Just announced: Level Access and eSSENTIAL Accessibility agree to merge! Read more.

co-authored by Tim Springer

The California Consumer Privacy Act of 2018 (CCPA) is a consumer protection law in the State of California. The CCPA extends the privacy and consumer rights of residents of California. It includes a variety of requirements for notices on privacy policies and opt out requirements to be provided to California consumers. Notably, for digital accessibility, it provides requirements to ensure the accessibility of online privacy policies and notices.

The CCPA governing law is part of the California Civil Code—the body of laws for the state of California. It can be found at Title 11 “Law,” Division 1 “Attorney General,” and Chapter 20 “California Consumer Privacy Act Regulations” in the California Civil Code. For this post we’ll refer to that as California Civil Code, with references to the specific sub-sections of that code.

The CCPA only applies to for-profit businesses that collect consumer personal data and do business in the state of California and meet any of the following criteria:

  • Over twenty-five million dollars a year in gross revenue;
  • Collects the personal information of 50,000 or more consumers, households, or devices; or
  • Derives 50 percent or more of its annual revenues from selling consumers’ personal information.

(California Civil Code 1798.140)

The Act is organized around a variety of broad protections that are provided to residents of California. These protections span a variety of areas, but include the following key items:

  • Residents have the right to know what information is being collected about them
  • Residents have the right to know if their information is being sold or transferred to another party and to whom it is being sold or transferred to.
  • Residents have the right to block or “opt out” of the sale of their personal data.
  • Residents have the right to access what personal data is being stored about them.
  • Residents have the right to request the deletion of their personal data.

In addition, if the resident exercises any of the above rights they cannot be discriminated against.

The Act directs the Attorney General of California to adopt regulations that, among other things, “ensure that the notices and information that businesses are required to provide pursuant to this title are provided in a manner that may be easily understood by the average consumer, are accessible to consumers with disabilities.” (California Civil Code 1798.185) The subsequent regulations adopted the WCAG 2.1 requirements but didn’t specify the level of conformance with those requirements.

Notices and Requirements

Under the CCPA, the covered business must provide a variety of notices to consumers on how their data is being used. In general, these include the following types of notices:

  • Privacy Policy – All businesses covered by the CCPA must provide a privacy policy.
  • Notice of Collection – All businesses that collect personal information from a consumer must provide a notice at the time of collection covering what data is gathered.
  • Opt Out – Any business that sells personal information must provide a notice of the right to opt-out of the sale of that data.
  • Financial Incentive – If a business provides a financial incentive, price or service difference based on the authorization to collect or sell personal information they must provide a notice of it.

(California Code of Regulations § 999.304)

In addition, the law places a variety of requirements on businesses in terms of the method a business must implement to conform to the law. This includes methods of obtaining consent from and for minors related to the use of personal data, providing methods for opting out of collections and rules on when California residents can be asked to opt back in.

Accessibility Impact

Notable in the CCPA is the consideration for digital accessibility defined in the Act. As noted above, the Act directs the Attorney General of California to adopt regulations to ensure that notices and information provided pursuant to the Act are accessible to people with disabilities.

The regulations focus on three specific notices required by the Act and the general requirement that a privacy policy be provided by the covered business. The following notices are included:

In addition, the overall privacy policy provided by the business must be provided in a method that is reasonably accessible to people with disabilities. (California Code of Regulations § 999.308 (a) (2) (d))

The three notices and privacy policy generally include the same language for accessibility which reads in the following fashion:

[The thing must be] “reasonably accessible to consumers with disabilities. For notices provided online, the business shall follow generally recognized industry standards, such as the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide Web Consortium, incorporated herein by reference. In other contexts, the business shall provide information on how a consumer with a disability may access the notice in an alternative format.”

This approach would allow access to be provided in other methods that follow “generally recognized industry standards” but make it quite clear that the expected standard is the WCAG 2.1 requirements.

So, what level of WCAG conformance is required?

Interestingly, the regulations do not specify a level of WCAG conformance that is required. Conformance with the WCAG is recommended, but only insofar as it is an example of a “generally recognized industry standard.” Absent specific direction in the regulation we typically revert to the rulemaking process and related notes provided by the promulgating agency to see if specific direction can be gleaned.

A little more depth on the approach can be provided through the review of the regulatory record. First stop on that, the final statement of reasons issued by the State of California DoJ contemporaneously with the final regulations. Two items worthy of note in that:

First, it adjusted the requirement that the notice be “accessible” to “reasonably accessible” to consumers with disabilities. This adjustment is necessary to address public concerns that “accessible” is an overly broad term that goes beyond what may be reasonable in some circumstances, particularly for smaller businesses.

The subsection was also modified to add that for online notices, businesses must follow generally recognized industry standards, such as the Web Content Accessibility Guidelines (World Wide Web Consortium, Web Content Accessibility Guidelines (WCAG) 2.1 (June 5, 2018) <https://www.w3.org/TR/WCAG21/> [as of May 21, 2020]) (hereafter WCAG). This standard for making web content accessible by desktops, laptops, tablets, and mobile devices was developed through the cooperation of individuals and organizations around the world, with a goal of providing a shared standard for Web content accessibility that meets the needs of individuals, organizations, and governments internationally. Since the issuance of the first version in 1999, the WCAG has become the dominant standard for web accessibility in the United States. This change is necessary to address several public comments asking for additional more specific guidance regarding what would be considered accessible to consumers with disabilities.

In addition, there is some further logic in why the DoJ included the WCAG requirement pursuant to comments provided during the comment period. Notably:

The OAG [Office of Attorney General] considered and rejected the alternative of deleting the requirement to comply with the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide Web Consortium. This alternative is not as effective in providing meaningful notice to consumers about their privacy rights. The CCPA requires that the notice be accessible to consumers with disabilities. (Civ. Code, § 1798.185, subd. (a)(6).) The regulations limit the burdens on business by only requiring them to follow an already recognized industry standard, which reduces the burden on business in complying with a mandated standard that may be novel or not widely adopted.

Combined together, we can extract the final requirements:

  • The level of accessibility provided must pass the definition for “reasonable” and is meant to be qualified, not unlimited.
  • Conformance to the WCAG is provided as an example approach because it is likely to provide a better user experience for people with disabilities.
  • Conformance to a widely recognized industry standard is presumed to be cheaper than creating a custom, one off approach to accessibility for a specific system.

Given all that, we’d counsel that WCAG 2.1 AA conformance level most broadly meets the definition of compliance here. The AA level is by far the most widely adopted and is seen, by virtually all experts in the space, as meeting the definition of “reasonable” accessibility. The AA level is also the de-facto industry standard and is broadly “recognized” as the appropriate level of WCAG conformance.

Learn how to translate CCPA accessibility requirements into actionable guidance for websites and mobile apps in The CCPA & Digital Accessibility: Implementing the Requirements.