Skip to site navigation Skip to main content Skip to footer content Skip to Site Search page Skip to People Search page

Alerts and Updates

Companies Must Ensure CCPA Privacy Notices Comply with Disability Accessibility Requirements

June 17, 2020

Companies Must Ensure CCPA Privacy Notices Comply with Disability Accessibility Requirements

June 17, 2020

Read below

Businesses will need to be proactive and flexible with compliance with these laws and regulations.

Disability accessibility, including specific accessibility requirements for websites, are an independent feature of the final regulations for the California Consumer Privacy Act (CCPA), submitted on June 1, 2020, by the Office of the California Attorney General to the California Office of Administrative Law (OAL). These accessibility requirements supplement existing requirements under federal and state laws already in effect. Businesses will need to be proactive and flexible with compliance with these laws and regulations.

The OAL has 30 working days, plus an additional 60 calendar days under an executive order related to the COVID-19 pandemic, to review the final regulations package. Once approved by the OAL, the final regulation text will be filed with the Secretary of State and become enforceable by law.

Accessibility Requirements

The final regulations require the following required disclosures be “reasonably accessible” to consumers with disabilities:

  • Privacy policy of online and offline practices regarding the collection, use, disclosure and sale of personal information and of the rights of consumers regarding their personal information.
  • Notice at collection explaining the categories of information to be collected and the purposes for which it will be used;
  • Notice of right to opt out explaining a consumer’s ability to direct a business to stop selling personal information; and
  • Notice of financial incentive explaining the financial incentive or price or service difference the business may offer.

The final regulations require businesses posting any of the disclosures online to “follow generally recognized industry standards, such as the Web Content Accessibility Guidelines, Version 2.1.”

Key Takeaways: General Accessibility and Website Specific Requirements

The general accessibility requirement applies to all forms of the required disclosures/notices. Examples of accessibility tools may include, but are not limited to, TTY for telephonic interactions, braille for written notifications, personnel to read the disclosures aloud and/or assist with filling out forms, etc. This is particularly important for consumer requests to know and/or delete their personal information, for which businesses are required to provide two or more designated methods for consumers to make such requests (unless the business is solely online and has a direct relationship with its consumers, then only an email address is required). Similarly, businesses must provide a website form as one of the two required methods for consumers to submit requests to opt out of the collection of their personal information. This is all in addition to the admonition that businesses select disclosure processes similar to the methods they use to interact with customers. Additionally, businesses must consider a request submitted by a means other than the established methods complete and effective (or engage in an interaction to help the consumer submit missing information to complete the request). In short, businesses will need to be proactive as well as flexible when it comes to providing accommodations to consumers with disabilities.

For website disclosures in particular, the new regulations suggest—but do not require—adoption of the WCAG 2.1 guidelines. Rather, the WCAG 2.1 is listed as an example of an “industry standard.” There is still room for businesses to adopt a different accessibility standard, so long as the website can be shown to be reasonably accessible. Second, the reference to WCAG 2.1 guidelines is still muddled—the guidelines have three subset rankings that reflect a continuum of accessibility (A, AA or AAA), and there is no bright-line rule establishing which is required to ensure a website is accessible. Moreover, each of those subsets has numerous components to be met, and the failure to meet one of those subsets may render a website inaccessible for one type of disability (e.g., hearing) but not another (e.g., mobility). Simply put, the WCAG 2.1 standards help websites be accessible but are not guarantees of accessibility. Businesses will need to stay vigilant for regulatory changes or case law to further clarify which level of WCAG 2.1 may be preferred or for other factors/standards used to determine accessibility.

Additional Considerations: CCPA Operates in Conjunction with Other Disability Rights Laws

The CCPA supplements—not supplants—the already existing requirements of federal disability rights laws (e.g., the Americans with Disabilities Act, Section 504 of the Rehabilitation Act of 1973) and California’s disability rights laws (e.g., Unruh Act, Disabled Persons Act). These laws have been enforced to require that websites be accessible for all manner of disabilities, and best practices are for businesses to have 1) accessible websites now and 2) a policy in place to ensure the websites remain accessible. Features of such a website accessibility policy typically include:

  • Appointing a website accessibility coordinator.
  • Inserting a link on all pages to a landing page for people to request website-related accommodations or report accessibility issues with the website.
  • Specifying a team (internal and/or external) who will review the website for accessibility, and how frequently they should do so.
  • Inserting language into contracts with outside vendors who post/create content for the website requiring that all content be compliant with a selected standard of compliance.

This dual approach embraces the process-oriented spirit of the disability rights laws, as well as helps ensure websites are accessible now and will remain so as technology advances.

For More Information

If you have any questions related to this Alert, please contact Michelle Hon Donovan, Sandra A. Jeskie, Bryce Young, any of the attorneys in our California Consumer Privacy Act Group or the attorney in the firm with whom you are regularly in contact.

Disclaimer: This Alert has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm's full disclaimer.