"Accessibility" - Google News - Thursday, January 9, 2020 at 2:18 PM
CCPA, HIPAA, Accessibility, State Laws: Web Compliance Concerns - The National
Law Review
Thursday, January 9, 2020
Websites play a vital role for organizations. They facilitate communication
with consumers, constituents, patients, employees, and the general public. They
project an organization’s image and promote goodwill, provide information about
products and services and allow for their purchase. Websites also inform
investors about performance, enable job seekers to view and apply for open
positions, and accept questions and comments from visitors to the site or app,
among many other activities and functionalities. Because of this vital role,
websites have become an increasing subject of regulation making them a growing
compliance concern.
Currently, many businesses are working to become compliant with the California
Consumer Privacy Act (“CCPA”) which, if applicable, requires the conspicuous
posting of a privacy policy on a business’s website. But, the CCPA is not the
first nor will it be the last compliance challenge for organizations that
operate websites and other online services. However, the CCPA along with the
flood of ADA accessibility litigation are causing many organizations to revisit
their websites and online services to meet the growing compliance burden.
What are some of these requirements?
ADA Accessibility. When people think about accommodating persons with
disabilities, they often are drawn to situations where a person’s physical
movement in a public place is impeded by a disability – stairs to get into a
library or narrow doorways to use a bathroom. Indeed, Title III of the
Americans with Disabilities Act grants disabled persons the right to full and
equal enjoyment of the goods, services, facilities, privileges, advantages, or
accommodations of any place of public accommodation. Although websites were not
around when the ADA was enacted, they are now, and courts are applying ADA
protections to those sites. The question is whether a website or application is
accessible.
Although not yet adopted by the Department of Justice, which enforces Title III
of the ADA, guidelines established by the Website Accessibility Initiative
appear to be the more likely place courts will look to access the accessibility
of a website to which Title III applies. State and local governments have
similar obligations under Title II of the ADA, and those entities might find
guidance here.
HIPAA. For anyone who has had their first visit to a doctor’s office, they
likely were greeted with a HIPAA “notice of privacy practices” and asked to
sign an acknowledgment of receipt. Most covered health care providers have
implemented this requirement, but may not be aware of the website requirement.
HIPAA regulation 45 CFR 164.520(c)(3)(i) requires that covered entities
maintaining a website with information about the entity’s customer services or
benefits must prominently post its notice of privacy practices on the site and
make the notice available electronically through site.
COPPA. The Children’s Online Privacy Protection Act (COPPA) was enacted to give
parents more control concerning the information websites collect about their
children under 13. Regulated by the Federal Trade Commission (FTC), COPPA
requires websites and online services covered by COPPA to post privacy
policies, provide parents with direct notice of their information practices,
and get verifiable consent from a parent or guardian before collecting personal
information from children. COPPA applies to websites and online services
directed to children under the age of 13 that collect personal information, and
to sites and online services geared toward general audiences when they have
“actual knowledge” they are collecting information from children under 13. Find
out more about compliance here.
FTCA. Speaking of the FTC, that agency also enforces the federal consumer
protection laws, including section 5 of the Federal Trade Commission Act (FTCA)
which prohibits unfair and deceptive trade practices affecting commerce. When
companies tell consumers they will safeguard their personal information,
including on their websites, the FTC requires that they live up these promises.
Businesses should review their website disclosures to ensure they are not
describing privacy and security protections that are not actually in place.
CCPA. As mentioned above, a CCPA-covered business that maintains a website must
post a privacy policy on its website homepage through a conspicuous link using
the word “privacy,” on the download or landing page of a mobile application.
That is not all. The website must also provide certain mechanisms for consumers
to contact the business about their CCPA rights, such as the right to require
deletion of their personal information, and the right to opt-out of the sale of
personal information. The latter must be provided through an interactive
webform accessible via a clear and conspicuous link titled “Do Not Sell My
Personal Information,” or “Do Not Sell My Info.”
GDPR. In 2018, the European Union’s General Data Protection Regulation (GDPR)
became effective in 2018 and reached companies and organizations globally. In
general, organizations subject to the GDPR which collect personal data on their
websites must post a privacy policy on their website setting for the
organization’s privacy practices.
CalOPPA. The California Online Privacy Protection Act (CalOPPA) requires
commercial operators of online services, including websites and mobile and
social apps, which collect personally identifiable information from
Californians to conspicuously post a privacy policy. Privacy policies should
address how companies collect, use, and share personal information. Companies
can face fines of up to $2,500 each time a non-compliant app is downloaded.
Delaware and Nevada. In 2016, Delaware became the second state to have an
online privacy protection act, requiring similar disclosures to those under
CalOPPA. Nevada enacted website privacy legislation of its own. First, like
DelOPPA and CalOPPA, NRS 603A.340 requires “operators” to make a privacy notice
reasonably accessible to consumers through its Internet website or online
service. That notice must, among other things, identify the categories of
covered information the operator collects through the site or online service
about consumers who use or visit the site or service and the categories of
third parties with whom the operator may share such covered information. In
general, an operator is a person who: (i) owns or operates an Internet website
or online service for commercial purposes; (ii) collects and maintains covered
information from consumers who reside in this State and use or visit the
Internet website or online service; and (iii) engages in any activity that
constitutes sufficient nexus with this State, such as purposefully directing
its activities toward Nevada. Effective October 1, 2019, Nevada added to its
website regulation by requiring operators to designate a request address on
their websites through which a consumer may submit a verified request to opt
out of the sale of their personal information.
This is by no means an exhaustive list of the regulatory requirements (we’ve
focused generally on privacy and security) that may apply to your website or
online service. Organizations should regularly revisit their websites not just
to add new functionality or fix broken links. They should have a process for
ensuring that the sites or services meet the applicable regulatory requirements.
Jackson Lewis P.C. © 2020
https://www.natlawreview.com/article/websites-growing-compliance-concern-ccpa-hipaa-accessibility-state-laws
David Goldfield
Assistive Technology Specialist
Feel free to visit my Web site
WWW.DavidGoldfield.info