In the scramble to come into compliance before the January 1, 2020 deadline, companies may have overlooked a key—and potentially costly—requirement in the California Attorney General draft regulations to the California Consumer Privacy Act (CCPA).1 Under these proposed regulations, CCPA-covered businesses are required to ensure that their internal and external notice and privacy policies are reasonably accessible to individuals with disabilities.2
Even before the CCPA came into force, plaintiffs were filing an average of eight website accessibility suits per day in 2019, and a 2019 Ninth Circuit case, Robles v. Domino’s Pizza, LLC, No 17-55504 (9th Cir. Jan. 15, 2019), reaffirmed the application of the Americans with Disabilities Act (ADA) to websites and mobile applications. In 2018, more than 10,000 Title III ADA actions were filed in courts across the country, up approximately 35% from 2017, and the trend continues unabated.
The CCPA portends even more activity along website accessibility lines, both in terms of regulatory enforcement and litigation. The CCPA imposes penalties of up to $7,500 per violation, including accessibility violations, in actions brought by the California Attorney General.3 While the CCPA’s private right of action is confined only to data breaches, the statutory requirement for accessibility could nevertheless result in a private cause of action under other California laws, including the Unruh Civil Rights Act,4 which allows for the potential recovery of $4,000 per violation, treble damages, and attorney’s fees.5
What to do
Whether under the CCPA, ADA or California’s Unruh Act, it is important to understand the need for “effective communication” (in ADA terminology) and accessibility to a company’s web-based privacy disclosures, notices and policies.
Neither the CCPA nor the ADA provides specific metrics or standards of accessibility. That said, the recently revised draft California Attorney General CCPA Regulations specifically reference the Web Content Accessibility Guidelines (WCAG), version 2.1, as among the “generally recognized industry standards” that businesses could follow for their online notices.6 These guidelines often feature in settlements and consent decrees as well. They offer advice such as making transcripts of audio available to those hard of hearing, and making sure website navigation is fully accomplishable through a keyboard. The WCAG standards are not, however, legally enforceable or required by law in order to demonstrate that a website provides “effective communication.”
Moreover, the U.S. Department of Justice, the agency responsible for ADA enforcement, has issued regulations that require places of public accommodation to “furnish appropriate auxiliary aids and services where necessary to ensure effective communication with individuals with disabilities.” These auxiliary aids include “accessible electronic and information technology” or “other effective methods of making visually delivered materials available to individuals who are blind or have low vision.” Unfortunately, the DOJ did not provide any further or more specific guidance.
Although there are other guidelines and tools for determining what may be sufficient, it is also important to note what is likely not sufficient. In Thurston v. Midvale Corp., No. B291631 (Cal.Ct.App. Sept. 3, 2019), for example, the California Court of Appeals upheld a trial court decision finding insufficient a mere email address and telephone number that an individual could call—only during normal business hours—to make a reservation or order food, as opposed to doing so through the website, which is always available. The Court of Appeals also affirmed the trial court’s injunction mandate for the restaurant’s website to comply with the WCAG’s guidelines.
Conclusion
In the race to the January 1, 2020 deadline, companies may have overlooked the CCPA’s accessibility requirement. Particularly with the hefty potential penalties for noncompliance, the time is now to ensure that external and internal-facing privacy policies, notices and procedures are sufficiently accessible.
_____
1See Draft California Attorney General Guidelines at 999.305(a)(2)(d), 999.306(a)(2)(d) and 999.307(a)(2)(d) available at https://us.eversheds-sutherland.com/portalresource/ccpa-proposed-regs.pdf.
2The text of the CCPA requires the Attorney General to establish rules, procedures, and any exceptions necessary to ensure that the notices and information that businesses are required to provide are provided in a manner that “are accessible to consumers with disabilities….” (Cal. Civ. Code § 1798.185(a)(6)).
3A company that intentionally violates CCPA may be fined up to $7,500 per violation. (Cal. Civ. Code § 1798.155(b)).
4The Unruh Civil Rights Act specifies that a “violation of the federal American with Disabilities Act of 1990 shall also constitute a violation of this section,” (Cal. Civ. Code, § 51, subd. (f), but it does not mean that a violation of the CCPA’s accessibility requirement is not also actionable.
5Cal. Civ. Code, § 52(a).
6See Revised Regulations § 999.305(a)(2)(d), 999.306(a)(2)(d), 999.307(a)(2)(d), 999.308(a)(2)(d).
[View source.]
