CCPA Regulations Now Incorporate Accessibility Requirements

Jul 17, 2020 Published Article

The California Consumer Privacy Act Regulations (the CCPA Regulations) are in the process of becoming law in California. The CCPA Regulations were intended as a means for the California Attorney General to provide guidance for businesses on how to comply with the complex requirements of the CCPA. The CCPA Regulations address compliance, have created additional compliance obligations, and now also include an accessibility requirement for the various notices that must be provided to consumers pursuant to the CCPA, covering online notices as well as other forms of notice to consumers.

This accessibility requirement is a critical new component for businesses to be aware of in order to be in compliance with the CCPA. Because the CCPA focuses on protecting the personal information of California consumers, the CCPA Regulations have determined that key notices required by the CCPA, such as Privacy Policies and Notices, which detail the types of personal information that may be collected about a consumer, must be provided to all consumers, including those with vision, learning, or other conditions who would not be able to access such a notice on a non-accessible website. For example, for a visually impaired customer, any Privacy Policy would need to be accessible so that the individual could review the policy or notice with a screen reader, which converts the details of the policy into an audible format to be read aloud. Further, for notices that are not provided online, businesses shall provide the requisite notices in an alternative format for consumers with disabilities.

Understanding Accessibility Guidelines

The CCPA Regulations specifically incorporate by reference the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide Web Consortium. These guidelines have been developed to provide a framework on how to make websites accessible for those with visual, auditory, physical, speech, cognitive, language, learning, and neurological disabilities.

Background on the CCPA & How We’ve Gotten Here

The California Consumer Privacy Act of 2018 (CCPA) went into effect on January 1, 2020. The final proposed regulations of the California Attorney General were submitted on June 1st of this year to the California Office of Administrative Law (OAL) to become law as the California Consumer Privacy Act Regulations set forth in § 999.300 through § 999.341 of Title 11, Division 1, Chapter 20, of the California Code of Regulations (the CCPA Regulations).

What Do Businesses Need to Do Now?

Any notices that are being prepared as part of a CCPA compliance strategy now need to be provided in multiple formats to address the CCPA Regulations. These include not only an organization’s privacy policies but any other notices to be provided to consumers such as notices of collection, notices related to loyalty programs and notices to opt-out. A very thorough and thoughtful review of all notices and other CCPA compliance documentation should be completed by privacy professionals to properly address the CCPA Regulations. Online notices will further need to be reviewed with IT professionals to address website accessibility.

Moreover, if your company has not yet started a compliance program related to CCPA requirements, now is the time to do so, with any program constructed to address both the CCPA and CCPA Regulations. The CCPA expressly authorizes the Attorney General to start enforcement actions as of July 1, 2020. Keep in mind that in addition to accessibility considerations, the private right of action regarding data breaches under the CCPA is still in effect.

Why Does This Matter For Businesses?

  • If your CCPA compliance strategy does not include accessibility considerations, it should be updated to address these considerations.
  • If you do not have a plan in place to address CCPA requirements and compliance, now is the time to get started.
  • Penalties under the CCPA are substantial. A non-accessible online privacy policy could expose a business to a penalty of up to $7,500 per violation.
  • Keep in mind that there are already a number of other website accessibility requirements in addition to the CCPA Regulations.
  • Any cyber liability insurance policy that may be obtained as a means to address both the CCPA and CCPA Regulations should be reviewed by someone experienced in cyber insurance coverage prior to binding coverage, to confirm that you will actually have the coverage you want and that it properly addresses all these requirements.

Our Data Privacy & Security Task Force attorneys are available for consultation by contacting our office at 949-854-7000.