How to Ensure Your Website Is Compliant
It’s 2022. Is your website ready for the new year? One of your resolutions should be to ensure that your business website is compliant with regulations and standards. There are three particular compliance areas that will protect your business and help your customers alike. EP Host examines each, starting from the most recent.
California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act, or CCPA, took effect on January 1, 2020. As with a number of other regulations in areas as diverse as warning labels and car emissions, California’s regulations are stricter than those found elsewhere in the United States — and in some respects, even more stringent than the GDPR. The starting assumption under the CCPA is that Californians own their personal information. The law sets out five provisions to enforce that, and allows consumers to sue companies for non-compliance even if no breach (data loss, theft, or exposure) has occurred.
- Transparency in data collection: Your company’s privacy policy should spell out the personal information your business gathers and the uses to which it’s put, and should be able to provide more information upon request.
- Knowing the use of data sold, and the ability to opt out: If your business benefits — either monetarily, or by gaining some other value — through the sale or sharing of personal information, you must disclose this, and provide a means to opt out. The only exception here is for those aged 16 and under, who must explicitly opt in to having their data sold or shared.
- Access to data: Upon request, businesses must furnish customers’ personal information, the sources from which the information was obtained or purchased, and any third parties with which it has been shared.
- The right to deletion: While businesses have the right to retain information to the extent that it’s required by law (including certain legal, medical, or financial records), consumers have the right to ask that non-essential personal data be deleted.
- The right to be free from discrimination: Exercising one’s rights under the act shall not result in penalties such as higher prices charged, the provision of goods or services of a differing quality, or the refusal of goods and services.
Web Content Accessibility Guidelines (WCAG)
The W3C updated the Web Content Accessibility Guidelines (WCAG) to Version 2.1 on June 5, 2018. WCAG 2.1 updates 2008’s 2.0 standards to add guidance for mobile devices, users with low vision, and people with cognitive and learning disabilities. Broadly speaking, WCAG is an ISO/IEC 40500:2012 standard that addresses four key performance areas on websites:
- Perceivable, including text alternatives for non-text content, captions, and aids for visibility and audibility.
- Operable, including support for alternate inputs, clear navigation, and content that does not cause physical reactions or seizures.
- Understandable, meaning that text should be clear and readable, and that content (including links and input fields) behaves in ways that are predictable.
- Robust, meaning that sites should operate across a wide variety of current and future tools.
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) took effect on May 25, 2018 as a replacement for the patchwork web of rules and regulations that had previously governed data protection in the European Union. As with the CCPA, failure to comply can still leave you with liability exposure regardless of whether you have clients in the covered area. GDPR compliance should be spelled out on your website’s Privacy Policy page (or a page of its own, if you prefer), and should include:
- Consent: The nature of data collected, as well as its use, sale, or distribution, must be spelled out in plain language. Consent must be affirmative, and should be as easily revoked as it was given; furthermore, each instance of data use requires a new consent request.
- Breach notification: In the event of a security breach, all data subjects must be informed within 72 hours of the breach’s first discovery in as many forms as are deemed necessary — including, but not limited to, public announcements, emails, SMS, or telephone message.
- Right to access: Similar to CCPA, the GDPR affords data subjects full access to their information and its use, in digital format upon request, free of charge.
- Right to be forgotten: Upon the data subject’s request, their personal information must be erased by the holder, after which point it may no longer be processed or further disseminated; as with CCPA, there are exceptions carved out for the retention of certain data, but even that may not be retained once it’s no longer relevant.
- Data portability: Personal data should also be portable free of charge, sent to another processor or provider on the data subject’s request.
- Privacy by Design: In short, privacy should be the default option, with a priority placed on data protection and the rights of data subjects; to this end, only sufficient data for day-to-day operations should be gathered, and access to it limited only to employees with a need to know.
- Data Protection Officers: This provision is murky, since large enterprises — which, as of this writing, remain ill-defined — are required to employ a data protection officer to oversee GDPR application and compliance.
Get Help From the Pros
As important as they are, the three compliance areas listed above are only the beginning of many businesses’ online compliance concerns. Specific industries will often have additional regulatory boxes to check, including ADA website accessibility standards, and HIPAA and Sarbanes-Oxley compliance, to name just a few. Because failure to comply can be expensive — leading to loss of reputation, fines, lawsuits, and worse — we invite you to contact EP Host for help navigating your most urgent web compliance needs, including San Diego web design and development that builds compliant sites from scratch.