Battle of the Legislations: GDPR VS ADA — Braille Works
The General Data Protection Regulation (GDPR) is a European Union (EU) regulation that mandates how an organization should handle personal data. It has been on the business scene since May 25, 2018. And, it’s taught us something: People care about their data and privacy. And some people don’t want their information, pictures, or viewing history sold to the highest bidder. It’s like one day we all wisened up and said we want to know what it is you’re doing with our data and who has access to it? We don’t want to be in the dark or treated as second class citizens to our basic liberties. A sentiment people with disabilities have echoed long before the GDPR.
If your business sells to, provides services to, or employs citizens of the European Union, then the GDPR affects you. And since the GDPR is enforceable, organizations must have measures in place that satisfy its requirements. We’ve seen businesses go above and beyond to understand this law and enforce it. This concerns us because the ADA (30-year-old legislation) is still not followed by many.
The Americans with Disabilities Act, or the ADA, is the primary civil rights law that covers people with disabilities in the United States. The ADA allows everyone access to public spaces and protects the rights of people with disabilities. The ADA helps people who need accommodations or accessibility to have equal access to goods, services and communication.
Understanding the opponents
How are the GDPR and ADA related? They both prioritize privacy, acknowledgment, and independent decision making. Businesses everywhere collect information and serve a diverse group of customers. So, it’s the two legislations most organizations have heard of. As you prioritize everyone’s ability to decide how their information is shared with your organization, consider the subset of users who never saw your privacy statement, who can’t check or uncheck your request because it’s not accessible, and who’s information you manage.
It would be nice to see the businesses give the same attention to ADA compliance that they are giving to GDPR compliance. Is it because there’s more to lose with GDPR? Does GDPR affect more people? Or, can we chalk this up to GDPR being the new kid on the block? Either way, we took some time to compare the two and see the similarities, differences, and distinctions found in both laws.
Round 1: Not buried in small print
According to the GDPR, the data you collect in pop-ups, chat boxes, or subscription prompts, must have a note informing users about the data you collect and for what purpose. You cannot bury your notice in “small print.”
GDPR says “full disclosure, we’re collecting this information,” while the ADA says “full disclosure isn’t enough because a substantial subset of the population can’t read your disclosure.”
Did you know standard print is “small print” to 2.2 billion people who have a vision impairment or blindness? (WHO) That’s because some read with their eyes while others read with their hands, ears, assistive technology, etc. Don’t bury important information in small print and consider that if you don’t provide information in large print (an ADA provision), it’s probably still small print.
Round 2: Services, partners, and plug-ins are significant
If you collect information with a 3rd party service, they need to be GDPR compliant. To be GDPR compliant, you can no longer leave that “opt-in” box automatically checked. Besides, clearly stating what you are collecting and why, if you are storing data on your systems, you need to tell the public how long you are storing it, how you keep it safe, how they can request a copy, how they can have it removed, and how you’ll notify them if ever compromised.
The ADA (via WCAG) takes it a step farther by saying a pop up “opt-in” box should be accessible. Don’t know if it is? Just try exiting out of it with the “Esc” or “Tab” key. If you can’t, it’s a barrier, and people with assistive technology cannot access the rest of your site.
Round 3: Work on it, not around it
If any company fails to meet GDPR, they may see exorbitant penalties (we’re talking millions of Euros). It’s no wonder we already see workarounds. One solution we’ve seen is that companies create separate websites for addressing the privacy requirements of different countries. This isn’t surprising because we’ve seen people act similarly since the Winn Dixie case, taking down forms, online documents, and PDFs.
And while we’re at it, can we tackle a commonly used loophole? Your company size is not a loophole for compliance for either the ADA or GDPR. The GDPR is about the data, not the number of employees or you have. It affects companies of all sizes, even sole proprietors. With the ADA, if you meet any of the following criteria, it applies to you: (1) all local, county, state, and federal government agencies, (2) any business that relies on and serves the public, and (3) privately run companies that have 15 or more employees. So, chances are you fit in one of the three criteria and should address your ADA compliance. In this case, and most others, avoidance doesn’t work as well as working on it.
Round 4: Privacy
Do you save copious amounts of passwords on a Word Document titled “Logins & Passwords”? Keeping customer data on a spreadsheet without password protection won’t meet GDPR standards. Check the protections and firewalls on your databases and cloud-based storage data, especially when it comes to passwords and privacy.
Similarly, giving out usernames, passwords, and personal identification numbers to get help is not wise or safe. Most institutions remind customers not to share their password and to change if they believe it has been or could be compromised. Unfortunately, we have heard of people giving out PINs, security questions, and statements. They do this because the organization did not offer their communication in braille, large print, audio, and accessible PDFs. People with disabilities should not have to have a family member, friend, or proxy, have access to their health, utilities, or financial services because your organization didn’t make their website or physical location accessible to people with disabilities. We have to have tough questions regarding the privacy of all people. You shouldn’t have anyone’s passwords written down. You also shouldn’t expect anyone to write their password down and hand it to someone else for better customer service.
Not a knockout
Customers, employees, and clients are becoming more aware of the importance of data privacy and now expect a company or organization to respect that privacy. Programs provide you with the tools to achieve and maintain GDPR compliance without a massive upheaval to your business, and Braille Works can help with your ADA compliance. If you have prioritized GDPR compliance and are now realizing you haven’t done the same for the ADA, we can help!
This post was written by Clerise Phillip Samuel.
Originally published at https://brailleworks.com on June 11, 2020.