Accessibility Overlays Create Info Privacy Concerns

Screenshot of an accessibility overlay widget, asking the user to identify their disability profile: Seizure safe profile, Vision impaired profile, cognitive disability profile, and three others.

You may already be aware that accessibility overlays can create a number of issues and are best avoided. Here’s another significant reason to avoid overlay plugins: they are probably creating data privacy issues that put your site out of compliance with GDPR (General Data Protection Regulation) and/or CCPA (California Consumer Privacy Act).

Overlay plugins gather health information

You can see from the image on this post that overlay plugins ask users to self-identify with information about seizures, vision impairments, cognitive disabilities and more. Beyond self-identification, many overlay plugins also scan the user’s computer to identify assistive technologies that may be installed or configured on their device. They may additionally gather health information “guesses” based on how the user interacts with the site.

Not only do overlay plugins gather this information, they typically add cookies into the user’s browser. These cookies MAY store persistent data (settings seem to persist across different sites), but they DO send data back to the overlay’s servers. AccessiBe’s Privacy Policy states:

Our servers automatically collect information when you access or use the Website and record it in log files. The log information we collect may include your IP Address, the address of the web page visited before using the Website, browser type and settings, and cookie data.

Accessibe Privacy Policy, 2.d.

That means profiles or settings on the overlay plugin that reveal health information can be matched with other non-health information (like IP address) to gather data that the user has no way to opt out of.

Data Privacy Concerns

Most US citizens are probably familiar with HIPAA (the Health Insurance Portability and Accountability Act), which requires healthcare providers to protect health information. Website owners are NOT required under HIPAA to protect health information, but at least two data privacy laws DO require website owners to inform users that they will collect health-related data, get permission to do so, and notify users if that data will be passed to third parties.

GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act) both require various levels of notification and opt-ins for users to interact with your site in ways that store or transmit their personal data. And they require that you provide mechanisms for users to remove their data from any storage.

Just like people without disabilities, people with disabilities don’t want to have their personal data sold so that they can be targeted for marketing. For this reason and others, some people with disabilities avoid sites that are running overlay plugins.

Avoid a lawsuit: avoid overlays

Overlay plugins are often marketed as a way to avoid a lawsuit. Ironically, they may be significantly increasing the website owner’s exposure to a data privacy lawsuit.

Overlay plugins don’t provide any notifications or opt-ins, and since the personal data is sent to the overlay service’s server, the site owner no longer has a way to provide a mechanism for removal. The overlay plugin service is able to collect quite a bit of personal information, and it’s unclear how trustworthy the vendor will be with safeguarding or not selling that data. All of this means that the site owner using the overlay plugin is at risk for violations of GDPR and CCPA.

You can avoid that risk by simply not using an accessibility overlay plugin, and instead working to make your site accessible.
