Penalties for Not Complying With GDPR, CCPA, and Accessibility of Sites

The Americans with Disabilities Act (ADA), California Consumer Privacy Act (CCPA), and General Data Protection Regulation (GDPR) are standards to which all businesses are held accountable. With high awareness of these acts, website owners are actively taking steps to be compliant with all the relevant laws, policies, acts, and regulations. This article will be discussing these regulations in order to help keep you informed as to how they may apply to your business, as well as the possible complications and penalties if you fail to comply with these acts.

What is ADA & ADA compliance for websites?

ADA is the abbreviation which means the American with Disabilities Act. This act was first signed into law on July 26,1990. It was created to prevent discrimination against individuals with disabilities, and brought about many important updates, such as wheelchair-accessible entrances, wheelchair-accessible restrooms, and telephone options for individuals who are hearing impaired or have speech difficulties. During the ‘90s, the internet was just beginning to gain in popularity, and accessibility concerns were not yet apparent. Times have changed, and the internet has become a staple in most people’s lives. Consequently, problems for individuals with disabilities have arisen since they are unable to use websites in the same manner. While specific laws like the initial ADA law are not in place, some guidelines are considered to be the gold standard for website accessibility. They outline everything that designers and developers need to consider while creating a website. Some examples include:

• Color contrast – The contrast between the text and the background color should maintain a marked difference in order for visually impaired individuals to recognize a distinction. 
• Resizing text – The text on a webpage needs to be resizable. Ideally, this modification should be possible while still maintaining the overall design. 
• Keyboard instead of a mouse-  A website needs to be completely accessible by using a keyboard, namely the ‘tab’ key to scroll through a website, as some people are unable to use computer mice due to mobility issues.
• Remove time restrictions – Whenever possible, removing all time restrictions or allowing a user to extend the time to interact is a must. Some users might move slowly due to a disability and a form should not keep resetting on them. There are some exceptions, including timed tests but these have specific rules around them.
• Correct headings and labels – Using HTML elements correctly is imperative to enabling screen readers to do their job properly, as it is essential to make sure that it can scan through the website and tell a user what the headline text is, and what should go in each form field.
• Don’t require movement – A website should not require users to move a mouse to click on something.

SEO and ADA compliance go hand to hand 

While screen readers use alt tags and captions to identify and read the image appropriately to visually impaired users, search bots use them too for the means of determining the contents of an image. For ADA compliance, videos you share on your website need to have a readable transcript. This will also supply search engines with keyword-rich text, which incidentally also serves as a positive gain for your website traffic. 

What is CCPA?

CCPA is a data privacy law that establishes new consumer rights for California state residents relating to access, deletion, and sharing of personal information that is collected by businesses.

Consumers have the right to know what companies are doing with their personal data. In order for businesses to achieve CCPA compliance, they must disclose their data collection and sharing practices to consumers. Consumers must be allowed to exclude their data from being shared with third parties. This is why companies need to update their privacy policies. In addition, they must have a visible footer on their website with the ability to opt-out of data sharing.

CCPA applies to any business in California. It also applies to companies that conduct business in the state of California, or whose customers (or potential customers) are residents of, and meet one of the following criteria:

• Annual gross revenue of more than $25 million
• The organization receives, shares, or sells the personal information of more than 50,000 individuals
• A company earns 50% or more of its annual revenue from selling the personal information of consumers

The major provisions of CCPA are:

• The right to know what information is being collected, where and how it was sourced, how this data is being processed once collected, what part of the information is being sold (if any), and to whom is the data going to be sold.
• The right to decline allowing a business or a company to sell their personal data to another business or any third party.
• The right to request the business to delete any personal data that was collected from them if they refuse this data to be stored in the business’s database, with some exceptions.
• The right to equal services and disclosure requirements while they are exercising their privacy rights under this Act.

What are the penalties for non-complying with CCPA?

CCPA law determines that all violators and non-compliant parties will be penalized with monetary fees and may also result in the loss of clients and business reputation. As you can see, these penalties are serious and hard to ignore. The non-complying businesses may face:

• Private Enforcement – If consumers opt out of such a sale, but their data is sold knowingly and willfully, they are given private actions under the CCPA. Statutory damages range between $1000 and $3000, or actual damages, whichever is greater. This means that consumers can file class-action suits for privacy losses without requiring them to show any evidentiary loss of property or money.
• Governmental Enforcement – The State’s Attorney General or municipalities can enforce the law, and are expected to file a civil case against any business, company, or party that will not comply with the CCPA guidelines after being issued a 30 days notification. Businesses have 30 days to cure any alleged non-compliance. If they are still non compliant following the 30 days notification, they could be liable to pay fines of up to $7,500 per violation.
• Consumer Enforcement – Consumers may recover damages of not less than $100 and not greater than $750 per consumer per incident, or actual damages, whichever is greater, or injunctive or declaratory relief, or any other relief the court deems proper. 

