The effective date of the California Consumer Privacy Act (CCPA) is finally here and while most companies have been working hard to prepare compliant notices and privacy policies for distribution to employees and consumers, the requirement that these policies are accessible to consumers with disabilities may not be top of mind. The California Attorney General's proposed regulations, however, contain specific requirements for the formatting and delivery of these notices and policies, which include the requirement that the policies are accessible.
- CCPA-covered businesses are required to provide accessible information about their data collection and sharing practices, including practices for offline data.
- Businesses covered by the CCPA should ensure their websites and apps comply with industry-standard accessibility guidelines and should implement policies and procedures to ensure access to information distributed offline.
- Offering to read notices and policies to customers or providing a privacy-specific customer service number may not be sufficient to meet a business's accessibility obligations.
The CCPA and Accessibility
Under the AG's proposed regulations, CCPA-covered businesses are required to make sure their internal and consumer-facing notices and privacy policies (whether applicable to online or offline collection of personal information) are accessible to individuals with disabilities. At a minimum, a covered business must provide information on how an individual with a disability may access notices and privacy policies in an alternative format. The regulations are silent as to how businesses can meet their accessibility obligations, but companies can look to existing guidelines and recent court decisions for potential strategies.
Businesses can address accessibility of online notices and policies by taking steps to make sure websites and apps comply with industry standards for digital accessibility. The most widely recognized standards, the Web Content Accessibility Guidelines (WCAG) 2.0 and 2.1, have been widely adopted and are often cited in settlements and consent decrees. Earlier this year, the Supreme Court decided to leave in place a Ninth Circuit ruling that held, in part, that an order requiring compliance with WCAG 2.0 could be an appropriate remedy for violation of the accessibility requirements of the Americans with Disabilities Act (ADA).
WCAG 2.0 and 2.1 are designed to be broadly applicable to digital properties. They address issues such as:
- Labeling graphics appropriately.
- Ensuring that all functionality is available via the keyboard.
- Providing users with enough time to read and use content.
- Making sure that websites and apps are easily navigable by screen readers used by individuals who are blind.
- Using icons and other visual elements that benefit people with cognitive disabilities.
Less guidance is available to businesses that collect personal information offline. These companies will need to consider how best to ensure that consumers with disabilities can access the information they provide to other customers and employees. Some businesses may choose to maintain accessible electronic versions of notices and policies that they can email to individuals upon request. Microsoft Word comes equipped with an "Accessibility Checker" that can assist with this process.
Some businesses might consider using a privacy-specific customer service hotline or email address to provide information to consumers with print-related disabilities, but at least one California Court of Appeals ruling casts doubt on the sufficiency of this approach in the general context of website accessibility. In Thurston v. Midvale Corp., the court upheld the decision of the trial court, which stated that the presence of an email address and a telephone number on a restaurant's website was not an acceptable alternative to a site that could be accessed by the blind plaintiff's screen reader. Customers with print disabilities were forced to call during business hours or wait for a response via email, which was not equivalent to the 24-hour-a-day access granted to customers without disabilities. (The court didn't address whether or not a phone number that was staffed 24 hours a day could have provided equal access to the information on the site.)
The CCPA imposes penalties of up to $7,500 per violation, including violations related to the accessibility requirements. In addition, failure to provide accessible notices and policies could also lead to claims that the business violated California's Unruh Civil Rights Act. A plaintiff who establishes a violation of the UCRA is entitled to recover the greater of their actual damages or statutory damages equal to $4,000.
As covered businesses work to comply with their obligations under the CCPA, it is crucial for them to ensure that notices and policies are accessible to California consumers and employees, including those with disabilities.