By Joseph J. Lazzarotti with Jackson Lewis P.C.
Websites play a vital role for organizations. They facilitate communication with consumers, constituents, patients, employees, donors, and the general public. They project an organization’s image and promote goodwill, provide information about products and services and allow for their purchase. Websites also inform investors about performance, enable job seekers to view and apply for open positions, and accept questions and comments from visitors to the site or app, among many other activities and functionalities. Because of this vital role, websites have become an increasing subject of regulation making them a growing compliance concern.
Currently, many businesses are working to become compliant with the California Consumer Privacy Act (CCPA) which, if applicable, requires the conspicuous posting of a detailed privacy policy on a business’s website. But the CCPA is not the first nor will it be the last compliance challenge for organizations that operate websites and other online services. A growing compliance burden has led to a wide range of operational and content requirements for websites. The push for CCPA compliance and responding to the flood of ADA accessibility litigation may cause more organizations to revisit their websites and, in the process, uncover a range of other issues that have crept in over the years.
What are some of these requirements?
AI – Artificial Intelligence. Organizations are increasingly leveraging automated decision-making tools to enhance their businesses in a range of areas, including employment. Needless to say, artificial intelligence (AI) and similar technologies, which power these tools, is being targeted for regulation. For example, the New York City Council passed a measure that subjects the use of automated decision-making tools to several requirements. One of those requirements is a “bias audit.” Employers that intend to utilize such a tool must first conduct a bias audit and must publish a summary of the results of that audit on their websites.
ADA Accessibility. When people think about accommodating persons with disabilities, they often are drawn to situations where a person’s physical movement in a public place is impeded by a disability – stairs to get into a library or narrow doorways to use a bathroom. Indeed, Title III of the Americans with Disabilities Act grants disabled persons the right to full and equal enjoyment of the goods, services, facilities, privileges, advantages, or accommodations of any place of public accommodation. Although websites were not around when the ADA was enacted, they are now, and courts are applying ADA protections to those sites. The question is whether a website or application is accessible.
Although not yet adopted by the Department of Justice, which enforces Title III of the ADA, guidelines established by the Website Accessibility Initiative appear to be the more likely place courts will look to access the accessibility of a website to which Title III applies. State and local governments have similar obligations under Title II of the ADA.
HIPAA…and tracking technologies, pixels. For anyone who has had their first visit to a doctor’s office, they likely were greeted with a HIPAA “notice of privacy practices” and asked to sign an acknowledgement of receipt. Most covered health care providers have implemented this requirement, but may not be aware of the website requirement. HIPAA regulation 45 CFR 164.520(c)(3)(i) requires that covered entities maintaining a website with information about the entity’s customer services or benefits must prominently post its notice of privacy practices on the site and make the notice available electronically through site.
Beyond the notice posting requirement, websites of HIPAA covered entities and business associates have operational issues to consider. In December 2022, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a bulletin with guidance concerning the use of online tracking technologies by covered entities and business associates under HIPAA. The OCR Bulletin follows a significant uptick in litigation concerning these technologies in industries including but not limited to the healthcare. For healthcare entities, the allegations relate to the sharing of patient data obtained from patient portals and websites.
COPPA. The Children’s Online Privacy Protection Act (COPPA) was enacted to give parents more control concerning the information websites collect about their children under 13. Regulated by the Federal Trade Commission (FTC), COPPA requires websites and online services covered by COPPA to post privacy policies, provide parents with direct notice of their information practices, and get verifiable consent from a parent or guardian before collecting personal information from children. COPPA applies to websites and online services directed to children under the age of 13 that collect personal information, and to sites and online services geared toward general audiences when they have “actual knowledge” they are collecting information from children under 13.
FTCA and more on tracking technologies. Speaking of the FTC, that agency also enforces the federal consumer protection laws, including section 5 of the Federal Trade Commission Act (FTCA) which prohibits unfair and deceptive trade practices affecting commerce. When companies tell consumers they will safeguard their personal information, including on their websites, the FTC requires that they live up these promises. Businesses should review their website disclosures to ensure they are not describing privacy and security protections that are not actually in place.
