about these activities.
From a technical perspective, certain things must also be met. Encryption of data, creation of internal data protection policies, and methodologies to provide users the ability to opt-out of any data storage activities are essential.
All companies that do business in the EU are required to comply. Meaning if your website captures the personal data of a European citizen, you must take these steps to protect the data and offer opt-out capabilities. The fines are steep – the maximum is either 20 million Euros or 4% of global revenue – whichever is higher.
If you conduct business in the EU, we recommend looking into our more detailed post on GDPR for more comprehensive information.
CCPA
Our last blog post detailed the CCPA, or California Consumer Protection Act. In that post, we reviewed what the law covers and what is required to comply. In a nutshell, the CCPA is similar to GDPR in many ways. It requires companies to warn users about the usage of private data, and provide ways to opt-out of the usage of said data.
However, CCPA doesn't globally apply; some companies are exempt. As such, we do recommend you look into the specifics of the law, and review our previous post for more detailed explanations of the law, complying, and enforcement.
Wrapping Up
This post is meant to serve as a primer for the most critical compliance standards we see regularly. However, this is not a comprehensive guide. Each rule can have a book written about it, so please refer to the linked materials in the post for more information. Make sure your digital agency is aware of these standards and how to achieve them, as it can save you a legal headache in the future. Compliance is often required, and while you may not be noticed if you are not in compliance, if and when problems do occur, you will be in trouble down the line.