Why Accessible Websites and Mobile Applications Matter

The Internet is an essential part of life in the 21st century. A 2015 Nielsen study found that people spend an average of 2.5 hours a day using smartphones and PCs to access the Internet.

Look at any website or app and think of how different the experience would be if you couldn’t see it or hear it like everyone else.  The Americans with Disabilities Act (“ADA”) was enacted in 1990 to ensure Americans with disabilities had equal access to places and things such as government facilities and places of public accommodation.  Soon after the ADA was enacted, a new communications medium arose – the World Wide Web, marking the start of the Second Age of the Internet.  The question soon arose as to what extent websites were “places of public accommodation” requiring reasonable accommodations to allow use by disabled Americans under the ADA.  The Department of Justice has repeatedly delayed its rulemaking on website accessibility guidelines, most recently postponing it to at least 2017.  This may be due to the explosion of apps on the Internet and the corresponding decrease in website usage – a recognition that the landscape of what would be regulated is changing too rapidly at this point.

However, don’t think you’re safe to just wait for the DOJ’s guidance. Even without rules, the DOJ has gone on record stating that the ADA applies to web services. The DOJ has instituted a number of lawsuits against companies which they believe are not meeting accessibility standards, including their websites and apps.  For example, in 2015 the DOJ settled with Carnival Cruise Lines requiring not only improvements in accessibility of its ships, but of its website and mobile application.  Many US companies are unaware that under Section 508 of the United States Workforce Rehabilitation Act of 1973, websites and apps developed by companies receiving federal funds or under contract with a federal agency must meet certain accessibility standards.  Private and government litigants continue to bring actions against companies under federal and state law for inaccessible websites – over 45 in 2015 alone, according to BNA.  There have reportedly been many more demand letters sent to companies concerning digital properties allegedly inaccessible by persons with disabilities.

Despite the uncertain landscape, there is a path forward to minimize the risk that your company’s digital properties will come under scrutiny or attack. All companies, and especially those currently or prospectively doing business with the government, should make accessibility part of the calculus when designing, building, and refreshing websites and mobile applications. Here are some important considerations for companies.

(1) Ensure your web and app developers are familiar with WCAG 2.0 standards and Section 508 requirements. Although the DOJ has not yet released its own rules, they continue to use Version 2.0 of the Web Content Accessibility Guidelines (WCAG 2.0) as a de facto standard.  WCAG 2.0 was released in 2008 and became an ISO standard in 2012. There are 4 core principles for web content under the guidelines:  content must be Perceivable (e.g., alternatives for non-text content, alternative content presentation, separate foreground and background content, etc.); Operable (e.g., make all functionality keyboard-accessible, allow sufficient time to read content, ensure navigation and search are easily usable, etc.); Understandable (e.g., clear text content, predictable operation of web pages, etc.); and Robust (e.g., use standardized and proper tagging; ensure content can be interpreted reliably by varied user agents such as assistive technologies).  While there are 3 levels of conformance with WCAG – A, AA, and AAA – AA is the most common and the one referenced in most litigation and DOJ actions.  Additionally, Section 508 imposes specific obligations on software applications and operating systems and intranet and Internet websites.

It’s very likely a future version of WCAG will form a foundation of the DOJ’s guidance; the DOJ has referred to the WCAG as a recognized international industry web accessibility standard. If the DOJ’s advice aligns with this standard, it will likely mean only minor accessibility adjustments will be required by companies that are already WCAG compliant. If you have international users of your digital properties and/or an international presence, consider whether international standards such as Canada’s Standard on Web Accessibility, the UK’s Disability Discrimination Act, and France’s AccessiWeb impose any obligations above and beyond WCAG 2.0 AA.

(2) Ensure your app developers are also familiar with OS assistive capabilities such as Google TalkBack and VoiceOver for iOS.  Google and iOS both have assistive software.  Apple offers VoiceOver, a gesture-based screen reader integrated with iOS.  Google TalkBack similarly enhances Android with spoken, audible and vibration feedback to better enable use of Android devices by visually impaired persons.  Your app developers should understand these and other assistive technologies available for app operating systems so they can utilize them to the fullest extent possible.

(3) Perform an accessibility audit of your digital properties. An accessibility audit will help you understand what accessibility improvements are needed to ensure WCAG 2.0 AA and Section 508 compliance, as well as the cost and resources that will be required for your company to achieve compliance.  Being able to demonstrate the costs of compliance vs. some of the settlements forced by litigants and the DOJ can help add a quantifiable metric to the risk analysis. An internal audit can be helpful to ensure your internal team understands the accessibility requirements, but also consider using third party tools and partners such as Siteimprove, IBM’s Rational Policy Tester Accessibility Edition, ACCVerify, or Compliance Sheriff.

