Editor's note: This is the third article in a three-part series addressing some of the more significant areas of the regulations implementing the California Consumer Privacy Act.

On June 2, the proposed regulations were sent to the California Office of Administrative Law for final review, and if approved by the OAL, the California Consumer Privacy Act regulations will then be filed with the California Secretary of State and become enforceable. This third article in a three-part series on the draft regulations focuses on how the CCPA’s accessibility requirements have evolved since their initial inception and raises an important area of compliance potentially overlooked by businesses.

Section 1798.195(a)(6) of the CCPA mandates that the California attorney general adopt regulations to ensure that privacy-related notices and disclaimers that businesses are required to provide under the law “are accessible to consumers with disabilities.” If businesses are not already subject to or compliant with similar federal laws governing website accessibility, the CCPA’s new obligations may require them to spend a significant amount of time and resources to reach full compliance.

Website accessibility and industry standards

The CCPA requires businesses to issue a broad range of privacy notices, such as website privacy policies, do-not-sell disclosures, and financial incentive terms and conditions. The original October version of the CCPA regulations required in multiple sections scattered throughout the regulations that all CCPA-mandated privacy notices “[b]e accessible to consumers with disabilities.” In addition, the regulations provided that businesses must “[a]t a minimum, provide information on how a consumer with a disability may access the notice in an alternative format.”

The February regulations amended these accessibility requirements in two ways. First, the word “reasonably” was added to the opening clause of these accessibility provisions set forth in the CCPA regulations so that it now requires a business to ensure that all its privacy notices “be reasonably accessible to consumers with disabilities.” According to the Final Statement of Reasons, this “adjustment [was] necessary to address public concerns that ‘accessible’ is an overly broad term that goes beyond what may be reasonable in some circumstances, particularly for smaller businesses.” Second, the regulations mandated that privacy notices “provided online” must “follow generally recognized industry standards, such as the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide Consortium, incorporated herein by reference.” For privacy notices provided offline, the February regulations retained the requirement that businesses “provide information on how a consumer with a disability may access the notice in an alternative format.” The March regulations only made a minor technical change by properly identifying the organization cited therein as the W3C, and this text made it into the final version of the CCPA regulations package sent to the Office of Administrative Law on June 2.

According to the Final Statement of Reasons, the WCAG’s “standard for making web content accessible by desktops, laptops, tablets, and mobile devices was developed through the cooperation of individuals and organizations around the world, with a goal of providing a shared standard for Web content accessibility that meets the needs of individuals, organizations, and governments internationally.” It further provides that “the WCAG has become the dominant standard for web accessibility in the United States.” In fact, the U.S. Department of Justice has, through multiple consent decrees and settlement agreements, required entities subject to the Americans with Disabilities Act to ensure their websites comply with WCAG. Even the federal courts have issued injunctions in ADA-related litigation requiring businesses to ensure their websites comply with the WCAG.

The WCAG’s purpose is to make online content more accessible to individuals with disabilities (e.g., visual, auditory, physical, speech, cognitive, language, learning and neurological disabilities), regardless of the technology or device being used. In turn, WCAG 2.1 has 13 guidelines organized under four principles (i.e., perceivable, operable, understandable and robust), and for each guideline, there are several “success criteria” based on one of three levels: A, AA and AAA. Examples of WCAG 2.1 criteria (subject to certain exceptions) related to A-level compliance for websites include: (1) that non-text content has a text alternative; (2) that website captions are provided for all prerecorded audio content; (3) that color cannot be used as the only visual means of conveying information; (4) that websites cannot contain anything that flashes more than three times in any one second period or the flash is below the general flash and red flash thresholds; and, (5) that if an input error is automatically detected, the item in error is identified and the error is described to the user in text.

Privacy notices in the employment context

It is important to note that ADA-related litigation pertaining to website accessibility has substantially increased in recent years; however, much of the focus has been on public-facing websites and online services, overshadowing website accessibility issues in the employment context. This is significant because, as noted above, the CCPA imposes accessibility obligations on all privacy notices and disclosures, including those related to employment. In particular, although personal information collected from employees and job applicants is exempted from most of the CCPA’s scope (until Jan. 1, 2021), a business must still provide California-based individuals with notice of its data processing practices when it collects their personal information (i.e., “Notice at Collection”). This is emphasized in zsection 999.305(f) of the CCPA regulations, which provides that “businesses collecting employment-related information shall comply” (with limited exceptions) the Notice at Collection requirements, including the aforementioned accessibility requirements.

Businesses commonly comply with the notice at collection requirement in the employment context by drafting and implementing an employee data privacy policy that addresses how the business collects, discloses, uses, disposes of and retains personal information pertaining to its employees and contractors, which is furnished to employees during the hiring and onboarding process. In the digital age, it is equally as common for an organization to maintain all employee policies and manuals, including employee data privacy policies, on its internal website (e.g., company intranet) so that they are available only to the organization’s workforce. In these situations, the use of an internal website to disseminate an employee data privacy policy or otherwise comply with the Notice at Collection requirement in the employment context likely implicates the “provided online” standard set forth in the CCPA regulations, and therefore such policies and notices must follow generally recognized industry standards pertaining to accessibility, such as the WCAG.

Similarly, it is common for businesses to post employment positions on third-party platforms (e.g., LinkedIn, Glassdoor, Indeed), directly on their public-facing website and even on their own company intranets. Accordingly, to comply with the Notice at Collection requirement, a business should consider drafting a separate job applicant privacy notice to provide to an applicant when they submit personal information in connection with an employment opportunity. Alternatively, businesses should consider incorporating the Notice at Collection criteria in their public-facing privacy statements and providing a link to the same to California-based job applicants during the employee recruitment and application process. In all these situations, businesses should ensure that all their privacy notices, disclosures and statements are reasonably accessible to consumers with disabilities and compliant with the WCAG or other recognized industry standards. Moreover, if a business is using a third-party platform to post employment positions, collect personal information on California-based applicants and disseminate its job applicant privacy notice, it must ensure that the third party’s website is also able to provide the Notice at Collection in a manner that satisfies the CCPA’s accessibility standard.

Conclusion

As noted above, there has been a significant increase in ADA litigation in recent years related to website accessibility, which demonstrates that organizations are still struggling to meet the accessibility standards set forth in the WCAG. Moreover, given the significant public policy reasons underlying the CCPA’s accessibility requirements, California's Office of the Attorney General may identify noncompliance with this area of the law as an enforcement priority. In addition to complying with CCPA and minimizing legal risk, there are several other reasons why businesses should expand their external and internal websites’ accessibility. For example, complying with the WCAG can help a business design and develop a higher caliber website in terms of end-user experience, broaden its end-user base to increase website traffic and potentially new customers and job applicants, and improve its search engine optimization rankings in accordance with search engine results algorithms. Therefore, in the event they have not done so already, businesses may consider prioritizing the time and resources needed to reach full compliance with the WCAG.

Photo by Iñaki del Olmo on Unsplash