Ignoring California standards like the CCPA and Unruh Act will cause significant risk even for organizations based outside of the state.
Federal laws are a minimum standard that must be followed by every entity they apply to in every US state/territory. The Supreme Court stated in Geier v. American Honda Motor Co. that individual states are allowed to pass laws that will “establish greater safety than the minimum safety achieved by a federal regulation intended to provide a floor.” California has grabbed on to that “greater safety than the minimum” part of the Geier case with a pretty strong grip. Let’s look at how this “floor/safer” federal/state balance has worked in the non-tech world.
- The federal EPA set guidelines for car gas mileage and air pollution
- California didn’t think those were good enough, and Californians were largely willing to pay more to reverse the choking pollution that had saturated the area in the 70s
- California passed stricter guidelines for within the state
- The current administration loosened the federal regulations, and then threatened legal action to undermine California’s stricter requirements
- California executed an end-run around this by making a private deal with auto manufacturers
Why is it California that matters? California:
- is the largest state in the US
- has a population larger than many countries
- has the 5th largest GDP in the world (ranking just behind Germany and above the UK)
So why shouldn’t California have the right to define regulations that protect its citizens more strongly than the federal floors?
Because California is going down this road right now, woe be to the company outside of California that ignores California law and then tries to sell to California citizens. I have already written about the Unruh Act and recent California case law tying the Unruh Act (which comes with an automatic $4000 per violation fine) to digital accessibility. This article will focus on a law that is about to come into force: The California Consumers Privacy Act.
California Consumers Privacy Act
The CCPA (California Consumer Privacy Act) includes a specific requirement that privacy notices be accessible and have alternative format access clearly called out. This law is taking effect Jan 1, 2020. Fines range from $2500 to $7500 per instance, so you don’t want to mess around. Because this is the “California Consumers” privacy act, it doesn’t just affect companies that are based in California, it affects companies doing business in California. Which is in effect, almost everyone in the US, unless you specifically block viewers with IP addresses known to be in California.
Who does the CCPA Apply to?
Unlike the Unruh Act which leverages ADA requirements, the CCPA has it’s own guidelines. It is mostly intended to apply to larger companies. Organizations that must comply with the CCPA include those that:
- Have $25 million or more in annual revenue; or
- Possess the personal data of more than 50,000 “consumers, households, or devices” or
- Earn more than half of its annual revenue selling consumers’ personal data.
The California legislature also exempted a few types of companies. These are:
- Health providers and insurers already under HIPAA
- Banks and financial companies covered by Gramm-Leach-Bliley
- Credit reporting agencies (Equifax, TransUnion, etc.) that come under the Fair Credit Reporting Act
CCPA Fine Print
Use plain straightforward language
There are many studies on the average reading grade level in the US. Most of these studies place the average at between 6th and 8th grade. Basic contract legalese isn’t going to work here. If flowery, complex language is used, it is going to leave a lot of consumers not really understanding what they just agreed to. Read this article on how complicated language is discriminatory, and how to make it more accessible to all.
Make the policy readable
“Readable” in this part of the regulation pertains to actually being able to perceive the text, not understand it. To satisfy this part of the regulation:
- Zoom/Magnification *must* work. Both built-in (pinch-to-zoom and <Ctrl-+> and external (Zoomtext) should work
- HTML must be responsive (not explicitly stated, but the call out of “small screens” really strongly implies it)
- Icons and other interactive components must be big enough to easily use
- Icons and other interactive components must have enough contrast to be easily seen
Be accessible to consumers with disabilities
California case law has repeatedly identified WCAG 2.0 Level AA as the applicable standard in determining whether or not a website or mobile app is accessible. However, in specifically calling out “small screens” in 999.308(b) above, the CCPA has implicitly triggered three WCAG 2.1 standards (responsive, non-text contrast, and touch target size), and the touch target size guideline is a WCAG 2.1 AAA standard.
Provide Alternate Formats
The types of alternate formats that can be requested include but probably aren’t limited to:
- Captions. FYI, captions are a Level A WCAG guideline, so if you aren’t already doing this, you are likely out of compliance.
- Descriptive audio. Another Level A WCAG guideline.
- Large print
- Electronic text
- ASL interpretation for pre-recorded video sound tracks
Some of these alternate formats (Braille and Large Print, for example) have their own strict requirements in California in terms of how they are produced.
If you are searching for vendors when the request for an alternate format comes in, chances are you are NOT going to provide the information in the requested format in a commercially reasonable time frame. The time to start setting up these relationships, especially for larger companies, is now.
The CCPA will go into effect on January 1, 2020. The California Attorney General, who generally enforces the CCPA, will adopt regulations on or before July 1, 2020. Enforcement actions will not be brought until 6 months after the publication of such regulations or July 1, 2020.
There are already several companies making CCPA compliant privacy / cookie / consent software. If you don’t feel capable of creating your own, consider using one of theirs. Hint: Googling CCPA brings up a number of ads from these companies.