Further to the issue of website tracking technologies noted above under HIPAA, the FTC took enforcement action against digital healthcare companies for sharing user information vie third-party tracking pixels, which enable the collection of user data. However, the FTC’s new focus highlights that issues with pixel tracking are not only a concern for covered entities and business associates under HIPAA.
ACA – Transparency in Coverage. Pursuant to provisions in the Consolidated Appropriations Act, 2021, the Departments of Labor, Health and Human Services, and the Treasury issued regulations to implement the Transparency in Coverage Final Rules. The Final Rules require certain health plans and health insurance issuers to post information about the cost to participants, beneficiaries, and enrollees for in-network and out-of-network healthcare services through machine-readable files posted on a public website. The Final Rules for this requirement are effective for plan years beginning on or after January 1, 2022 (an additional requirement for disclosing information about pharmacy benefits and drug costs is delayed pending further guidance).
This is by no means an exhaustive list of the regulatory requirements that may apply to your website or online service. Organizations should regularly revisit their websites not just to add new functionality or fix broken links. They should have a process for ensuring that the sites or services meet the applicable regulatory requirements.
If you would like to learn more about how to safely outsource compliance and HR functions, connect with us.
JACKSON LEWIS P.C. (“FIRM”) PROVIDES THE INFORMATION IN THIS POST FOR GENERAL INFORMATIONAL PURPOSES ONLY. THIS POST SHOULD NOT BE RELIED UPON OR REGARDED AS, LEGAL ADVICE. NO ONE ACCESSING OR REVIEWING THIS POST, WHETHER OR NOT A CURRENT CLIENT OF THE FIRM, SHOULD ACT OR REFRAIN FROM ACTING ON THE BASIS OF SUCH CONTENT OR INFORMATION, WITHOUT FIRST CONSULTING WITH AND ENGAGING A QUALIFIED, LICENSED ATTORNEY, AUTHORIZED TO PRACTICE LAW IN SUCH PERSON’S PARTICULAR STATE, CONCERNING THE PARTICULAR FACTS AND CIRCUMSTANCES OF THE MATTER AT ISSUE. THE POST MAY NOT REFLECT CURRENT LEGAL DEVELOPMENTS, OR LAWS OR RULES THAT MAY APPLY IN PARTICULAR JURISDICTIONS. THE FIRM AND ITS LAWYERS EXPRESSLY DISCLAIM ALL LIABILITY IN CONNECTION WITH ACTIONS TAKEN OR NOT TAKEN BASED ON ANY OR ALL OF THE CONTENTS OR INFORMATION ACCESSIBLE THROUGH THIS SITE. ANY INFORMATION ABOUT PRIOR RESULTS ATTAINED BY THE FIRM OR ITS LAWYERS IS NOT A GUARANTEE OR WARRANTY THAT A SIMILAR OUTCOME WILL BE ACHIEVED.
THE FIRM IS NOT RESPONSIBLE FOR THE CONTENT, OPERATION
, LINKS OR TRANSMISSIONS, OR ANY INFORMATION PROVIDED ON ANY OTHER PART OF ASURE SOFTWARE, INC.’S WEBSITE OR ANY THIRD-PARTY WEBSITE WHICH MAY BE ACCESSED BY A LINK FROM THIS WEBSITE.
NOTHING PROVIDED BY THE FIRM IS INTENDED TO FORM, AND WILL NOT CREATE, AN ATTORNEY-CLIENT RELATIONSHIP.
THIS POST MAY BE CONSIDERED ATTORNEY ADVERTISING UNDER THE RULES OF SOME STATES. THE HIRING OF AN ATTORNEY IS AN IMPORTANT DECISION THAT SHOULD NOT BE BASED SOLELY UPON ADVERTISEMENTS.
STATEMENT IN COMPLIANCE WITH TEXAS RULES OF PROFESSIONAL CONDUCT: UNLESS OTHERWISE INDICATED IN INDIVIDUAL ATTORNEY BIOGRAPHIES, LAWYERS RESIDENT IN THE FIRM’S VARIOUS OFFICES ARE NOT CERTIFIED BY THE TEXAS BOARD OF LEGAL SPECIALIZATION.