website on laptop

Websites: A growing compliance concern

Author: Jackson Lewis P.C.

Websites play a vital role for organizations. They facilitate communication with consumers, constituents, patients, employees, donors, and the general public. They project an organization’s image and promote goodwill, provide information about products and services and allow for their purchase. Websites also inform investors about performance, enable job seekers to view and apply for open positions, and accept questions and comments from visitors to the site or app, among many other activities and functionalities. Because of this vital role, websites have become an increasing subject of regulation making them a growing compliance concern.

Currently, many businesses are working to become compliant with the California Consumer Privacy Act (“CCPA”) which, if applicable, requires the conspicuous posting of a detailed privacy policy on a business’s website. But, the CCPA is not the first nor will it be the last compliance challenge for organizations that operate websites and other online services. An growing compliance burden has led to a wide range of operational and content requirements for websites. The push for CCPA compliance and responding to the flood of ADA accessibility litigation may cause more organizations to revisit their websites and, in the process, uncover a range of other issues that have crept in over the years.

What are some of these requirements?

AI – Artificial Intelligence. Organizations are increasingly leveraging automated decision-making tools to enhance their businesses in a range of areas, including employment. Needless to say, artificial intelligence (AI) and similar technologies, which power these tools, is being targeted for regulation. For example, the New York City Council passed a measure that subjects the use of automated decision-making tools to several requirements. One of those requirements is a “bias audit.” Employers that intend to utilize such a tool must first conduct a bias audit and must publish a summary of the results of that audit on their websites. We cover more about NYC Local Law 144 here.

ADA Accessibility. When people think about accommodating persons with disabilities, they often are drawn to situations where a person’s physical movement in a public place is impeded by a disability – stairs to get into a library or narrow doorways to use a bathroom. Indeed, Title III of the Americans with Disabilities Act grants disabled persons the right to full and equal enjoyment of the goods, services, facilities, privileges, advantages, or accommodations of any place of public accommodation. Although websites were not around when the ADA was enacted, they are now, and courts are applying ADA protections to those sites. The question is whether a website or application is accessible.

Although not yet adopted by the Department of Justice, which enforces Title III of the ADA, guidelines established by the Website Accessibility Initiative appear to be the more likely place courts will look to access the accessibility of a website to which Title III applies. State and local governments have similar obligations under Title II of the ADA, and those entities might find guidance here.

HIPAA…and tracking technologies, pixels. For anyone who has had their first visit to a doctor’s office, they likely were greeted with a HIPAA “notice of privacy practices” and asked to sign an acknowledgement of receipt. Most covered health care providers have implemented this requirement, but may not be aware of the website requirement. HIPAA regulation 45 CFR 164.520(c)(3)(i) requires that covered entities maintaining a website with information about the entity’s customer services or benefits must prominently post its notice of privacy practices on the site and make the notice available electronically through site.

Beyond the notice posting requirement, websites of HIPAA covered entities and business associates have operational issues to consider. In December 2022, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a bulletin with guidance concerning the use of online tracking technologies by covered entities and business associates under HIPAA. The OCR Bulletin follows a significant uptick in litigation concerning these technologies in industries including but not limited to the healthcare. For healthcare entities, the allegations relate to the sharing of patient data obtained from patient portals and websites. We do a deeper dive into this issue here.

COPPA. The Children’s Online Privacy Protection Act (COPPA) was enacted to give parents more control concerning the information websites collect about their children under 13. Regulated by the Federal Trade Commission (FTC), COPPA requires websites and online services covered by COPPA to post privacy policies, provide parents with direct notice of their information practices, and get verifiable consent from a parent or guardian before collecting personal information from children. COPPA applies to websites and online services directed to children under the age of 13 that collect personal information, and to sites and online services geared toward general audiences when they have “actual knowledge” they are collecting information from children under 13. Find out more about compliance here.

FTCA and more on tracking technologies. Speaking of the FTC, that agency also enforces the federal consumer protection laws, including section 5 of the Federal Trade Commission Act (FTCA) which prohibits unfair and deceptive trade practices affecting commerce. When companies tell consumers they will safeguard their personal information, including on their websites, the FTC requires that they live up these promises. Businesses should review their website disclosures to ensure they are not describing privacy and security protections that are not actually in place.

Further to the issue of website tracking technologies noted above under HIPAA, the FTC took enforcement action against digital healthcare companies for sharing user information vie third-party tracking pixels, which enable the collection of user data. However, the FTC’s new focus highlights that issues with pixel tracking are not only a concern for covered entities and business associates under HIPAA.