The fines for CCPA are not as costly as the GDPR, but sizable data breaches for thousands of consumers easily add up. For example, if a business violated the rights of 10,000 consumers, penalties for non-compliance could reach a staggering $7,500,000.

What is GDPR?

The General Data Protection Regulation is considered to be the most significant change in data privacy laws in over 20 years. It was the starting point for the CCPA, both are centered around personal data and what businesses are allowed to do with it. Just like the CCPA, GDPR applies to you regardless of where your business is based, where you process your data, or where you store your data. If you are advertising to, or doing business with individuals, including travelers, within the European Union (EU) or the UK, GDPR applies. Simply put, the GDPR gives individuals within the EU and UK the opportunity to consent to specific uses of their data.

The rules state that businesses must explain consent in an easy-to-understand and easily accessible format. Consent cannot be provided in a pre-checked box and cannot be a requirement for a completely separate process. Also, consent must have an expiration date after which it has to be re-attained. Besides consent, GDPR compliance includes other rights for EU and UK residents. Data breach notification and the right to data erasure are covered by this as well. 

GDPR applies to businesses that have:

• A presence in an EU country
• No presence in the EU, but processes personal data of EU residents
• More than 250 employees
• Fewer than 250 employees, but its data-processing impacts the rights and freedoms of data subjects, is not occasional or includes certain types of sensitive personal data.

The major provisions of GDPR are:

• The right to be informed
• The right of access
• The right to rectification
• The right to be forgotten
• The right to restrict processing
• The right to data portability
• The right to object
• Rights in relation to automated decision making and profiling

What are the penalties for non-complying with GDPR?

The GDPR sets a maximum fine of 20 million euros or 4% of annual global turnover, whichever is greater. However, not all DGPR infringements lead to data protection fines, as supervisory authorities can take other actions like:

• Issuing warnings and reprimands
• Imposing a temporary or permanent ban on data processing
• Ordering the rectification, restriction or erasure of data
• Suspending data transfers to third countries

What is the maximum GDPR fine?

There are two tiers of an administrative fine for non-compliance with the GDPR:

• Up to 10 million euros, or, in case of an undertaking, 2% of annual global turnover, whichever is greater
• Up to 20 million euros, or, in the case of an undertaking, 4% of annual global turnover, whichever is greater

As GDPR breach fines are discretionary, they are imposed on a case-to-case basis and should be effective, proportionate, and dissuasive. The lower level of penalties can be issued for infringements of articles:

• 8 – conditions for children’s consent
• 11 – processing that doesn’t require identification
• 25 – 39 – general obligations of processor and controllers
• 42 – certification
• 43 – certification bodies

The higher level penalties can be issued for infringements of articles:

• 5 – data processing principles
• 6 – lawfulness of processing
• 7 – conditions for processing
• 9 – the processing of special categories of data
• 12 – 22 – data subject’s rights
• 44 – 49 – data transfers to third countries or international organizations

What is considered to be personal data?

According to DataPrivacyLaw.com, personal data refers to “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

Personal information includes, but is not limited to: 

• Identifiers, such as a real name, alias, postal address and geolocation data, unique personal identifier, online identifier IP address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
• Characteristics of protected classifications under federal law.
• Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
• Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement.
• Professional (employment-related information) and education information, defined as information that is not publicly available, personally identifiable as defined in the Family Educational Rights and Privacy Act.
• Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

Personal information doesn’t include information that is publicly available, which means lawfully made available whether through federal, state, or local government records, provided no conditions are associated with information as such. Also, “publicly available” doesn’t include biometric information that a company or business collects without the consumer’s knowledge.

To translate into common language, personal data includes:

• Real name
• Postal address
• unique personal identifier
• IP address
• Email address
• Account name
• Social security number
• Driver’s license number
• Passport number
• Biometric data
• Browsing history
• Employment or educational data, etc.

What should businesses and marketers do?

Besides following all the regulations necessary to comply with these acts, businesses need to make sure they are ready and willing to clear all the data collected from residents upon request. However, there are occasions when a business can keep the data despite a customer’s request. This can only happen if:

• The information is needed to debug and/or repair errors that affect current intended functionality
• The customers’ details are necessary for companies to exercise free speech, or if businesses need to make sure another consumer’s right is exercised as provided for by law
• The information is of public interest, whether for historical, scientific, or statistical research purposes
• Businesses need the data to comply with policies and laws

While we can’t argue with the fact that technology has made our lives easier, we must remain cognizant of the potential negatives that it’s daily use may have on us. If there were no regulations about the use and selling of our personal data, it could be misused in ways one wouldn’t want to even begin to imagine. This is why it is critical to follow the GDPR, CCPA, and ADA guidelines. Our motivation should not only be avoiding penalties for non-compliance, but also working together to make the internet a safer and friendlier place for all users.