GDPR, CCPA & ADA Regulations

GDPR, CCPA and ADA, three little acronyms that may have a big effect on your business and its website. You may have been hearing or reading about these acronyms in the news for years now, but what do they really entail? 

At Gravity, we value keeping our clients informed about important website rules and regulations. So, we put together some brief information on each regulation to help better inform you of how they may apply to your business: 

What are GDPR & CCPA? 

GDPR is the General Data Protection Regulation. It is legislation that requires businesses to protect the personal data and privacy of citizens within the European Union. It went into effect on May 25, 2018. It focuses primarily on the ‘processing’ of data, safekeeping of data, and handling data breaches.  

The California Consumer Privacy Act (CCPA) was passed in June 2018 and is one of the nation’s first statewide data privacy laws. It officially went into effect on January 1, 2020. Companies are required to disclose what data will be collected and how it will be used, as well as provide a method to delete and stop selling it if the customer requests.  

Why is this all happening now? 

In short, it's due to increased data breaches ( https://www.identityforce.com/blog/2019-data-breaches) and questionable uses of collected data. ( https://www.wired.com/story/23andme-glaxosmithkline-pharma-deal/). Lawmakers and average citizens are demanding better protections and more transparency surrounding users’ personal data.  

Who do these laws apply to? 

GDPR applies to businesses that have: 

• A presence in a European Union country.
• No presence in the EU butprocesses personal data of EU residents. 
• More than 250 employees.
• Fewer than 250 employees but its data-processing impacts the rights and freedoms of data subjects, is not occasional or includes certain types of sensitive personal data.

So, basically all businesses! 

CCPA applies to any business in California or companies that do business or have customers (or potential customers) in California AND meet one of the following criteria  

• Annual gross revenue is more than $25 million.
• The organization receives, shares, or sells personal information of more than 50,000 individuals.
• A company earns 50% or more of its annual revenue from selling personal information of consumers.

Most agree that the CCPA will be the defacto  privacy law in the U.S. as many other states are already using it as a template to draft their own privacy legislation. Non-compliance can result in fines up to $7,500 per violation. The CCPA does allow the business in violation 30 days to cure the problem once notified in writing. 

What is considered personal data? 

GDPR and CCPA have similar definitions of "personal data." However, the CCPA does outline some specific exclusions. There is a good chart of similarities and differences here.

According to the CCPA, personal information is “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” It goes on to list a bunch of obvious things such as:    

• Real name
• Postal address
• Unique personal identifier
• IP address
• Email address
• Account name
• Social security number
• Driver’s license number
• Passport number, etc.

The law also includes some not so obvious data such as: 

• Biometric data
• Browsing history
• Employment or educational data

Woof, that’s fun. If you just love legislative documents, you can read the entire CCPA bill.

Or if you really have time on your hands, the GDPR.

What does it all mean? 

Both pieces of legislation aim to change how businesses collect and handle data collected on the web. The stated intent of the CCPA is to “further Californians’ right to privacy by giving consumers an effective way to control their personal information”. The rights outlined in CCPA are:  

1. The right to know what personal information is being collected about them.
2. The right to know whether their personal information is sold or disclosed and to whom.
3. The right to say no to the sale of personal information.
4. The right to access their personal information.
5. The right to equal service and price, even if they exercise their privacy rights.

Any compliance exercise will involve multiple teams working together to ensure the business is adequately covered. Your legal counsel should be involved in helping determine your obligation to the CCPA and how your company can comply with it. Among other things, you may need to:  

• Map out consumer data collection processes to understand what data you have and where it goes
• Update your privacy policy
• Add a “Do Not Sell My Personal Information” link to your site
• Avoid requesting opt-in consent for 12 months after a California resident opts out 
• Implement processes to obtain opt-in consent for minors
• Parental or guardian consent for minors under 13 years
• Affirmative consent of minors between 13 and 16 years
• Develop a process to handle requests from users
• Audit your current security processes

Gravity can work with your legal team and other stakeholders to implement key functionality on your website to help achieve and keep you in compliance.  

What is ADA & ADA compliance for websites?

Lately, there have been quite a lot of stories about ADA compliance in the news. You might have followed the lawsuit filed against Dominos, or seen it in an advertisement. Either way, you are probably wondering if it applies to you and what it means.  

