n this latest installment of our ongoing consumer privacy series, we focus on potential digital and offline accessibility requirements in the context of the wave of new U.S. state consumer privacy laws. For our most recent article, click here.
In the continued absence of a comprehensive federal privacy law, a wave of new state privacy laws is filling the gap. As of August 2023, there are 11 states that have passed such laws, including two of the largest states in the country, California and Texas.
However, not every region is riding the wave. Thus far, Connecticut is the only state in New England or the Northeast to get on board. But, with active privacy bills working their way through additional state legislatures, including Massachusetts, New Jersey, and Pennsylvania, it is only a matter of time before such laws span from coast to coast. As more laws are adopted, it becomes increasingly critical for businesses to understand how the subtle and not-so-subtle differences within these laws affect compliance efforts.
This alert covers one such area of difference in particular: accessibility requirements for individuals with disabilities. The past few years have seen a significant upward trend in digital accessibility lawsuits. These lawsuits often allege violations under the Americans with Disabilities Act, although some recent cases include additional claims under local laws such as the New York State Human Rights Law.
Although many state privacy laws explicitly omit a private right of action, they may nonetheless be a new basis for claims against businesses under consumer protection and other state laws. In this alert, we’ve categorized into two groups the 11 states with privacy laws based on the extent of and detail surrounding each state law’s potential accessibility requirements and proposed next steps for businesses looking to address accessibility in their privacy compliance.
The Toughest Accessibility Standard: California and Colorado
California and Colorado are particularly distinctive in that accessibility requirements are outlined in both the privacy statutes and accompanying regulations. In California, state privacy law provides that businesses shall comply with its requirements in a form that is reasonably accessible to consumers. The recently adopted regulations from the California Privacy Protection Agency indicate that accessibility requirements apply to a wide range of disclosures, including privacy policies, notices at collection (e.g., cookie banners or pop-ups), notices of a financial incentive to consent to data collection, and notices regarding a consumer’s right to opt-out of the sale or sharing of personal information and to limit the use of sensitive personal information.
In Colorado, the state privacy law itself appears to apply an accessibility requirement only to privacy notices. However, related regulations claim a broader reach. Specifically, the regulations indicate that all disclosures, notifications, and other communications to consumers under the law should be reasonably accessible to consumers with disabilities. The regulations reference the use of digital accessibility tools as one way for businesses to comply.
Neither state’s law defines reasonable accessibility. However, regulations in both states refer to industry standards, such as the Web Content Accessibility Guidelines (WCAG) 2, for online notices. Because WCAG 2 applies only to digital content, the regulations reference unspecified “alternative formats” for other contexts. Note that WCAG 2 is the compliance standard recently proposed by the Department of Justice for digital accessibility regulations for public entities, as well as the standard most commonly referenced by federal courts in digital accessibility litigation.
Privacy Notice Only States: Connecticut, Indiana, Iowa, Montana, Tennessee, Texas, Utah, Virginia, Oregon
In the nine remaining states, state privacy laws require businesses to provide consumers with a reasonably accessible privacy notice, but accessibility requirements don’t appear to apply expressly to any other disclosures or communications that a business might provide. As with California and Colorado, the law itself does not define a standard for reasonably accessible. However, unlike California and Colorado, no accompanying regulations exist to fill in the gap. Note that recently passed legislation in Delaware, which closely resembles the Connecticut law, would join this category if the governor signs it into law.
We suggest adopting an industry standard such as WCAG 2 to meet the accessibility requirements for digital privacy notices in these states. As with California and Colorado, businesses should also perform an accessibility review for offline communications.
And, as with any privacy issue, compliance is a team sport. Complying with new state laws will require a cross-functional team, including in-house counsel, outside counsel, web and systems development, and customer service or operations. With so many new state privacy laws on the horizon, establishing the team early and reaching consensus on approach will significantly reduce the lift required to comply as new laws become effective.
In our next installment, we’ll summarize recently considered and proposed pending consumer privacy bills in state legislatures throughout New England.