Website Compliance Primer

website compliance

What is Website Compliance?

Website compliance on the surface seems very straightforward. It is the practice of building and maintaining a website to be in compliance with any and all relevant requirements, legal or otherwise. 

But the subject is actually a good deal more complicated than that due to a number of factors. For starters, the landscape of website governance is a mishmash of legal requirements, industry standards and best practices. And, as we’ve seen in the last couple of years, the landscape is changing rapidly, particularly in the area of consumer and data privacy.

Add to that the ambiguous nature of the main driver of website compliance in the US, namely the Americans with Disabilities Act (ADA). Passed in 1990, this legislation pre-dates the internet and is being interpreted differently by judges ruling on lawsuits regarding website accessibility. Coupled with that is the fact that the guidelines website builders follow to comply with the ADA, the Website Content Accessibility Guidelines (WCAG), are just that, guidelines. And these guidelines were created by an international consortium known as the W3C, not a government agency.

Then, to make things even less clear, many of the standards for websites today are driven by two mega-tech-companies. Google and Microsoft run the two most frequented search engines in the world (and we’re really talking about Google with 92% of the market, MS Bing sits in second place with 2%) and when they decide to change their search algorithms to favor sites that are mobile-friendly, secure or faster, diligent website owners fall in line and comply.

Lastly, website compliance also depends on the type of business you have. For example, a small business with a basic ‘brochure’ site serving a small market has very different compliance requirements than a large, multinational company with transactional websites serving large sections of the globe. 

Suffice it to say, it’s complicated and we’re not going to untangle it all in this short article. Instead let’s just take a look at some of the basics.

Types of Website Compliance

There are three main types of requirements for websites. They are:

Accessibility; whether or not your website accommodates the needs of disabled visitors. For the US and EU, this means adhering to the WCAG 2.1 level A or AA standards. 

Data Privacy; how your website (and your business) collect, transmit and use the data that you collect from your site’s visitors. In the EU, the rules are laid out in GDPR. In the US the rules are being defined on a state-by-state basis. California’s privacy law is the CCPA. Nevada’s is SB220. And Washington State’s is WaPA. Expect new legislation from Oregon, New York, Virginia and other states in 2020. 

Security; how your website is configured from a security standpoint, including how you store data on your web servers and how data are transmitted to and from those servers. Security requirements will vary depending on industry and what your website does. Examples are PCI DSS which sets security requirements for online banking (i.e. credit card payments, etc.) and HIPAA, which sets requirements for the processing of personal health information. 

And then there’s the fourth, lesser type of website compliance (and one with no legal ramifications): 

Search Engine Standards; how your website is perceived by Google, Bing or Yahoo! based on criteria that they deem to be important or relevant to their users. For example, Google penalizes websites (i.e. lowers their rankings in search results) that are not mobile-friendly, not secure or that load slowly.   

Regulations and Standards that Apply to Websites

GDPR; the European Union’s much-talked-about General Data Protection Regulation

CCPA; California’s data privacy law, the California Consumer Privacy Act

SB220; Nevada’s data privacy law, in effect since October 1, 2019

WaPA; Washington State’s Privacy Act, due to go into effect July 31, 2021

HIPAA; the Health Insurance Portability and Accountability Act 

PCI DSS; a set of standards for online credit card processors, the Payment Card Industry Digital Security Standards

ADA/WCAG; the American’s with Disabilities Act and the accompanying Website Content Accessibility Guidelines

Directive (EU) 2016/2102; the European Union’s website accessibility directive, part of the larger European Accessibility Act

FISMA; the Federal Information Security Modernization Act

(NOTE: This is not intended to be a comprehensive list of website regulations and requirements.)

Who needs to comply?

Each regulation above targets a range of organizations, geographical regions or industry sectors. For example, the GDPR is a requirement only for businesses marketing to EU members and the CCPA only for businesses marketing to Californians. 

However, in each of these regulations, there are more specific criteria describing what types of entities must comply. Before proceeding with making your website compliant (or not), take a close look at the regulation language to see if your website falls under its purview. Even though you are doing business in Europe or California, your website may not meet the threshold for complying with those regulations.

Are these regulations enforced?

That depends. Some are and some aren’t and the type of enforcement depends on the type of compliance. 

The GDPR is being enforced by the EU courts and has enacted stiff penalties on non-complying businesses. You can read about the fines imposed at this online database: www.enforcementtracker.com

The CCPA is not yet enforced. It’s been delayed until July 1, 2020 (at the earliest) as the California attorney general completes the law’s implementation regulations. However, the AG has indicated that companies not in compliance with CCPA on January 1st, 2020, could be fined for earlier violations once enforcement begins. 

The GDPR, CCPA, NV SB220 and WaPA all have stiff financial penalties for businesses found to be non-compliant. 

The ADA, as it pertains to websites, is primarily enforced through civil litigation. And the majority (96%) of businesses that have been sued for inaccessible websites are in Florida and New York, where the conditions for such a lawsuit are more favorable. This type of litigation has steadily increased in recent years and we recommend that every business take the time to make their website compliant with Level A or AA of the WCAG 2.1

PCI DSS applies to businesses accepting credit cards for payment. Compliance is required but enforcement is enacted after a breach. In other words, if your company is not PCI DSS compliant and confidential data is exposed, you will be fined and penalized by the banks and credit card industry.

Search Engine Standards are enforced through search index ranking. In other words, a website that is not compliant with current browser standards, can expect to rank lower in search results. As mentioned above, Google will penalize sites for slow-loading pages, not being compatible with mobile devices and for being unencrypted. If having visibility on search engines is important to you and your business website, we recommend staying current with these website standards of the major search engines.

Website Compliance Today and Tomorrow

Website compliance is not a pretty picture right now and our prediction is that it’s likely to get worse before it gets better. The ambiguous nature of accessibility requirements or the patchwork of data privacy requirements are good indicators of how well-meaning requirements can grow organically into complicated burdens. Unfortunately, this is not something that you can ignore. Every business needs to be aware of what regulations apply to their website and to keep an eye on how those requirements are changing. 

We can help your company or organization to develop and implement a website compliance program. Email info@nulltenrec.com or call 888-983-6732 for more information.

0 comments on Website Compliance Primer