ADA, the American with Disabilities Act, was first signed into law on July 26th of 1990. The purpose was to prevent discrimination against individuals with disabilities. This brought important updates including wheelchair-accessible entrances, wheelchair-accessible restrooms and telephones with options for people with hearing or speech difficulties. At this time, the internet as we know it today was just getting started, so no one worried about making it accessible to everyone.  

Fast forward a few decades and the Internet is now a staple in most people’s lives. Kids are going to school with iPads connected to online classroom tools, a ton of shopping is done  online and it seems no one is able to pick a restaurant without checking reviews first. This has created problems for individuals with disabilities if they are unable to use websites as non-disabled people do. In one instance, Target’s website was built in such a way that some people were not able to buy products online. The prices were more expensive in-store than online so people with disabilities were having to pay more purely because they couldn’t use a computer like a non-disabled individual. The Target lawsuit (along with a few others) kicked off a movement to make the Internet accessible to anyone  and the ADA law was expanded to include websites. 

While we don’t have specific laws like the initial ADA law, people generally accept W3C’s WCAG 2.1 guidelines to be the gold standard for website accessibility (In 2014 the DOJ adopted WCAG 2.0 as their  standard ). You can read more about it here.

These guidelines outline everything designers and developers need to think about while creating a website so everyone can use it. Some examples include:  

• Color contrast: Making sure the contrast between text and the background color are different enough to ensure even  people with impaired vision can read the text. 
• Resizing text: Making sure text on a page can be resized without completely breaking the design for people who are hard of seeing.
• Captions on images: Making sure that images have an accurate alt tag so that screen reader tools can describe to someone who is blind what the image is depicting.
• Keyboard instead of a mouse: Since some people are unable to use computer mice due to mobility issues, a website should be accessible by using a keyboard, namely the ‘tab’ key to scroll through a website.
• Remove time restrictions: Whenever possible, removing all time restrictions or allowing a user to extend the time to interact is a must. Some users might move slowly due to a disability and we don’t want a form to keep resetting on them. There are some exceptions, including timed  tests but these have specific rules around them.
• Correct headings and labels: It’s important to make sure that a screen reader can scan through the website and tell a user what is headline text and what should go in each form field. Using HTML elements correctly is imperative to enabling screen readers to do their job properly.
• Don’t require movement: It’s important that websites don’t require a user to move a mouse to click on something. Even if a user can move a mouse, it can be hard to  click on a moving target.

There are a ton of other guidelines, all can be found here.

The WCAG 2.1 guidelines also come in three levels - A, AA, or AAA. Each is progressively harder to achieve, so it’s important to identify what level of compliance your site needs. Level A is just the absolute basics that every site should comply with. These include things like easier color ratio restrictions, page titles, and image descriptions. AA is optimal for most sites, especially sites that have eCommerce or are widely used. AA follows A guidelines but also include things like identifying programmatically what language a website's content is, consistent navigation throughout the site and input errors. AAA is the strictest of them all and requires a lot of effort to achieve compliance. The color ratio is the strictest, you need to have prerecorded videos with captions, a script, someone doing sign language, and a way to explain the full meaning of an abbreviated text, amongst other things.  

Gravity recommends that all sites are AA compliant and only sites specifically for people with disabilities address AAA requirements. However, it’s always important to connect with your legal team to make sure they don’t have other regulations they want you to follow. While Gravity has worked on numerous ADA websites, we always recommend getting your legal team to sign off on the site or using a third-party certification company to do the final inspection prior to launch. Also, remember that websites initially compliant can become un-compliant over time as the site is updated. Make sure you train your team on the regulations and do semi-annual checks to keep your site accessible!  

What happens if you get sued?  

We can help. If you are being sued, please provide us with all documentation filed against your company so we can use that as an initial checklist to come to an agreement on how we could get everything updated ASAP. If you are worried about a potential lawsuit, we recommend getting your website evaluated and certified by a  third-party website ADA compliance specialist. Either way, let us know if you need help making sure your website is WCAG 2.1 AA compliant. We can customize a plan that ensures everyone has the best possible experience on your site!