ACA – Transparency in Coverage. Pursuant to provisions in the Consolidated Appropriations Act, 2021, the Departments of Labor, Health and Human Services, and the Treasury issued regulations to implement the Transparency in Coverage Final Rules. The Final Rules require certain health plans and health insurance issuers to post information about the cost to participants, beneficiaries, and enrollees for in-network and out-of-network healthcare services through machine-readable files posted on a public website. The Final Rules for this requirement are effective for plan years beginning on or after January 1, 2022 (an additional requirement for disclosing information about pharmacy benefits and drug costs is delayed pending further guidance).

Comprehensive State Privacy Laws, including the CCPA. As mentioned above, a CCPA-covered business that maintains a website must post a privacy policy on its website through a conspicuous link on the home page using the word “privacy,” on the download or landing page of a mobile application. That is not all. The website must also provide certain mechanisms for consumers (including employees and applicants) to contact the business about their CCPA rights, such as the right to require deletion of their personal information, and the right to opt-out of the sale of personal information. The latter must be provided through an interactive webform accessible via a clear and conspicuous link titled “Do Not Sell My Personal Information,” or “Do Not Sell My Info.” Several of these requirements have been enhanced beginning in 2023 under the California Privacy Rights Act.

Since we originally published this post, five other states have enacted a similar data privacy framework – Colorado, Connecticut, Iowa, Utah, and Virginia. For organizations subject to those law, additional work may be needed on their privacy policies to comply.

CalOPPA. Even if an organization is not subject to the CCPA, it still may be subject to the California Online Privacy Protection Act (CalOPPA). CalOPPA requires certain commercial operators of online services, including websites and mobile and social apps, which collect personally identifiable information from Californians to conspicuously post a privacy policy. Privacy policies should address how companies collect, use, and share personal information. Companies can face fines of up to $2,500 each time a non-compliant app is downloaded.

Delaware and Nevada. In 2016, Delaware became the second state to have an online privacy protection act, requiring similar disclosures to those under CalOPPA. Nevada enacted website privacy legislation of its own. First, like DelOPPA and CalOPPA, NRS 603A.340 requires “operators” to make a privacy notice reasonably accessible to consumers through its Internet website or online service. That notice must, among other things, identify the categories of covered information the operator collects through the site or online service about consumers who use or visit the site or service and the categories of third parties with whom the operator may share such covered information. In general, an operator is a person who: (i) owns or operates an Internet website or online service for commercial purposes; (ii) collects and maintains covered information from consumers who reside in this State and use or visit the Internet website or online service; and (iii) engages in any activity that constitutes sufficient nexus with this State, such as purposefully directing its activities toward Nevada. Effective October 1, 2019, Nevada added to its website regulation by requiring operators to designate a request address on their websites through which a consumer may submit a verified request to opt out of the sale of their personal information.

California’s Fair Chance Act. This is California’s version of the “ban the box” law, those law enacted in many states which generally prohibit employers from asking job applicants about criminal convictions before making a conditional job offer. In California, the law imposes similar restrictions on employers with five or more employees. Why is this a website requirement?

Recently, the state’s Department of Fair Employment and Housing (DFEH) announced new efforts to identify and correct violations of the statute by using technology to conduct mass searches of online job advertisements for potentially prohibited statements. The DFEH deems blanket statements in job advertisements indicating that the employer will not consider anyone with a criminal history to be violative of the statute. In its press release, the DFEH states in one day of review it found over 500 job advertisements with statements that violate the statute. The DFEH has released a new Fair Chance Toolkit, that includes sample forms and guides, and employers should also consider reviewing the descriptions of job opportunities on their websites.

California Transparency in Supply Chains Act. California seeks to curb slavery and human trafficking by making consumers and businesses more aware that the goods and products they buy could be supporting the commission of these crimes. To do so, the Transparency in Supply Chains Act requires large retailers and manufacturers to provide consumers with information regarding their efforts to eradicate slavery and human trafficking from their supply chains. This information must be conspicuously provided on the company’s website (or provided in writing if it does not have a website). To be subject to the law, a company must (a) identify itself as a retail seller or manufacture in its tax returns; (b) satisfy the legal requirements for “doing business” in California; and (c) have annual worldwide gross receipts exceeding $100,000,000. To assist with compliance, the state has published a Resource Guide and Frequently Asked Questions.