(4) Make “accessibility by design” part of your creative development process. Many of the visual design elements we take for granted, such as layouts, have a very different meaning (if any) to a visually disabled person. Audiovisual content is very different to a hearing-impaired individual – it can be very difficult for a captioned video to deliver the nuances of inflection that often go into a vocal performance.  Consider the user experience of someone hearing your copy (not just reading it), or reading your video or narration (not just hearing it).  Consider having your marketing and design teams use screen readers and watch captioned videos for a better understanding of that experience with their content. Include audio captions in videos or narrated presentations to assist hearing-impaired individuals. Look at what features and functionality are available to assist you with enabling accessible creative content.

(5) Make it part of your coding and testing DNA, too. Ensure your web design techniques promote accessibility. Make the WCAG 2.0 AA guidelines, Section 508 requirements, and OS assistive capability support part of your development requirements for any new coding project or project refresh.  When contracting with web and app developers and with web and commerce platform vendors, ask them for examples of projects they’ve done which were assistive technology and guideline compliant, and require them to follow accessibility guidelines. Use web design tools that support and enable accessibility.  When you develop customer profiles for testing, consider adding profiles for visually-impaired and hearing-impaired users.

Website and app accessibility compliance can seem daunting, but it doesn’t have to be. Knowing accessibility requirements and guidelines, and your company’s current implementation of them in its digital properties, is an important first step.  Making a plan to build accessibility into your company’s design and development DNA, and implementing accessibility support and features in your digital properties, can help keep you ahead of both accessibility litigation and future government regulations.

The Fourth Age of the Internet – the Internet of Things

We are now in what I call the “Fourth Age” of the Internet.  The First Age was the original interconnected network (or “Internet”) of computers using the TCP/IP protocol, with “killer apps” such as e-mail, telnet, FTP, and Gopher mostly used by the US government and educational organizations. The Second Age began with the creation of the HTTP protocol in 1990 and the original static World Wide Web (Web 1.0). The birth of the consumer internet, the advent of e-commerce, and the 90’s dot-com boom (and bust in the early 2000’s) occurred during the Second Age. The Third Age began in the 2000’s with the rise of user-generated content, dynamic web pages, and web-based applications (Web 2.0). The Third Age has seen the advent of cloud computing, mobile and embedded commerce, complex e-marketing, viral online content, real-time Internet communication, and Internet and Web access through smartphones and tablets. The Fourth Age is the explosion of Internet-connected devices, and the corresponding explosion of data generated by these devices – the “Internet of Things” through which the Internet further moves from something we use actively to something our devices use actively, and we use passively. The Internet of Things has the potential to dramatically alter how we live and work.

As we move deeper into the Fourth Age, there are three things which need to be considered and addressed by businesses, consumers and others invested in the consumer Internet of Things:

  • The terms consumers associate with the Internet of Things, e.g., “smart devices,” should be defined before “smart device” and “Internet of Things device” become synonymous in the minds of consumers.  As more companies, retailers, manufacturers, and others jump on the “connected world” bandwagon, more and more devices are being labeled as “smart devices.”  We have smart TVs, smart toasters, smart fitness trackers, smart watches, smart luggage tags, and more (computers, smartphones and tablets belong in a separate category). But what does “smart” mean?  To me, a “smart device” is one that has the ability not only to collect and process data and take general actions based on the data (e.g., sound an alarm), but can be configured to take user-configured actions (e.g., send a text alert to a specified email address) and/or can share information with another device (e.g., a monitoring unit which connects wirelessly to a base station). But does a “smart device” automatically mean one connected to the Internet of Things?  I would argue that it does not.

Throughout its Ages, the Internet has connected different types of devices using a common protocol, e.g., TCP/IP for computers and servers, HTTP for web-enabled devices. A smart device must do something similar to be connected to the Internet of Things. However, there is no single standard communications protocol or method for IoT devices. If a smart device uses one of the emerging IoT communications protocols such as Zigbee or Z-Wave (“IoT Protocols”), or has an open API to allow other devices and device ecosystems such as SmartThings, Wink or IFTTT to connect to it (“IoT APIs”), it’s an IoT-connected smart device, or “IoT device.” If a device doesn’t use IoT Protocols or support IoT APIs, it may be a smart device, but it’s not an IoT device. For example, a water leak monitor that sounds a loud alarm if it detects water is a device.  A water leak monitor that sends an alert to a smartphone app via a central hub, but cannot connect to other devices or device ecosystems, is a smart device.  Only if that device uses an IoT Protocol or supports IoT APIs to allow it to interconnect with other devices or device ecosystems is it an IoT device.

