Websites play a vital role for organizations. They facilitate communication with consumers, constituents, patients, employees, donors, and the general public. They project an organization’s image and promote goodwill, provide information about products and services and allow for their purchase. Websites also inform investors about performance, enable job seekers to view and apply for open positions, and accept questions and comments from visitors to the site or app, among many other activities and functionalities. Because of this vital role, websites have become an increasing subject of regulation making them a growing compliance concern.
What are some of these requirements?
AI – Artificial Intelligence. Organizations are increasingly leveraging automated decision-making tools to enhance their businesses in a range of areas, including employment. Needless to say, artificial intelligence (AI) and similar technologies, which power these tools, is being targeted for regulation. For example, the New York City Council passed a measure that subjects the use of automated decision-making tools to several requirements. One of those requirements is a “bias audit.” Employers that intend to utilize such a tool must first conduct a bias audit and must publish a summary of the results of that audit on their websites. We cover more about NYC Local Law 144 here.
ADA Accessibility. When people think about accommodating persons with disabilities, they often are drawn to situations where a person’s physical movement in a public place is impeded by a disability – stairs to get into a library or narrow doorways to use a bathroom. Indeed, Title III of the Americans with Disabilities Act grants disabled persons the right to full and equal enjoyment of the goods, services, facilities, privileges, advantages, or accommodations of any place of public accommodation. Although websites were not around when the ADA was enacted, they are now, and courts are applying ADA protections to those sites. The question is whether a website or application is accessible.
Although not yet adopted by the Department of Justice, which enforces Title III of the ADA, guidelines established by the Website Accessibility Initiative appear to be the more likely place courts will look to access the accessibility of a website to which Title III applies. State and local governments have similar obligations under Title II of the ADA, and those entities might find guidance here.
HIPAA…and tracking technologies, pixels. For anyone who has had their first visit to a doctor’s office, they likely were greeted with a HIPAA “notice of privacy practices” and asked to sign an acknowledgement of receipt. Most covered health care providers have implemented this requirement, but may not be aware of the website requirement. HIPAA regulation 45 CFR 164.520(c)(3)(i) requires that covered entities maintaining a website with information about the entity’s customer services or benefits must prominently post its notice of privacy practices on the site and make the notice available electronically through site.
Beyond the notice posting requirement, websites of HIPAA covered entities and business associates have operational issues to consider. In December 2022, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a bulletin with guidance concerning the use of online tracking technologies by covered entities and business associates under HIPAA. The OCR Bulletin follows a significant uptick in litigation concerning these technologies in industries including but not limited to the healthcare. For healthcare entities, the allegations relate to the sharing of patient data obtained from patient portals and websites. We do a deeper dive into this issue here.
COPPA. The Children’s Online Privacy Protection Act (COPPA) was enacted to give parents more control concerning the information websites collect about their children under 13. Regulated by the Federal Trade Commission (FTC), COPPA requires websites and online services covered by COPPA to post privacy policies, provide parents with direct notice of their information practices, and get verifiable consent from a parent or guardian before collecting personal information from children. COPPA applies to websites and online services directed to children under the age of 13 that collect personal information, and to sites and online services geared toward general audiences when they have “actual knowledge” they are collecting information from children under 13. Find out more about compliance here.
FTCA and more on tracking technologies. Speaking of the FTC, that agency also enforces the federal consumer protection laws, including section 5 of the Federal Trade Commission Act (FTCA) which prohibits unfair and deceptive trade practices affecting commerce. When companies tell consumers they will safeguard their personal information, including on their websites, the FTC requires that they live up these promises. Businesses should review their website disclosures to ensure they are not describing privacy and security protections that are not actually in place.
Further to the issue of website tracking technologies noted above under HIPAA, the FTC took enforcement action against digital healthcare companies for sharing user information vie third-party tracking pixels, which enable the collection of user data. However, the FTC’s new focus highlights that issues with pixel tracking are not only a concern for covered entities and business associates under HIPAA.
