What are the potential ramifications if your users with disabilities can’t access consent notice information ?
Number five on my list of ten things to consider when prioritizing accessibility defects for remediation is:
Are the accessibility defects on a page where there are legal implications if the user can’t access something?
Consent rules for data gathering and cookies exist for a reason. There are laws in place and some pretty hefty fines associated with breaking them (GDPR and COPPA especially). You don’t want to be one of those organizations that get hit with millions of dollars in fines (not to mention reputation harm) for collecting data without obtaining the appropriate consent first.
Trespass is a new legal theory being tried out in Florida in digital accessibility lawsuits in addition to the standard ADA claims. According to this article, at least three of these cases have been recently filed (though citations were not included in the article).
What is Computer Trespass?
Trespass in general means “going somewhere you’ve been told not to go”. A person is guilty of computer trespass if s/he intentionally and without authorization accesses, alters, deletes, damages, destroys, or disrupts any computer, computer system, computer network, computer program, or data.
Breaking it down, the definition of “computer trespass” requires that the trespass be done:
- intentionally — yep the organization did it on purpose, it’s not a bug.
- without authorization — if the authorization section of the website or mobile app is inaccessible, how could an assistive technology user have legitimately granted permission? The short answer is “they couldn’t have”.
- access … alter — “accessing” and “altering” is the de-facto definition of reading data from a device to see where else you’ve been visiting, or dropping a cookie on a device.
- data — yep, this means it can be on a mobile device, not just a computer.
While computer trespass was intended to criminalize hacker behavior, a strict reading of the above definition would indicate that it could also apply to sites that modify any bits on your device (laptop or mobile) without your consent.
The only difference between a computer trespass cause of action as it applies to hackers as compared to to companies with inaccessible consent policies is that with hackers, the perpetrator is doing something that they are not supposed to be doing for their own financial gain. Oh wait. That’s true for inaccessible consent policies too 🙂
Three years ago, the US Supreme Court upheld a case involving computer trespass. And that was a criminal case, where the standards are normally much higher, because someone’s freedom is at stake. So there is no reason to believe that the Supreme Court would say that computer trespass is either a) not really a thing; or b) not a thing when only financial damages are alleged.
Why Include Trespass in a Cause of Action?
There most likely reason a plaintiff (or their lawyer) might want to include trespass as a cause of action in a digital accessibility lawsuit is to allege damages.
In many jurisdictions, ADA lawsuits come without the right to financial damages. Some states (California is one) have augmented the ADA and added a right to damages under a parallel law. But most states have not. Since legal fees are frequently based on the damages awarded, the higher the damages, the more the lawyers make. So the lawyers are motivated to do this in addition to the plaintiffs.
Another reason is that the drive-by lawsuits have created a backlash against ADA lawsuits. Many legislative attempts have been made to modify the ADA by requiring the plaintiff to give notice to the defendant, along with a statutory period of time for the defendant to “cure” (which is just a fancy legal term that means fix) whatever ADA violation(s) exists. So far these attempts to gut the ADA have all failed. If any succeeded some day, the trespass cause of action would be independent of the requirement to provide notice and allow time to cure for the ADA violation.
What about third party consent vendors?
There are more third party consent vendors than you can shake a stick at and most of them are inaccessible. The fact that the consent code came from a third party vendor may give your organization a great cause of action in a cross-complaint (which is the term for when someone gets sued, and they put up their hands and say “not my fault, they did it” and turn around and sue the party who they believe is to blame, linking the two lawsuits together). However, it isn’t going to insulate the organization from getting named in the original suit or all of the expenses and headaches associated with defending that suit. This article discusses in detail why companies need to monitor the accessibility of their third party content (tl;dr If you like living dangerously, by all means, ignore the accessibility of your third-party content) and this one discusses all of the costs associated with being a party to such a suit.
Until the message is clearly received by business owners that websites need to be accessible, lawyers are going to continue to come up with creative ways to sue over inaccessibility. Whistleblower suits and trespass causes of action are just the latest shift in that trend.