How To Stay Compliant: Running a Website


Laws like the Americans with Disabilities Act (ADA), the General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA) make owning a noncompliant website a costly mistake. This article covers some of the aspects of remaining compliant when running a website in the United States.

💡
Shorey IT does not offer legal advice. You should contact a lawyer before finalizing any legal documents or policies.

Lawsuits


Some courts have held that websites are places of public accommodation. This means accessibility law and other laws apply to them, and not following those laws could result in hefty legal fees.

For instance, the Ninth Circuit Court of Appeals in Robles v. Domino’s Pizza, LLC held that the ADA applies to a company’s website and mobile applications, reasoning that the ADA applies to the services of a place of public accommodation and is not limited to services in a place of public accommodation. [2]

It has been made clear that websites are expected to follow the same laws as physical public places, but the guidance for following those laws is not so direct. There are the Web Content Accessibility Guidelines (WCAG), but with multiple versions, many success criteria, and lengthy rules that change often, it is hard for someone to learn it all while juggling the responsibilities of running a business.

WCAG

The Web Content Accessibility Guidelines, published by the W3C's Web Accessibility Initiative, are a standard that explains how to make web content more accessible for people with disabilities. WCAG is the standard most often cited when judging whether a website meets the ADA, and it has three levels of conformance (A, AA, and AAA), with "AAA" being the highest. [3] Many healthcare and government agencies follow these guidelines to stay compliant, and for good reason: over 1 million Americans are blind, and over 12 million have a vision impairment. [4]

You can read the WCAG guidelines on the W3C's website. [3]

ADA


The Americans with Disabilities Act is the law that (in the United States) is sometimes used to argue that a poorly designed website or online service is discriminatory towards people with disabilities. Since a website can be considered a public accommodation, failing to follow accessibility guidelines could be seen by a judge as discriminating against disabled people, because they cannot use the service properly or are not given equivalent accommodations.

The ADA also prohibits discrimination against people with disabilities in several other areas, including employment, transportation, public accommodations, communications, and access to state and local government programs and services.

GDPR/CCPA


The General Data Protection Regulation, or GDPR, was drafted and passed by the European Union (EU), but it imposes obligations on organizations anywhere in the world, so long as they offer goods or services to, or monitor the behavior of, people in the EU.

The GDPR covers topics like data processing, personal data, data controllers, and data processors. The California Consumer Privacy Act is a similar law in the United States that applies even if your business is not located in California: it covers for-profit businesses that do business in California and meet one of the law's revenue or data-volume thresholds, including businesses whose only connection to the state is that their products or services are sold to or used by people in California.

Following the GDPR covers much of what the CCPA requires, although there are several key differences. For instance, the CCPA applies to "consumers" (California residents only), whereas the GDPR applies to "data subjects". The CCPA also applies to entire households, whereas the GDPR does not.

Difference in Location

As described above, location is an important factor when determining compliance. A local coffee shop in Maine with no website does not need to follow the CCPA. However, a coffee manufacturer in Maine that ships to California could be held liable for noncompliance with the CCPA if it meets the law's thresholds.

Targeted Users

Who the business targets is a very important part of the equation, and one that is often misunderstood. You do not need to advertise to EU users directly for the GDPR to apply: simply being reachable from the EU is not enough on its own, but if your service is offered to, or used by and tracks, people in the European Union, you need to take a closer look at the regulation.

Stored Data


Where you store your data is very important when it comes to data protection. Knowing where your data lives is the first step to figuring out how to secure it. Do you use online services like Dropbox or Google Drive? Do you keep your flash drives and portable hard drives in a safe or lockbox?

Physical access to data is just as important as, if not more important than, digital access. A bad actor could easily install a backdoor on an unguarded server in an unlocked closet, or simply walk off with the physical media to decrypt and process later. Full-disk encryption on servers, laptops, and portable drives limits the damage when media is stolen, but it does not replace physical controls.

Hosting your servers through a cloud provider does not remove your compliance obligations, and it is much harder to track where your data lives that way. Some hosting providers, like Linode, advertise HIPAA and HITECH compliance; note that there is no official HIPAA certification, so what matters in practice is whether the provider will sign a Business Associate Agreement (BAA) with you and which of its services the agreement covers.

Certifications like HIPAA/HITECH


The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge. [5] To oversimplify, it applies to healthcare providers, health plans, and clearinghouses, and to the business associates that process health information on their behalf.

These regulations are mandatory if your business is in healthcare, but they usually do not apply if you never handle patient information; following them in that case is optional.

Is it Expensive?

It is easy to spend thousands on compliance and still be subject to a lawsuit. The amount you spend is less important than whether you are able to stay compliant with all applicable laws. Local, state, and federal laws change often, so it is important to look up your state to see which laws apply to you. A good place to get started is your state government's website. You can also run a compliance audit and get a detailed report of what to improve. If you have a website developed by Shorey IT, you can opt in to certain levels of compliance, up to and including HIPAA compliance.

Sources

[1] https://www.adatitleiii.com/2021/02/the-pandemic-slowed-2020-federal-ada-title-iii-filings-but-2021-may-be-a-record-breaker/

[2] https://www.rjo.com/publications/website-accessibility-lawsuits-continue-to-inundate-california-courts-despite-covid-19/

[3] https://www.w3.org/WAI/standards-guidelines/wcag/

[4] https://www.cdc.gov/visionhealth/basics/ced/fastfacts.htm

[5] https://www.cdc.gov/phlp/publications/topic/hipaa.html