ACA – Transparency in Coverage. Pursuant to provisions in the Consolidated Appropriations Act, 2021, the Departments of Labor, Health and Human Services, and the Treasury issued regulations to implement the Transparency in Coverage Final Rules. The Final Rules require certain health plans and health insurance issuers to post information about the cost to participants, beneficiaries, and enrollees for in-network and out-of-network healthcare services through machine-readable files posted on a public website. The Final Rules for this requirement are effective for plan years beginning on or after January 1, 2022 (an additional requirement for disclosing information about pharmacy benefits and drug costs is delayed pending further guidance).
Since we originally published this post, five other states have enacted a similar data privacy framework – Colorado, Connecticut, Iowa, Utah, and Virginia. For organizations subject to those law, additional work may be needed on their privacy policies to comply.
Delaware and Nevada. In 2016, Delaware became the second state to have an online privacy protection act, requiring similar disclosures to those under CalOPPA. Nevada enacted website privacy legislation of its own. First, like DelOPPA and CalOPPA, NRS 603A.340 requires “operators” to make a privacy notice reasonably accessible to consumers through its Internet website or online service. That notice must, among other things, identify the categories of covered information the operator collects through the site or online service about consumers who use or visit the site or service and the categories of third parties with whom the operator may share such covered information. In general, an operator is a person who: (i) owns or operates an Internet website or online service for commercial purposes; (ii) collects and maintains covered information from consumers who reside in this State and use or visit the Internet website or online service; and (iii) engages in any activity that constitutes sufficient nexus with this State, such as purposefully directing its activities toward Nevada. Effective October 1, 2019, Nevada added to its website regulation by requiring operators to designate a request address on their websites through which a consumer may submit a verified request to opt out of the sale of their personal information.
California’s Fair Chance Act. This is California’s version of the “ban the box” law, those law enacted in many states which generally prohibit employers from asking job applicants about criminal convictions before making a conditional job offer. In California, the law imposes similar restrictions on employers with five or more employees. Why is this a website requirement?
Recently, the state’s Department of Fair Employment and Housing (DFEH) announced new efforts to identify and correct violations of the statute by using technology to conduct mass searches of online job advertisements for potentially prohibited statements. The DFEH deems blanket statements in job advertisements indicating that the employer will not consider anyone with a criminal history to be violative of the statute. In its press release, the DFEH states in one day of review it found over 500 job advertisements with statements that violate the statute. The DFEH has released a new Fair Chance Toolkit, that includes sample forms and guides, and employers should also consider reviewing the descriptions of job opportunities on their websites.
California Transparency in Supply Chains Act. California seeks to curb slavery and human trafficking by making consumers and businesses more aware that the goods and products they buy could be supporting the commission of these crimes. To do so, the Transparency in Supply Chains Act requires large retailers and manufacturers to provide consumers with information regarding their efforts to eradicate slavery and human trafficking from their supply chains. This information must be conspicuously provided on the company’s website (or provided in writing if it does not have a website). To be subject to the law, a company must (a) identify itself as a retail seller or manufacture in its tax returns; (b) satisfy the legal requirements for “doing business” in California; and (c) have annual worldwide gross receipts exceeding $100,000,000. To assist with compliance, the state has published a Resource Guide and Frequently Asked Questions.
Not-For-Profits, Donors, and Ratings. A donor’s decision to contribute to an organization is significantly affected by that organization’s reputation. To assist donors, several third-party rating sites, such as Charity Navigator, the Wise Giving Alliance, and CharityWatch, do much of the legwork for donors. They collect large amounts of data about these organizations, such as financial position, use of donated funds, corporate governance, transparency, and other practices. They obtain most of that data from the organizations’ Forms 990 and websites, where many organizations publish privacy policies.
This is by no means an exhaustive list of the regulatory requirements that may apply to your website or online service. Organizations should regularly revisit their websites not just to add new functionality or fix broken links. They should have a process for ensuring that the sites or services meet the applicable regulatory requirements.