GDPR. In 2018, the European Union’s General Data Protection Regulation (GDPR) became effective in 2018 and reached companies and organizations globally. In general, organizations subject to the GDPR which collect personal data on their websites must post a privacy policy on their website setting for the organization’s privacy practices.

Not-For-Profits, Donors, and Ratings. A donor’s decision to contribute to an organization is significantly affected by that organization’s reputation. To assist donors, several third-party rating sites, such as Charity Navigator, the Wise Giving Alliance, and CharityWatch, do much of the legwork for donors. They collect large amounts of data about these organizations, such as financial position, use of donated funds, corporate governance, transparency, and other practices. They obtain most of that data from the organizations’ Forms 990 and websites, where many organizations publish privacy policies.

Rating sites such as Charity Navigator base their ratings on comprehensive methodologies. A significant component of Charity Navigator’s rating, for example, relates to accountability and transparency, made up of 17 categories. A review of an organization’s website informs five of those 17 categories, namely (i) board members listed, (ii) key staff listed, (iii) audited financials published, (iv) Form 990 published, and (v) privacy policy content. Addressing some of these issues on an organization’s website could help boost its ratings and drive more contributions.

This is by no means an exhaustive list of the regulatory requirements that may apply to your website or online service. Organizations should regularly revisit their websites not just to add new functionality or fix broken links. They should have a process for ensuring that the sites or services meet the applicable regulatory requirements.

 

DISCLAIMERS
JACKSON LEWIS P.C. (“FIRM”) PROVIDES THE INFORMATIONIN THIS POST FOR GENERAL INFORMATIONAL PURPOSES ONLY. THIS POST SHOULD NOT BE RELIED UPON OR REGARDED AS, LEGAL ADVICE. NO ONE ACCESSING OR REVIEWING THIS POST, WHETHER OR NOT A CURRENT CLIENT OF THE FIRM, SHOULD ACT OR REFRAIN FROM ACTING ON THE BASIS OFSUCH CONTENT OR INFORMATION, WITHOUT FIRST CONSULTING WITH AND ENGAGING A QUALIFIED, LICENSED ATTORNEY, AUTHORIZED TO PRACTICE LAW IN SUCH PERSON’S PARTICULAR STATE, CONCERNING THE PARTICULAR FACTS AND CIRCUMSTANCES OF THE MATTER AT ISSUE. THE POST MAY NOT REFLECT CURRENT LEGAL DEVELOPMENTS, OR LAWS OR RULES THAT MAY APPLY IN PARTICULAR JURISDICTIONS. THE FIRM AND ITS LAWYERS EXPRESSLY DISCLAIM ALL LIABILITY IN CONNECTION WITH ACTIONS TAKEN OR NOT TAKEN BASED ON ANY OR ALL OF THE CONTENTS OR INFORMATION ACCESSIBLE THROUGH THIS SITE. ANY INFORMATION ABOUT PRIOR RESULTS ATTAINED BY THE FIRM OR ITS LAWYERS IS NOT A GUARANTEE OR WARRANTY THAT A SIMILAR OUTCOME WILL BE ACHIEVED. THE FIRM IS NOT RESPONSIBLE FOR THE CONTENT, OPERATION, LINKS OR TRANSMISSIONS, OR ANY INFORMATION PROVIDED ON ANY OTHER PART OF BLR®, A DIVISION OF SIMPLIFY COMPLIANCE LLC’S WEBSITE OR ANY THIRD-PARTY WEBSITE WHICH MAY BE ACCESSED BY A LINK FROM THIS WEBSITE. NOTHING PROVIDED BY THE FIRM IS INTENDED TO FORM, AND WILL NOT CREATE, AN ATTORNEY-CLIENT RELATIONSHIP. THIS POST MAY BE CONSIDERED ATTORNEY ADVERTISING UNDER THE RULES OF SOME STATES. THE HIRING OF AN ATTORNEY IS AN IMPORTANT DECISION THAT SHOULD NOT BE BASED SOLELY UPON ADVERTISEMENTS. STATEMENT IN COMPLIANCE WITH TEXAS RULES OF PROFESSIONAL CONDUCT: UNLESS OTHERWISE INDICATED IN INDIVIDUAL ATTORNEY BIOGRAPHIES, LAWYERS RESIDENT IN THE FIRM’S VARIOUS OFFICES ARE NOT CERTIFIED BY THE TEXAS BOARD OF LEGAL SPECIALIZATION.