Cookie Banners and Accessibility
What is a cookie?
Cookies are small pieces of data that a website asks the browser to store, either temporarily (session cookie) or across browser restarts (persistent cookie). Cookies give websites a way to keep track of your preferences, your login state, and, in the third-party case, your activity across sites.
What types of cookies exist?
Cookie type tells you who is setting the cookie.
Cookie length tells you how long the cookie will exist.
The average site has 23 cookies, most of them third-party and persistent.
Cookie type
First-party Cookies: Set by the website being visited.
Third-party Cookies: Set by domains OTHER than the website being visited.
Length of time cookies hang around.
Session Cookies: Cookies with no expiry set, which the browser discards when it is closed. They are usually first-party and keep track of things like whether you are logged in and what is in your shopping cart.
Persistent Cookies: Cookies with an expiry date or maximum age set, so they hang around between browser sessions. Persistent third-party cookies are losing favor in the internet marketplace and are increasingly limited by browsers.
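The two distinctions above (who sets the cookie, and how long it lives) are both visible in the Set-Cookie header. The following is an added example, not code from the original article: it parses constructed Set-Cookie headers, classifies each as first- or third-party relative to the page the user is on and as session or persistent, and flags the attributes a security reviewer would check. The registrable-domain comparison is simplified to the last two labels; real browsers use the Public Suffix List.

```javascript
// Approximation of the registrable domain (eTLD+1): the last two DNS labels.
// Browsers consult the Public Suffix List instead, so hosts under suffixes
// like "co.uk" need more care; this simplification is an assumption here.
function siteOf(hostname) {
  const labels = hostname.toLowerCase().split(".").filter(Boolean);
  return labels.slice(-2).join(".");
}

// Minimal Set-Cookie parser: name=value, then the attributes we care about.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: eq === -1 ? pair : pair.slice(0, eq),
    value: eq === -1 ? "" : pair.slice(eq + 1),
    expires: null, maxAge: null, secure: false, httpOnly: false, sameSite: null, domain: null,
  };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i === -1 ? "" : attr.slice(i + 1);
    switch (key) {
      case "expires": cookie.expires = val; break;
      case "max-age": cookie.maxAge = Number(val); break;
      case "secure": cookie.secure = true; break;
      case "httponly": cookie.httpOnly = true; break;
      case "samesite": cookie.sameSite = val.toLowerCase(); break;
      case "domain": cookie.domain = val.replace(/^\./, "").toLowerCase(); break;
    }
  }
  return cookie;
}

// responseUrl: the URL whose response carried the header (who is setting it).
// topLevelUrl: the page in the address bar (whose site the user thinks they are on).
function classifyCookie(header, responseUrl, topLevelUrl) {
  const c = parseSetCookie(header);
  const setter = new URL(responseUrl).hostname;
  const page = new URL(topLevelUrl).hostname;
  const party = siteOf(setter) === siteOf(page) ? "first-party" : "third-party";

  // RFC 6265: Max-Age takes precedence over Expires; Max-Age <= 0 deletes the cookie.
  // No Expires and no Max-Age means a session cookie.
  let lifetime;
  if (c.maxAge !== null) lifetime = c.maxAge <= 0 ? "deleted" : "persistent";
  else if (c.expires !== null) lifetime = "persistent";
  else lifetime = "session";

  const warnings = [];
  if (!c.secure) warnings.push("missing Secure");
  if (!c.httpOnly) warnings.push("readable by script (no HttpOnly)");
  if (party === "third-party" && c.sameSite !== "none")
    warnings.push("third-party cookie without SameSite=None; Chromium's Lax default will not send it cross-site");
  if (c.sameSite === "none" && !c.secure) warnings.push("SameSite=None requires Secure");
  return { name: c.name, party, lifetime, warnings };
}

// Constructed sample data: the page the user is on, and headers as a shop's own
// server and an embedded ad network might send them. Domains are examples only.
const PAGE = "https://shop.example.com/cart";
const SAMPLES = [
  ["https://shop.example.com/cart", "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
  ["https://shop.example.com/cart", "cookie_consent=none; Path=/; Max-Age=31536000"],
  ["https://ads.tracker-example.net/pixel",
   "uid=42; Domain=.tracker-example.net; Expires=Fri, 31 Dec 2027 23:59:59 GMT; Secure; SameSite=None"],
];

function report() {
  return SAMPLES.map(([url, header]) => classifyCookie(header, url, PAGE));
}

if (typeof require !== "undefined" && require.main === module) console.table(report());
```

Run it with node and the table shows the shop's login cookie as a first-party session cookie with no warnings, the consent-choice cookie as first-party and persistent (a consent record has to survive the session or the banner comes back every visit), and the ad network's cookie as third-party and persistent. Note that a cookie set by the consent banner itself before the user chooses anything would show up here exactly like any other first-party persistent cookie, which is the point of the trespass question later in this article.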
What is a cookie banner?
There are a number of proposed and enacted privacy regulations covering cookies, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), Vermont Act 171 of 2018 (Data Broker Regulation), the Brazilian General Data Protection Law (LGPD), India's Personal Data Protection Bill, Chile's Privacy Bill Initiative, and the New Zealand Privacy Bill.
Each privacy regulation has its own rules about consent to data collection, and that is where the cookie banner comes in. A cookie banner appears across an entire screen or webpage. It asks the user to consent to the data being collected and the purposes for which it is being collected. Cookie banners typically have links to the full terms and conditions, which contain detailed legalese that very few people ever read in-depth.
Where do cookie banners visually appear?
Anecdotally, I have seen cookie banners showing up more and more at the bottom of the page.
This shift may be driven by the desire to reserve the top of the page for “READ THIS NOW” notices, such as COVID's impact on business operations (shipping, store closures, cleaning procedures, etc.). The top is also more valuable real estate for advertising deals on e-commerce sites.
Does your cookie banner contain a focus trap?
Some cookie banners are modal dialogs that prevent you from reaching the main webpage content until you have accepted or declined the cookie collection. This type of modal dialog acts as a focus trap. If the cookie banner is the first object in the DOM, a keyboard or screen reader user cannot get past it until they complete one of the acceptance options described below, so every one of those options has to be reachable and operable by keyboard.
Where does the cookie banner show up in the tab order?
There are no regulations about where within the tab order the buttons within the cookie banner appear. I have seen each of the following tab order locations for cookie banners that visually appear at the bottom of pages:
1. Skip link, cookie banner activatable components, then the rest of the elements.
2. Cookie banner activatable components, skip link, then the rest of the elements.
3. Skip link, the rest of the elements, then the cookie banner activatable components.
If you want your cookie banner to be a focus trap/modal dialog where the user cannot proceed before accepting/customizing cookies, the only valid tab order is #2.
Approach #3 means keyboard-only users may never reach the cookie banner (if they leave the page before they tab all the way to the bottom).
Approach #1 means that keyboard-only users may skip to the main content, bypassing the cookie banner entirely.
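What makes tab order #2 work is that the banner takes focus first and then keeps it: Tab on the last control wraps to the first, Shift+Tab on the first wraps to the last, and focus is handed back to the page only when the user makes a choice. The following is an added example of that keyboard logic, not code from the original article or from any consent vendor. The focus-cycling rule is kept in a pure function so it can be reasoned about on its own; the element IDs `cookie-banner`, `cookie-accept` and `cookie-reject` are assumptions.

```javascript
// Pure focus-trap rule: given how many focusable controls the dialog holds,
// which one has focus (-1 if focus is outside the dialog) and whether Shift is
// held, return the index that should receive focus on Tab. Focus never leaves
// the dialog; that is what makes it a trap.
function nextFocusIndex(count, currentIndex, shiftKey) {
  if (count === 0) return -1;                 // nothing to trap focus in
  if (currentIndex < 0 || currentIndex >= count) {
    return shiftKey ? count - 1 : 0;          // focus escaped or never entered: pull it in
  }
  if (shiftKey) return currentIndex === 0 ? count - 1 : currentIndex - 1;
  return currentIndex === count - 1 ? 0 : currentIndex + 1;
}

// Selector for the controls a keyboard user can land on inside the dialog.
const FOCUSABLE =
  'a[href], button:not([disabled]), input:not([disabled]), ' +
  'select:not([disabled]), textarea:not([disabled]), [tabindex]:not([tabindex="-1"])';

// DOM wiring (browser only). Marks the banner as a modal dialog for assistive
// technology, moves focus into it, and keeps Tab/Shift+Tab cycling inside it.
// Returns a release function that removes the trap and restores focus.
function installFocusTrap(dialog) {
  dialog.setAttribute("role", "dialog");
  dialog.setAttribute("aria-modal", "true");
  const previouslyFocused = document.activeElement;
  const controls = () => Array.from(dialog.querySelectorAll(FOCUSABLE));

  const first = controls()[0];
  if (first) first.focus();

  function onKeydown(event) {
    if (event.key !== "Tab") return;
    const list = controls();
    const next = nextFocusIndex(list.length, list.indexOf(document.activeElement), event.shiftKey);
    if (next >= 0) {
      event.preventDefault();                 // stop the browser's own tab move
      list[next].focus();
    }
  }
  document.addEventListener("keydown", onKeydown);

  return function release() {
    document.removeEventListener("keydown", onKeydown);
    if (previouslyFocused && previouslyFocused.focus) previouslyFocused.focus();
  };
}

// Only runs in a browser; the IDs are assumptions for this example.
if (typeof document !== "undefined") {
  const banner = document.getElementById("cookie-banner");
  if (banner) {
    const release = installFocusTrap(banner);
    for (const id of ["cookie-accept", "cookie-reject"]) {
      const button = document.getElementById(id);
      if (button) button.addEventListener("click", () => { release(); banner.hidden = true; });
    }
  }
}
```

Two points a reviewer should check against this pattern: every way out of the trap (accept, decline, customize) has to be a real focusable control inside the dialog, otherwise `nextFocusIndex` cycles the user forever; and the banner should sit first in the DOM, matching tab order #2, so that screen readers announce it before the skip link rather than after the whole page.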
Type of Acceptance
Explicit Opt-in
Requires clicking on “accept” or checking an “OK box” to accept terms
Implicit Opt-in by behavior
If you do anything on the page at all, you have been deemed to have accepted the terms. Note this approach is not always allowed by local laws (GDPR for example) so please check any regulations applicable to your organization carefully.
Explicit Opt-out
Decline all or disable all are usually the terms used when opting out of cookies.
Customize
Some sites allow you to customize your cookie consent — you could, therefore, agree to session cookies but not anything that can be sold to a third party.
But my cookie banner comes from a third party?
It doesn’t matter — if you contracted with the vendor, you are liable for its inaccessibility.
There are more third-party consent vendors than you can shake a stick at. Many of them do not satisfy the WCAG 2.1 Level AA guidelines required by the California Consumer Privacy Act. The fact that the consent code came from a third-party vendor may give your organization a fantastic cause of action in a cross-complaint. A cross-complaint is the term for when someone gets sued, and they put up their hands and say “Not my fault, they did it.” They then turn around and sue the party who they believe is to blame and link the two lawsuits together. However, the fact that the cookie inaccessibility problems come from a third-party vendor isn’t going to insulate you from getting named in the original suit. It also won’t protect you from all of the expenses and headaches associated with defending that suit. This article discusses in detail why companies need to monitor the accessibility of their third-party content (tl;dr If you like living dangerously, by all means, ignore the accessibility of your third-party content). This one discusses all of the costs associated with being a party to such a suit.
Don’t know if your proposed cookie vendor is accessible?
Google “VendorName accessibility” where the VendorName is the name of the vendor you are considering, such as “cookie bot accessibility”. If you get no meaningful results from the Google search, chances are your cookie vendor isn’t accessible. Otherwise, once you get past all of the sponsored posts, there should be a link to the accessibility statement for the cookie vendor you are evaluating.
That’s a Google query that could save you hundreds of thousands of dollars in legal fees.
If a website leaves a cookie without the user accepting the cookie terms, is it a trespass?
There is litigation pending over this exact issue, of course. If cookie terms are inaccessible, there is no way to prove that a user who relied on assistive technology had adequate access to provide consent. Going somewhere you don’t have permission to go is a trespass. Going somewhere you didn’t have permission to go digitally is a digital trespass.
Why is cookie banner accessibility in California such a big deal?
The California Consumer Privacy Act regulations specifically call out that, to be compliant, privacy notices must be accessible to consumers with disabilities, and California case law treats WCAG as the measure of that. We are already past the date the law took effect (January 1, 2020) and the date enforcement actions began (July 1, 2020). Fines can be up to $2,500 per violation, or $7,500 per intentional violation!
Because this is the “California Consumers” privacy act, it doesn’t just affect companies that are based in California. It affects companies doing business in California, which is, in effect, almost everyone in the US, unless you specifically block viewers with IP addresses known to be in California.
Who does the CCPA Apply to?
Unlike the Unruh Act, which leverages ADA requirements, the CCPA has its own thresholds. It is mostly intended to apply to larger companies. For-profit businesses doing business in California must comply with the CCPA if they:
Have $25 million or more in annual gross revenue; or
Buy, sell, or share the personal information of 50,000 or more “consumers, households, or devices”; or
Derive 50% or more of their annual revenue from selling consumers’ personal information.
The California legislature also exempted data that is already covered by stricter sector-specific laws, such as health information handled by providers and insurers under HIPAA, financial data handled by banks and financial institutions under GLBA, and credit data handled by consumer reporting agencies under FCRA.
CCPA Fine Print
999.308. Privacy Policy
The privacy policy shall be designed and presented in a way that is easy to read and understandable to an average consumer. The notice shall:
a. Use plain, straightforward language and avoid technical or legal jargon.
b. Use a format that makes the policy readable, including on smaller screens, if applicable.
c. Be available in the languages in which the business, in its ordinary course, provides contracts, disclaimers, sale announcements, and other information to consumers.
d. Be accessible to consumers with disabilities. At a minimum, provide information on how a consumer with a disability may access the policy in an alternative format.
e. Be available in an additional format that allows a consumer to print it out as a separate document.
Use plain straightforward language.
There are many studies on the average reading grade level in the US. Most of these studies place the average between 6th and 8th grade. Basic contract legalese isn’t going to work here. If flowery, complex language is used, most consumers won’t understand what they just agreed to. Read this article on how complicated language is discriminatory, and how to make it more accessible to all.
Make the policy readable
“Readable” in this part of the regulation pertains to actually being able to perceive the text, not understand it. To satisfy this part of the regulation:
Zoom/Magnification *must* work. Both built-in magnification (pinch-to-zoom and <Ctrl-+>) and external magnifiers (ZoomText) should work.
HTML must be responsive (not explicitly stated, but the call out of “small screens” really strongly implies it)
Icons and other interactive components must be big enough to easily use
Icons and other interactive components must have enough contrast to be easily seen
Be accessible to consumers with disabilities
California case law has repeatedly identified WCAG 2.0 Level AA as the applicable standard in determining whether or not a website or mobile app is accessible. However, by specifically calling out “small screens” in 999.308(b) above, the CCPA regulations have implicitly triggered three WCAG 2.1 success criteria (1.4.10 Reflow, 1.4.11 Non-text Contrast, and 2.5.5 Target Size), and the target size criterion is a WCAG 2.1 Level AAA standard.
Nothing has been said in the CCPA about automatic screen reorientation (WCAG 2.1 success criterion 1.3.4 Orientation) when the privacy policy is buried in a native app. However, I suspect that if a wheelchair user with a device mounted in a fixed orientation said they couldn’t access a privacy policy because it was in an app that didn’t reorient, they would have a fairly good case for a CCPA violation.
Provide Alternate Formats
The types of alternate formats that can be requested include but probably aren’t limited to:
Audio
Braille
Captions. FYI, captions are a Level A WCAG guideline, so if you aren’t already doing this, you are likely out of compliance.
Descriptive audio. Another Level A WCAG guideline.
Large print
Electronic text
ASL interpretation for pre-recorded video soundtracks
Some of these alternate formats (Braille and Large Print, for example) have their own strict requirements in California in terms of how they are produced.
If you are searching for vendors when the request for an alternate format comes in, chances are you are NOT going to provide the information in the requested format in a commercially reasonable time frame. The time to start setting up these relationships, especially for larger companies, is now.