What Does My Website Need to Be GDPR/ADA Compliant?
GDPR and ADA are two important legal regimes that companies with websites need to adhere to.
GDPR compliance (General Data Protection Regulation) refers to a set of data protection requirements for companies that process the personal data of individuals in the EU, including through web-based services and products. The main purpose of the GDPR is to protect the privacy of those individuals (the regulation calls them data subjects). The ADA (Americans with Disabilities Act) is a broad US civil-rights law that sets accessibility requirements for businesses and public infrastructure. Websites are treated as falling under the ADA as well, and so must meet accessibility guidelines for people with disabilities. This article describes both of these regimes, who must comply with them, and how to comply.
GDPR is essentially a framework of regulations developed in the EU to enforce responsible handling of personal data. It is built on the seven data protection principles set out in Article 5, listed below:
- Lawfulness, fairness, and transparency: Data subjects must be made aware of how their data will be used.
- Purpose limitation: Data must be collected for a specific reason.
- Data minimization: Only data that is adequate, relevant, and necessary for that purpose may be collected; broad, unrelated data collection is prohibited.
- Accuracy: Data must be accurate and kept up to date; inaccurate data must be corrected or erased without delay, including when a data subject requests it.
- Storage limitation: Data must not be kept in identifiable form for longer than necessary for the purpose it was collected for.
- Integrity and confidentiality: Data must be adequately protected against unauthorized access.
- Accountability: The data controller is responsible for compliance with these principles and must be able to demonstrate it.
GDPR compliance requires that companies collect and store data responsibly. Responsible data collection means that companies must only collect data for a specific and legitimate purpose, and every processing operation must rest on at least one of the lawful bases set out in Article 6 of the GDPR:
- The data subject has given unambiguous consent.
- Processing is necessary to perform a contract with the data subject, or to take steps at their request before entering into one.
- Processing is necessary to comply with a legal obligation.
- Processing is necessary to protect the vital interests of the data subject or another person.
- Processing is necessary for a task carried out in the public interest or in the exercise of official authority.
- Processing is necessary for the legitimate interests of the controller or a third party, except where those interests are overridden by the interests or fundamental rights of the data subject.
According to Article 3(2) and Recital 23 of the GDPR, any company offering goods or services to data subjects in the EU must comply, whether or not any payment is required. Mere accessibility of a website from the EU is not enough on its own; factors such as using an EU language or currency, or referring to EU customers, indicate that the company envisages offering goods or services there and bring it into scope. Monitoring the behaviour of individuals in the EU, for example tracking and analyzing their visits to a website, also brings a company into scope.
Companies that do not comply with the GDPR face administrative fines of up to 20 million euros or 4 % of total worldwide annual turnover for the preceding financial year, whichever is higher. In addition, data subjects who suffer damage as a result can claim compensation from the controller or processor.
Working through a GDPR compliance checklist is the best place to start. The checklist covers the areas listed below:
- Data Security: Data security is critical to preventing unauthorized access to user data. Article 32 names pseudonymisation and encryption as appropriate measures, so encrypt or anonymize user data where practical. Robust internal security policies are also required, including a procedure for reporting personal data breaches to the supervisory authority within 72 hours of becoming aware of them. Where processing is likely to result in a high risk to individuals, a data protection impact assessment must be carried out to understand how user data could be compromised and what safeguards are needed.
- Accountability and Governance: Appoint a Data Protection Officer where the GDPR requires one (and an accountable owner for compliance in any case), and make sure that third parties that process user data on your behalf are bound by a data processing agreement and have adequate protections in place. Companies outside the EU that fall within the GDPR's scope generally must designate a representative within the EU.
- Privacy Rights: It must be simple for users to request access to the data collected about them and to have it corrected. Users must be able to object to, or request restriction of, processing, to receive their data in a portable format, and to request that their data be permanently deleted.
With reference to digital spaces like websites, being ADA compliant refers to how easily people with disabilities can interact with a website's contents. The text of the ADA does not mention websites, but the DOJ (Department of Justice) and many courts treat the websites of businesses open to the public as places of public accommodation, and therefore subject to the ADA. Because the ADA itself contains no technical standard for websites, the WCAG (Web Content Accessibility Guidelines) published by the W3C are the standard the DOJ references in guidance and settlements. Specifically, WCAG 2.1 at conformance level AA is the benchmark generally treated as the minimum for compliance.
Any public-facing website that offers goods or services should comply with the ADA. Failure to do so may expose a company to lawsuits by persons who are unable to use the website effectively because of a disability. While the ADA itself is enforced only in the United States, the WCAG is an internationally recognized standard, and conforming to it helps satisfy the ADA as well as similar laws in other countries. It is still important to consult an attorney in each jurisdiction in which a website will be used to determine the exact legal requirements. Legal exposure aside, enabling more people to use a website can only be beneficial in the long term.
To achieve compliance, follow the WCAG 2.1 guidelines (be aware that the ADA itself contains no precise requirements for websites). WCAG defines three conformance levels:
- Level A: Basic accessibility.
- Level AA: The most common accessibility barriers are addressed. This is the level generally treated as the target for ADA compliance.
- Level AAA: Highest possible level of accessibility.
WCAG itself organizes its success criteria under four principles (perceivable, operable, understandable, robust); for practical purposes the interventions required can be grouped into the five categories below:
- Alternatives: There must be alternatives for non-text and time-based content, e.g., text alternatives (alt text) for images and captions for video, so that screen readers and other assistive technology can convey the content.
- Presentation: Do not use color as the only means of conveying information, so that users with color blindness are not excluded; normal-size text must have a contrast ratio of at least 4.5:1 against its background (3:1 for large text) at level AA; content must be presented in a meaningful order; and text must remain usable when resized up to 200 %.
- User Control: All functionality must be operable from the keyboard, and users must never be trapped in one part of the page without a keyboard way out. Any time limits must be adjustable or removable.
- Understandability: Pages must have a meaningful title, headings must be descriptive, and the language of the page (and of any passages in another language) must be declared in the markup so that assistive technology can determine it.
- Predictability: Receiving focus or changing a control's value must not automatically change the context, e.g., a form must not submit itself when a drop-down changes; the user presses an explicit submit button. Labels and instructions, including any required input format, must be made clear.
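Several of the criteria above are measurable, so part of an audit can be automated. The script below is an added example written for this article, not code from the original page or from the W3C: it implements the WCAG 2.1 relative-luminance and contrast-ratio formulas from the Presentation category and runs a handful of static markup checks (page title, declared language, image alt text, form labels, on-change form submission) over a constructed sample page. In a browser the same checks would run over the live DOM with document.querySelectorAll; here the HTML is a string and the element scanning is regex-based so the script runs in Node without dependencies. The regexes are an assumption and a simplification, not a real HTML parser.

```javascript
// Added example: offline WCAG 2.1 checks. Not part of the original article.

// --- Presentation: colour contrast (WCAG 2.1 SC 1.4.3) ---------------------

// Relative luminance of an sRGB colour, as defined in WCAG 2.1.
function relativeLuminance(hex) {
  const m = /^#?([0-9a-f]{6})$/i.exec(hex.trim());
  if (!m) throw new Error(`unsupported colour: ${hex}`);
  const channels = [0, 2, 4].map((i) => parseInt(m[1].slice(i, i + 2), 16) / 255);
  const [r, g, b] = channels.map((c) =>
    c <= 0.03928 ? c / 12.92 : ((c + 0.055) / 1.055) ** 2.4
  );
  return 0.2126 * r + 0.7152 * g + 0.0722 * b;
}

// Contrast ratio (L1 + 0.05) / (L2 + 0.05) with L1 the lighter colour; ranges 1..21.
function contrastRatio(fg, bg) {
  const l1 = relativeLuminance(fg);
  const l2 = relativeLuminance(bg);
  const [hi, lo] = l1 >= l2 ? [l1, l2] : [l2, l1];
  return (hi + 0.05) / (lo + 0.05);
}

// AA requires 4.5:1 for normal text and 3:1 for large text; AAA requires 7:1 and 4.5:1.
function meetsContrast(fg, bg, { level = "AA", largeText = false } = {}) {
  const threshold = level === "AAA" ? (largeText ? 4.5 : 7) : largeText ? 3 : 4.5;
  return contrastRatio(fg, bg) >= threshold;
}

// --- Alternatives / Understandability / Predictability: static markup checks --

// Returns a list of human-readable findings; an empty list means all checks passed.
function auditHtml(html) {
  const findings = [];

  // SC 2.4.2: every page needs a non-empty <title>.
  const title = /<title[^>]*>([\s\S]*?)<\/title>/i.exec(html);
  if (!title || title[1].trim() === "") findings.push("missing or empty <title>");

  // SC 3.1.1: the document language must be programmatically determinable.
  if (!/<html[^>]*\slang\s*=\s*["'][^"']+["']/i.test(html)) {
    findings.push("<html> has no lang attribute");
  }

  // SC 1.1.1: every <img> needs an alt attribute (alt="" marks a purely decorative image).
  for (const tag of html.match(/<img\b[^>]*>/gi) || []) {
    if (!/\salt\s*=/i.test(tag)) findings.push(`img without alt: ${tag}`);
  }

  // SC 3.3.2: every user-editable input needs a label (<label for=id> or aria-label*).
  for (const tag of html.match(/<input\b[^>]*>/gi) || []) {
    const idMatch = /\sid\s*=\s*["']([^"']+)["']/i.exec(tag);
    const typeMatch = /\stype\s*=\s*["']([^"']+)["']/i.exec(tag);
    const type = typeMatch ? typeMatch[1].toLowerCase() : "text";
    if (["hidden", "submit", "button", "reset"].includes(type)) continue;
    // Assumes ids contain no regex metacharacters (true for the constructed sample).
    const labelled =
      /\saria-label(?:ledby)?\s*=/i.test(tag) ||
      (idMatch !== null &&
        new RegExp(`<label\\b[^>]*\\sfor\\s*=\\s*["']${idMatch[1]}["']`, "i").test(html));
    if (!labelled) findings.push(`input without label: ${tag}`);
  }

  // SC 3.2.2: a <select> that submits its form on change changes context without user action.
  for (const tag of html.match(/<select\b[^>]*>/gi) || []) {
    if (/\sonchange\s*=\s*["'][^"']*submit\(\)/i.test(tag)) {
      findings.push(`select submits its form on change: ${tag}`);
    }
  }
  return findings;
}

// Constructed sample page (not a real site) that trips each check once.
const SAMPLE_HTML = `
<html>
  <head><title></title></head>
  <body>
    <img src="logo.png">
    <img src="spacer.gif" alt="">
    <form>
      <label for="email">Email</label>
      <input id="email" type="email">
      <input id="phone" type="tel">
      <select onchange="this.form.submit()"><option>EN</option></select>
      <input type="submit" value="Send">
    </form>
  </body>
</html>`;

console.log(`#767676 on white: ${contrastRatio("#767676", "#ffffff").toFixed(2)}:1, AA pass=${meetsContrast("#767676", "#ffffff")}`);
console.log(`#777777 on white: ${contrastRatio("#777777", "#ffffff").toFixed(2)}:1, AA pass=${meetsContrast("#777777", "#ffffff")}`);
for (const finding of auditHtml(SAMPLE_HTML)) console.log("FAIL:", finding);
```

The two greys illustrate how narrow the contrast margin can be: #767676 on white is roughly 4.54:1 and passes AA for normal text, while #777777 is roughly 4.48:1 and fails. Checks like these catch only the mechanically verifiable criteria; keyboard traps, meaningful reading order, and the quality of alt text and headings still need a human with a keyboard and a screen reader.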
Automated checkers only cover part of WCAG, so it is recommended to hire an accessibility consultant and to test manually with a keyboard and a screen reader to ensure a website is compliant.
Protecting user data and allowing people with disabilities to access your website make for an overall better online experience for everyone. Building websites with both GDPR and ADA in mind will not only protect your company from potential legal challenges and fines but will also drive more potential customers to your business.