Bloomberg Law
March 31, 2020, 8:00 AM

INSIGHT: Applying the CCPA’s New Accessibility Requirements to Privacy Policies

Kristen Mathews
Kristen Mathews
Morrison & Foerster LLP
David McDowell
David McDowell
Morrison & Foerster LLP
Courtney Bowman
Courtney Bowman

The California Consumer Privacy Act’s regulations are expected to add protections for people with disabilities. The disclosures required by the CCPA will have to be “accessible” to consumers with disabilities so that those consumers will be able to benefit from the privacy disclosures.

What will this require businesses to do? What does “accessibility” mean in the CCPA context?

This accessibility requirement applies to the following types of notices:

  • The notice at collection, in which a business must disclose the categories of personal information it collects from consumers, and the purposes for which those categories of personal information will be used;
  • The notice of right to opt out of sale, in which a business must alert consumers if it sells their personal information, and that consumers have the right to opt out of any such sales;
  • The notice of financial incentive, in which a business must notify consumers of any compensation it offers in exchange for the collection, sale, or deletion of consumers’ personal information; and
  • The business’ privacy policy, which must contain a number of specific provisions required by the CCPA, including a description of consumers’ rights under the CCPA, along with the categories of personal information the business collects, sells, or discloses for business purposes.

The draft regulations’ inclusion of an accessibility requirement raises questions of what it means for a business’ CCPA notices to be “accessible.”

‘Accessibility’ Under the CCPA

The initial draft CCPA regulations stated that accessibility, “[a]t a minimum,” meant “provid[ing] information on how a consumer with a disability may access the notice in an alternative format.”

The recently issued second draft of the regulations provides some more constructive guidance. First, the revised draft regulations require these notices to be “reasonably accessible” to consumers with disabilities, which introduces a reasonability standard to the accessibility regulation.

Second, and more significantly, the revised draft regulations provide specific guidance as to the types of measures that satisfy that “reasonably accessible” threshold. The revised regulations state that, for online notices, businesses “shall follow generally recognized industry standards, such as the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide Web Consortium.”

The revised draft regulations further state that “[i]n other contexts,” businesses must provide consumers with information as to how to access the notices in an “alternative format.” This latter provision suggests that businesses must provide information about “alternative formats” if they post offline notices, such as in a retail store. This article focuses on the accessibility of online notices.

‘Accessibility’ Under Web Content Accessibility Guidelines

The drafters’ incorporation by reference of the Web Content Accessibility Guidelines, version 2.1 (commonly referred to as “WCAG 2.1”), is not necessarily surprising, as WCAG 2.1 (along with its predecessor, WCAG 2.0) already has been recognized as a means for making websites accessible to consumers with disabilities in accordance with the federal Americans with Disabilities Act (ADA).

In general, WCAG requires adherent websites to provide certain accommodations to improve accessibility. For example, a business seeking WCAG 2.0 compliance must ensure compliance with the following requirements, among others:

  • Provide captions and audio descriptions of live and prerecorded audio content;
  • Allow content to be viewed and operable in multiple display orientations (i.e., not exclusively in portrait or landscape mode);
  • Allow users to resize text without losing functionality; and
  • Include descriptive headings and labels in order to improve navigation.

WCAG 2.1 builds on WCAG 2.0 by providing a few additional requirements, including some designed to improve the accessibility of websites accessed via mobile devices.

The revised draft CCPA regulations specifically cite WCAG 2.1 as an appropriate standard for ensuring accessibility, but its text suggests that another “generally recognized industry standard” could be considered adequate as well. The revised draft regulations also fail to note which level of WCAG 2.1 compliance (WCAG sets out three levels: A, AA, or AAA) would be considered sufficient.

‘Accessibility’ Under Other Industry Standards

As an alternative to WCAG, website operators seeking to make their websites accessible to consumers with disabilities sometimes choose to comply with the federal government’s standards for website accessibility, as set out in Section 508 of the Rehabilitation Act of 1973 and its accompanying technical standards.

Accordingly, Section 508 may serve as a suitable alternative for businesses seeking to comply with the revised draft regulations’ “accessibility” requirement. Section 508 requires federal agencies to make the federal government’s electronic and information technology (including websites) accessible to individuals with disabilities, and the technical standards set out what measures agencies must implement to make their websites sufficiently accessible.

Several of the Section 508 standards require adherents to comply with WCAG; for example, public-facing electronic content, as well as user interface components, must conform to WCAG ’s Level A and AA Success Criteria. The Section 508 standards also impose their own technical requirements, including the following:

  • Websites that involve a “visual mode of operation” must offer at least one mode of operation that does not require vision.
  • Websites that offer an “audible mode of operation” must offer at least one mode of operation that does not require hearing.

Although these requirements apply to the federal government, and not to the private sector, Section 508’s technical standards are recognized as “accessibility” standards. Accordingly, a private business that adheres to the technical standards adopted under Section 508 may be viewed as providing an “accessible” website.

Making a Business’ CCPA Notices ‘Accessible’

Businesses may wish to start considering how to present their online CCPA notices in a way that makes those notices “accessible”; in other words, in accordance with WCAG 2.1 or a comparable industry standard.

The fact that the regulations’ “accessibility” requirement has survived a round of edits by the AG’s office is a good indication that the general “accessibility” requirement is unlikely to disappear entirely from the final set of regulations. Businesses may wish to use this time to familiarize themselves with the requirements of WCAG 2.1 and determine how best to implement its standards.

This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.

Author Information

Kristen Mathews is a partner in Morrison & Foerster’s Global Privacy + Data Security Group. She has more than 20 years of experience with the full spectrum of complex privacy and cybersecurity issues.

David McDowell is also a partner with the firm’s Global Privacy + Data Security Group where he provides practical and timely legal advice that is tailored to today’s fast-moving retail environments.

Courtney Bowman is former associate at Morrison & Foerster.