The proposed modifications to the draft California Consumer Privacy Act (CCPA) regulations released by the California Office of the Attorney General on Feb. 7 reflect some changes related to digital accessibility. In light of the new regulations, covered businesses should take steps to ensure that privacy policies and interactive opt-out forms are accessible to consumers with disabilities.
- The new regulations require online notices and policies to be “reasonably accessible” to consumers with disabilities.
- The regulations suggest (but do not strictly require) that businesses comply with Web Content Accessibility Guidelines (WCAG) 2.1 Level AA.
- A new requirement that interactive opt-out forms be designed so as not to subvert or impair a consumer’s decision to opt out means that these forms should be accessible.
New Standard for Compliance: ‘Reasonably Accessible’
The proposed regulations require notices and policies to be reasonably accessible to consumers with disabilities. While this phrase is not commonly used to describe a company’s compliance obligations, it suggests that there are some instances where failure to provide complete and total accessibility won’t constitute a CCPA violation.
For example, a covered business might be able to argue that taking certain steps toward accessibility would result in an “undue burden” (a phrase found in the Americans with Disabilities Act). But this can be a high bar to meet. One district court held that a cost of $250,000 to make a website accessible wouldn’t be an undue burden where the company at issue had recently spent $7 million to redesign its website. While this holding isn’t binding on California courts, it underscores that what might be considered an undue burden depends on the resources available to a covered business, among other factors.
The reference to reasonable accessibility in the new regulations also makes sense in light of the requirement that businesses follow “generally recognized industry standards” for digital accessibility, such as WCAG 2.1 Level AA. Accessibility experts recognize that Level AAA (the highest level of WCAG conformance) is not always possible. For this reason, Level AA, not Level AAA, is the standard that most businesses should aim to achieve.
Differences Between WCAG 2.0 and 2.1
If enacted as proposed, the regulations will be the first regulations promulgated under any statute in the U.S. to apply WCAG 2.1 to private businesses irrespective of industry or activity. WCAG 2.0, the version of the WCAG that is most often cited in settlements and consent decrees relating to digital accessibility, is the more familiar version.
Internet usage and browsing patterns have changed drastically since the release of WCAG 2.0 in December 2008. Today, mobile devices account for more than half of all web traffic.
It’s not surprising, then, that many of the 17 new testable requirements (referred to in the WCAG as “success criteria”) in WCAG 2.1 relate to mobile browsing.
Examples of new WCAG 2.1 requirements include:
- Sufficient contrast for non-text elements such as buttons and icons (important for low-vision users).
- Minimizing the need for a person with low vision to scroll in more than one direction (so they can, for example, enlarge text and read it in a single column).
- Not restricting the display of content to a particular orientation (important because people with some motor disabilities may attach their phone/tablet to a wheelchair and may not be able to move it easily).
- The ability to perform operations with multiple input devices (important for people who can’t physically use a keyboard or mouse).
Outside the new success criteria, the remainder of WCAG 2.1 is identical to WCAG 2.0. For this reason, some companies may conclude that they don’t need to update pages that already comply with WCAG 2.0, particularly given that California’s regulations don’t actually require WCAG 2.1 conformance. But as the digital ecosystem moves further and further away from desktop browsing, WCAG 2.1 (or successor guidelines) may replace WCAG 2.0 as the de facto standard for digital accessibility.
Requests to Opt Out
The regulations do not expressly state that processes to opt out of the sale of personal information must be accessible to people with disabilities, but other new language covering opt-outs suggests that online forms should comply with accessibility standards.
The regulations state that a business is prohibited from using an opt-out method “designed with the purpose or substantial effect of subverting or impairing a consumer’s decision to opt out.” This provision aims to discourage companies from designing opt-out forms that are generally hard for consumers to locate or submit. Because forms that don’t comply with standards such as WCAG 2.1 may be unusable by consumers with disabilities, they could be deemed to violate the CCPA.
Following WCAG 2.1 can help businesses:
- Label form controls so that screen-reader users can identify them and users of voice input technologies can navigate to and activate them.
- Give instructions on how to complete the form, including indications of which elements are required and which are optional.
- Allow the user to review and confirm the information collected on the form.
- Notify users of errors (such as improper formatting and failure to include required information) in ways that allow users to identify and correct the errors.
- Provide accessible and usable alternatives to CAPTCHAs and other tools that screen humans from bots, which can be difficult or impossible for users with disabilities to complete.
These regulations are subject to change following the comment period. In the meantime, given the likelihood that the final regulations will include some accessibility standards, CCPA-covered businesses should take steps to ensure that their privacy policies and opt-out forms are accessible to consumers with disabilities.