Alert January 29, 2020

Accessibility and the CCPA

For all that has been written about the California Consumer Privacy Act (CCPA), one often-overlooked requirement is that covered businesses’ transparency disclosures must be accessible to consumers with disabilities. The CCPA does not specify how to meet this requirement; instead, the CCPA delegates the relevant rulemaking authority to the California Attorney General (AG).

Under the AG’s proposed regulations published in October, a company’s privacy policy, notice at the point of collection, notice of the right to opt out of the sale of personal information, and notice of financial incentive must “[b]e accessible to consumers with disabilities.” The proposed regulations clarify that, “[a]t a minimum,” a business must “provide information on how a consumer with a disability may access the notice in an alternative format.” Although the AG has not opined on what exactly this minimum standard would entail, one possible approach would be to, in each CCPA notice, inform and provide consumers with the contact information they could use to obtain a copy of the notice in a format compatible with assistive technology, such as a screen reader or text-to-speech software.

While this approach appears to technically comply with the text of the proposed regulations, it raises an obvious practical Catch-22: how would a visually impaired consumer, relying on a screen reader or other assistive technology, know that he or she can contact the company to get an accessible version of the notice if the notice, or the navigation path to the notice, is not already accessible via assistive technologies? For a CCPA-mandated notice to be truly accessible to consumers with disabilities, it may be necessary for the entire website to conform with the Web Content Accessibility Guidelines. The CCPA thus presents an opportunity for companies to review the accessibility of their websites, which is important not only for potential CCPA compliance, but also because of the increasing threat of lawsuits for violations of the Americans with Disabilities Act (ADA) and other accessibility laws.

While stakeholders await potential additional guidance from the AG when the final CCPA regulations are published, companies interested in learning more about what steps to take to bring their web and mobile assets into compliance with the latest best practices may want to attend a webinar on January 30th co-hosted by Goodwin addressing just that subject. 

The CCPA took effect January 1, 2020. Companies that may be subject to the CCPA should be sure to monitor ongoing developments, including further guidance issued by the AG and publication of final rules.

Authors + Contributors
Karen L. Neuman
Alex J. Moyer
Andrew Kim

Goodwin’s key CCPA team members include: Karen Neuman, Eric DiIulio, Alex Moyer, David Kantrowitz, Jackie Klosek and William Stern.

To learn more about how Goodwin can help your company address privacy and cybersecurity, contact Brenda R. Sharton, partner and Chair of the Privacy & Cybersecurity practice, or Karen L. Neuman, partner and privacy lead, Privacy & Cybersecurity practice in Washington, DC.

Goodwin's Chambers and Legal 500 ranked Privacy & Cybersecurity practice offers a fully integrated, multi-disciplinary approach to clients' data protection needs. One of the longest-standing of any Am Law 50 firm, our global team is uniquely positioned to provide the most innovative solutions to guide clients through the collection, use, processing and protection of their most sensitive information. Our senior lawyers include a former Chief Privacy Officer of the U.S. Department of Homeland Security, a Legal 500 “Leading Lawyer” and a “Next Generation Lawyer” in Cyber Law and Data Breach Response, as well as four other Legal 500 Cyber Law ranked partners, several former federal prosecutors, and multiple GDPR, CCPA, HIPAA, and COPPA experts. We have handled hundreds of data breaches, including high-profile, global incidents involving everything from ransomware to nation-state attacks; have advised on over 700 public and private transactions in the last year alone; and have designed strategic privacy, information security and compliance programs for startups, global enterprises, and everything in between. We have litigated landmark privacy cases and defended against class action and government enforcement actions brought by the FTC, OCR/HHS, state attorneys general and regulators across the globe.