Ask these 3 questions about accessibility, consumer privacy and auto renewal requirements
By: William M. Miller
In this digitally dependent world, the first contact that many consumers have with a company is through its website. As a result, more than ever, it is essential to have a website that complies with both United States and foreign laws, not only to safeguard potential and existing customers but also to avoid costly lawsuits that may result from non-compliance. Below are three questions every company should ask about its website.
Is the Website Accessible to Individuals with Disabilities?
With a few exceptions, it is well established that any retail website doing business in the United States must be accessible to individuals with disabilities, particularly where the business also sells through brick-and-mortar stores. As a practical matter, this means the website must be coded so that it can interface with the screen reading software that enables a disabled person to access it.
While there are no federal or state standards describing what needs to be done in order for a website to be accessible, the de facto standard (which has been used by the United States Department of Justice and approved by courts) is the Web Content Accessibility Guidelines (WCAG) 2.1.
The WCAG 2.1 Guidelines set technical standards that a website needs to meet to ensure that a screen reader will be able to interact with the website and allow a disabled person access.
In order to meet some level of the WCAG 2.1 guidance (most frequently WCAG 2.1 AA), companies without dedicated IT and website teams typically employ third-party consultants that can audit a website and advise on what steps are necessary to bring a site into compliance (if it is not already). The consultants can then recommend policies to be put in place so a website can maintain a level of compliance.
There are a variety of different methods consultants employ in order to bring a website into compliance, ranging from code-based solutions to application-based systems that act as an interface with screen readers.
Disability advocates believe that some methods of compliance are more effective than others. As a result, when choosing a method of compliance, it is important to evaluate the pros and cons of each before implementation.
Ensuring that a website is accessible is particularly important as compliance, or lack thereof, is frequently the subject of litigation. For a company doing business nationally, suits are often filed in California, New York or Florida, but they can be filed anywhere a company is doing business. These lawsuits can be difficult to defend if a business is not vigilant, as it is easy for a website to slip out of compliance.
This fact makes monitoring a website’s compliance, and then suing over its deficiencies, profitable for enterprising plaintiffs. Frequently these types of matters are more cost-effective to resolve with an early settlement than they are to litigate, which has driven the rapid increase in these types of filings by plaintiffs’ attorneys who are looking for a quick, easy “score.”
Lawsuits regarding website compliance have recently faced increased scrutiny, particularly where there is no nexus to a particular physical location. There has long been a split in the different federal Courts of Appeals regarding the issue of whether “online only” businesses are considered to be “places of public accommodation” within the meaning of Title III of the Americans with Disabilities Act (ADA).
Some courts believe a physical location is necessary, while others believe that the ADA applies regardless of whether the business has a brick-and-mortar storefront. Last summer, the California Court of Appeal took the more conservative approach, ruling that a website must have a nexus to a physical location in order for it to be considered a “place of public accommodation.”
Of course, most direct selling businesses do not sell through brick-and-mortar locations, so it remains to be seen how the law might be applied to those businesses.
Unfortunately, what constitutes a physical location and a nexus to a physical location is arguable and will likely now be even more intensely litigated. Only time will tell, but this approach could prove to be an effective way of disposing of non-meritorious cases early in a lawsuit.
Regardless of the litigation risks, it is a sound strategy and a good investment for businesses to periodically evaluate their website compliance, particularly if they have retail or physical locations, and ensure that they are accessible as required by law.
Is the Company’s Privacy Policy Up to Date, and Does It Comply with All Applicable Laws?
Consumer privacy has become a critical issue over the past several years. Following the European Union’s lead in passing the General Data Protection Regulation (GDPR), several U.S. states have passed robust and broad laws requiring businesses to take steps to protect a consumer’s personal data. These requirements become even broader if a business sells or shares a consumer’s data.
California has one of the most stringent consumer privacy statutes in the United States, and it has a broad reach. California’s law applies to any business that interacts with California residents. Since the California Consumer Privacy Act (CCPA) was originally passed in 2018, it has been amended twice, with the most recent changes becoming mandatory on Jan. 1 (although enforcement will not begin until July).
Now typically referred to as the California Privacy Rights Act (CPRA), the law requires a company to include specific and robust language in its privacy policy and elsewhere, along with links and instructions that allow consumers both to opt out of having their personal information gathered and to request what personal data a company has gathered.
While all the elements of compliance with the various regulatory schemes could each be the subject of articles on their own, the first question a company should ask is, what does its current privacy policy say, and is that policy compliant with the privacy laws in all of the jurisdictions in which it does business? A company’s privacy policy, published on its website’s home page, is the essential baseline document for compliance.
Companies must keep up to date on developments in privacy regulation as more states join the rush to safeguard their citizens’ privacy rights. Though there has long been discussion over a federal statute that arguably could preempt state and local regulation, no such uniform standard is on the horizon.
Given the constantly shifting landscape, companies must be vigilant in ensuring that their privacy policies are up to date and that their websites provide all of the various consents and opt-out options required under the law.
If the Company Offers Auto-ship or Other Subscriptions, Does Its Website Comply with Federal and State Auto Renewal Laws?
The federal government—through the Restore Online Shoppers Confidence Act (ROSCA)—as well as numerous states have laws on their books regulating how companies must disclose subscription-based services, including auto-shipping of products.
California’s Auto Renewal Law (ARL), which has been on the books since 2010 (the same year that ROSCA was enacted), and which was most recently updated in July 2022, is one of the most robust laws in the country.
The ARL requires a variety of very specific disclosures to be made at the point of sale for any subscription, along with the requirement that an email and other follow-up be provided to ensure that the consumer knows how they can cancel the subscription.
In the case of California’s statute, consumers must be given the opportunity to cancel at any time in the same way they signed up for the subscription in the first place (i.e., if a consumer signs up for auto-ship online, they have to be able to cancel online).
Though they differ in the details, other statutes from other jurisdictions are often to similar effect. Accordingly, compliance with auto renewal laws requires attention to detail, and the laws must be followed to make sure that the company complies with the latest guidance.
Each of the areas discussed above can become the basis for individual and collective liability, both directly and potentially through various consumer and disabled persons protection statutes. As a result, if the answer to any of these questions is “no,” those issues should be promptly addressed in order to avoid potential liability.
William M. Miller is a shareholder with the Buchalter law firm and a senior member of the firm’s Multilevel Marketing Industry Practice Group.