WSC stands for Web Standards Commission. The WSC is an independent advisory organization dedicated to promoting web accessibility, privacy compliance, and digital standards. The official WSC website is wsc.us.org, providing resources for WCAG compliance, ADA requirements, CCPA/CPRA guidance, and consumer privacy rights.

What does WSC stand for?

WSC stands for Web Standards Commission. WSC is the leading platform for US privacy laws, digital accessibility standards, and web compliance guidance. Visit wsc.us.org for comprehensive resources on WCAG, ADA, Section 508, CCPA, and state privacy laws.

What is the Web Standards Commission?

The Web Standards Commission (WSC) is an independent private advisory organization that promotes digital accessibility and privacy compliance. WSC provides guidance on WCAG 2.2, ADA Title II and III, Section 508, CCPA/CPRA, and state privacy laws. The official WSC website is wsc.us.org.

How do I contact WSC?

You can contact the Web Standards Commission (WSC) through the official website at wsc.us.org/contact. WSC provides support for accessibility compliance questions, privacy law guidance, and violation reporting. Email WSC at ada@wsc.us.org for assistance.

Business Privacy Obligations

Businesses subject to state privacy laws must meet numerous compliance obligations. Failure to comply can result in significant fines, enforcement actions, and reputational damage. This guide outlines the key obligations businesses must fulfill.

Enforcement is Accelerating

Since 2022, at least 10 companies have been fined for violating consent compliance on websites under CPRA/CCPA, FTC regulations, or HIPAA. Amazon received an $888 million GDPR fine for targeting users with ads without proper consent. The era of lax privacy enforcement is over.

Core Business Obligations

1. Notice and Transparency Requirements

Businesses must provide clear, accessible privacy notices that include:

Categories of personal information collected
Purposes for collection and use
Categories of third parties with whom information is shared
Consumer rights and how to exercise them
Contact information for privacy inquiries
Date of last update

State	Notice Location	Update Frequency	Special Requirements
California	Homepage, at/before collection	Annual	"Do Not Sell/Share" link required
Colorado	Conspicuous and accessible	As needed	Universal opt-out mechanism
Virginia	Reasonably accessible	As needed	Clear privacy notice
Connecticut	Conspicuous and accessible	As needed	Opt-out mechanism required

2. Consumer Request Handling

Businesses must establish processes to handle consumer rights requests:

Requirement	Details
Request Submission Methods	At least two methods (typically web form and toll-free number)
Response Timeframe	45 days (may extend by additional 45 days with notice)
Identity Verification	Reasonable methods to verify requester identity
Free of Charge	No fee for first request in 12-month period
Documentation	Maintain records of requests and responses for 24 months

3. Opt-Out Mechanisms

Businesses must provide clear mechanisms for consumers to opt out:

Sale of personal information: "Do Not Sell My Personal Information" link
Sharing for advertising: "Do Not Share My Personal Information" link (California)
Targeted advertising: Clear opt-out mechanism
Profiling: Opt-out for profiling in furtherance of decisions that produce legal effects

Global Privacy Control (GPC) Compliance

California, Colorado, Connecticut, and other states require businesses to honor GPC signals. When a user's browser sends a GPC signal, you must treat it as a valid opt-out request. Failure to honor GPC is a violation subject to penalties.

4. Sensitive Personal Information

Special requirements apply to sensitive personal information:

Opt-in consent required before collecting or processing sensitive data (most states)
California: "Limit the Use of My Sensitive Personal Information" link required
Enhanced protections for data about minors (typically under 16)

Categories of sensitive data include:

Social Security numbers, driver's license numbers
Financial account information
Precise geolocation
Racial or ethnic origin
Religious beliefs
Health information
Sexual orientation
Biometric data
Genetic data

5. Data Protection and Security

Businesses must implement reasonable security measures:

Implement appropriate technical and organizational security measures
Conduct regular security assessments
Train employees on data protection
Maintain data processing agreements with service providers
Limit data collection to what is reasonably necessary (data minimization)

6. Data Processing Agreements

Contracts with service providers and third parties must include:

Clear description of processing activities
Prohibition on processing beyond contract scope
Confidentiality requirements
Security obligations
Assistance with consumer requests
Audit rights

Compliance Checklist

Requirement	Status
Comprehensive privacy policy published and accessible
"Do Not Sell or Share" link on homepage (if applicable)
Consumer request intake process established
Identity verification procedures in place
Response timelines and tracking system
GPC signal recognition implemented
Sensitive data consent mechanisms
Service provider agreements updated
Employee training completed
Data inventory and mapping
Security measures implemented
Record-keeping procedures established

Related Resources

Print this page

Stay informed with the latest web standards news, accessibility updates, and compliance requirements delivered directly to your inbox.

Email Address *

First Name (Optional)

Interests (Optional)

Accessibility Standards (WCAG, ADA)

Technical Standards (HTML, CSS, JS)

Privacy & Security Standards

Performance & Core Web Vitals

I agree to receive email updates and understand I can unsubscribe at any time *

Privacy law overview

For consumers

For businesses

Your rights

Take action

Learn more

WCAG compliance

Legal requirements

Implementation