Digital Accessibility Blog

California’s CCPA and Digital Accessibility: What Businesses Should Know

Written by Caroline | Feb 15, 2022

The California Consumer Privacy Act of 2018 (CPPA) requires for-profit businesses to provide information about data collection and sharing practices. That information needs to be presented in a manner accessible for people with disabilities, and the act suggests conformance with the Web Content Accessibility Guidelines (WCAG) 2.1 Level AA, the consensus standard for accessibility.

If the CPPA applies to your business, you’ll need to create privacy policies that are reasonably accessible for most users. In this article, we’ll discuss the most important features of the CPPA and provide a framework for ensuring compliance with the act’s digital accessibility requirements.

An Overview of the CCPA’s Requirements and Penalties

As one of the country’s most extensive consumer protection laws, the CPPA is intended to provide consumers with more information about the way that their personal information is collected and utilized. 

The CCPA secures California consumers' rights to: 

  • Learn how a business collects, uses, and shares their personal information
  • “Opt-out" to prevent a business from selling their personal information
  • Request deletion of any collected data (with exceptions)

Under the CPPA, companies must provide an accessible mechanism for “opting out" — refusing to allow the business to sell their private information. (“cookies" are small pieces of data used to identify users and their computers). This opt-out mechanism must be accessible. Additionally, businesses must inform consumers that their information is being collected with a clearly written privacy policy.

Does your business need to comply with the CCPA?

The CCPA only applies to businesses that meet one or more of the following conditions:

  • Has a gross annual revenue of over $25 million.
  • Buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices.
  • Derives 50 percent or more of its annual revenue from selling consumers' personal information.

Penalties for non-compliance include fines of $2,500 for each violation or $7,500 for each intentional violation (after California provides notice and a 30-day opportunity for remediation). While the act only applies to businesses operating in California, more than a dozen states have introduced legislation modeled after the CCPA.  

Privacy Policies and Cookie Consent Under the CCPA

Businesses must provide “two or more designated methods" for requesting information that will be disclosed to other organizations. Those methods must include a toll-free phone number and a website address (if the business maintains a website).

Here’s the exact language from the bill:

“A business that collects a consumer’s personal information shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used. A business shall not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice consistent with this section.”

Crucially, the CCPA requires notifications “at or before the point of collection.” In other words, a business can’t collect personal information and tell the consumer later — and if the business collects data through cookies, consumers must have the option to opt-out before the data collection begins. 

CCPA Compliance and Web Accessibility

So, why is website accessibility important for CCPA compliance? 

Unlike other privacy laws, the CPPA specifically requires that businesses offer a webpage with privacy policy information in an accessible format. While the bill doesn’t include a specific definition for “accessible,” California Code of Regulations § 999.308 (a) (2) (d) applies to privacy notices and specifically cites WCAG:

“[Notifications must] be reasonably accessible to consumers with disabilities. For notices provided online, the business shall follow generally recognized industry standards, such as the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide Web Consortium, incorporated herein by reference. In other contexts, the business shall provide information on how a consumer with a disability may access the notice in an alternative format.”

And since the CCPA effectively requires opt-in for private information collection, many websites will comply by introducing cookie consent banners, which fill a portion of the user’s screen with a notification about the website’s cookie policy. Needless to say, these banners should also conform with WCAG checkpoints.

In order to comply with the CCPA and the Americans with Disabilities Act (ADA), cookie notifications must be accessible for people with disabilities. WCAG Level AA has been cited as a reasonable standard for accessibility in ADA court cases and structured settlements, and the State of California recommends (but does not explicitly require) WCAG 2.1 Level AA conformance.

Forming a Plan for CCPA Accessibility Compliance

For webmasters, there’s some good news: The WCAG framework provides clear guidance for creating accessible content. By building cookie banners and privacy policy pages with an accessible mindset, your organization can maintain compliance while offering a better experience to users.

Some tips to keep in mind:

  • Make sure cookie consent banners can be navigated with a keyboard alone (no mouse). 
  • When using third-party cookie banners, evaluate them carefully to make sure they conform with the best practices of WCAG 2.1 Level AA
  • Use appropriate color contrast throughout your website. Don’t forget to check contrast ratios on cookie banners. 
  • Make sure opt-out forms have clear labels and test them for keyboard accessibility.

To ensure compliance with the CCPA and similar consumer protection laws, work with an experienced accessibility partner. The Bureau of Internet Accessibility can help your brand identify and remediate barriers, meet WCAG conformance standards, and create a long-term strategy to maintain compliance. Send us a message to get started.