“Organic” began as a term to define natural methods of farming.  However, over time it became overused and synonymous with “healthy.”  Players in the consumer IoT space should be careful not to let key IoT terminology suffer the same fate. Defining what makes a smart device part of the Internet of Things will be essential as smart devices continue to proliferate.

  • Smart devices and IoT devices exacerbate network and device security issues. Consumers embracing the Internet of Things and connected homes may not realize that adding smart devices and IoT devices to a home network can create new security issues and headaches. For example, a wearable device with a Bluetooth security vulnerability could be infected with malware while you’re using it, and infect your home network once you return and sync it with your home computer or device.  While there are proposals for a common set of security and privacy controls for IoT devices such as the IoT Trust Framework, nothing has been adopted by the industry as of yet.

Think of your home network, and your connected devices, like landscaping.  You can install a little or a lot, all at once or over time.  Often, you have a professional do it to ensure it is done right. Once it’s installed, you can’t just forget about it — you have to care for it, through watering, trimming, etc. Occasionally, you may need to apply treatments to avoid diseases. If you don’t care for your landscaping, it will get overgrown; weeds, invasive plants (some poisonous) and diseases may find their way in; and you ultimately have a bigger, harder, more expensive mess to clean up later on.

You need to tend your home network like landscaping, except that the consequences of neglecting a home network can be much worse than overgrown shrubbery. Many consumers are less comfortable tinkering with computers than they are tinkering with landscaping.  Router and smart device manufacturers periodically update the embedded software (or “firmware”) that runs those devices to fix bugs and to address security vulnerabilities. Software and app developers similarly periodically release updated software. Consumers need to monitor for updates to firmware and software regularly, and apply them promptly once available.  If a device manufacturer goes out of business or stops supporting a device, consider replacing it as it will no longer receive security updates. Routers need to be properly configured, with usernames and strong passwords set, encryption enabled, network names (SSID) configured, etc.  Consumers with a connected home setup should consider a high-speed router with sufficient bandwidth such as 802.11ac or 802.11n.

The third party managed IT services industry has existed since the Second Age. As connected homes proliferate resulting in complex connected home infrastructure, there is an opportunity for “managed home IT” to become a viable business model.  I expect companies currently offering consumer-focused computer repair and home networking services will look hard at adding connected home management services (installation, monitoring, penetration testing, etc.) as a new subscription-based service.

  • Smart device companies need to think of what they can/can’t, and should/shouldn’t, do with data generated from their devices.  IoT devices and smart devices, and connected home technologies and gateways, generate a lot of data.  Smart/IoT device manufacturers and connected home providers need to think about how to store, process and dispose of this data.  Prior to the Internet of Things, behavioral data was gathered through the websites you viewed, the searches you ran, the links you clicked – “online behavioral data.”  The IoT is a game-changer. Now, what users do in the real world with their connected devices can translate to a new class of behavioral data – “device behavioral data.” Smart/IoT device manufacturers, and connected home providers, will need to understand what legal boundaries govern their use of device behavioral data, and how existing laws (e.g., COPPA) apply to the collection and use of data through new technologies. Additionally, companies must look at what industry best practices, industry guidelines and rules, consumer expectations and sentiment, and other non-legal contours shape what companies should and should not do with the data, even if the use is legal.  Companies must consider how long to keep data, and how to ensure it’s purged out of their systems once the retention period ends.

IoT and smart device companies, and connected home service and technology providers, should build privacy and data management compliance into the design of their devices and their systems by adopting a “security by design” and “privacy by design” mindset. Consumers expect that personal data about them will be kept secure and not misused. Companies must ensure their own privacy policies clearly say what they do with device behavioral data, and not do anything outside the boundaries of their privacy policy (“say what you do, do what you say”). Consider contextual disclosures making sure the consumer clearly understands what you do with device behavioral data.  Each new Age of the Internet has seen the FTC, state Attorneys General, and other consumer regulatory bodies look at how companies are using consumer data, and make examples of those they believe are misusing it. The Fourth Age will be no different. Companies seeking to monetize device behavioral data must make sure that they have a focus on data compliance.