Data protection risks of accessibility overlays in relation to the processing of special categories of personal data (Art. 9 GDPR)
Abstract
The use of accessibility overlays to achieve digital accessibility conflicts directly with the requirements of the General Data Protection Regulation (GDPR). This report shows that the processing of user interactions by an overlay's JavaScript code already constitutes processing of health data within the meaning of Art. 9 GDPR. Because this processing reveals information about the user's physical or mental health, it is prohibited in principle unless explicit consent has been obtained. Neither permanent storage nor logging (e.g. in server logs) is required for a breach of the law to occur.
The analysis emphasizes that overlays are not a technical solution for compliance with accessibility standards (WCAG). Since digital accessibility can be checked without prior technical knowledge, the report recommends removing overlays in favour of source code optimization as the data protection-compliant and technically superior course of action.
I. INTRODUCTION AND METHODOLOGY
A. Problem definition
Digital accessibility is a fundamental right that is strengthened by the UN Convention on the Rights of Persons with Disabilities (UNCRPD) and the Web Accessibility Directive (WAD) [1].
In order to achieve supposedly quick compliance with the Web Content Accessibility Guidelines (WCAG), many website operators deploy JavaScript-based overlays [2, 3]. These are third-party solutions that inject code into the Document Object Model (DOM) at runtime and modify the rendered page [1, 2]. Although marketed as a "quick fix", their use increases the operator's data protection exposure [4].
B. Classification as Art. 9 data
The core problem is that, in order to function, overlays must process the user's interaction with the assistance functions they provide. This includes recording actions such as the activation of screen reader support, the selection of specific contrast modes or navigation via specialized keyboard patterns [4, 5]. A record of the use of such aids directly indicates a physical or mental impairment [6]. According to the interpretation of the supervisory authorities, such information is health data within the meaning of Art. 9 GDPR [7, 8] and, as a special category of personal data, is subject to a general prohibition on processing [9].
II. LEGAL VIOLATION OF PROCESSING (ART. 9 GDPR)
A. Infringement through mere use
A GDPR infringement does not first occur when data leaks, is stored in cookies or ends up in web server logs. The primary infringement lies in the processing of sensitive data that takes place through the mere use of the overlay: its JavaScript code collects and processes data on the use of assistive technologies in order to adapt the display or to transmit that data to the third-party provider. This act of processing is prohibited in principle by Art. 9 para. 1 GDPR [8, 9].
Processing is permitted only if one of the narrow exceptions in Art. 9 para. 2 GDPR applies. Since the purpose of the processing (provision of the overlay) is generally not necessary to protect vital interests or to fulfil a legal obligation, permissibility hinges primarily on the explicit consent of the data subject (Art. 9 para. 2 lit. a) [10].
The decisive points are:
- The GDPR is technology-neutral and protects data regardless of how, or for how long, it is processed.
- A breach of Art. 9 GDPR does not require permanent storage or logging. The mere act of recording an interaction that allows conclusions to be drawn about a disability is processing.
B. Lack of explicit consent
According to Art. 9 para. 2 lit. a GDPR, consent must not only be informed and unambiguous but must also refer expressly (explicitly) to the processing of the special categories of personal data [10].
- Violation: Since common consent management platforms (CMPs) generally do not present the tracking of assistive technology usage as a separate, sensitive category, the required explicit consent is not obtained [11].
- Legal consequence: Without this legal basis, the entire processing of the Art. 9 data is unlawful (violation of Art. 5 in conjunction with Art. 9 GDPR). This is unlawful processing regardless of whether the data subsequently leads to a data breach.
C. The inference trap: Indirect health data
Data revealing the use of assistive technologies are health data because they allow conclusions to be drawn about the physical or mental condition of a natural person. According to Art. 9 para. 1 GDPR, the processing of such data is prohibited in principle. Because overlays process the interaction at the moment the user activates an accessibility function, sensitive data is processed at that moment, whether or not anything is retained afterwards.
D. Liability and risk escalation
The website operator is the controller and bears primary liability for the lawfulness of the processing. In the event of an Art. 9 violation, it bears full liability.
- Severity of the harm: The European Data Protection Board (EDPB) classifies a breach involving Art. 9 data (health data) as capable of causing particularly serious harm (risk of discrimination, psychological distress) [13, 14].
- Reporting obligations: This increases the likelihood that the threshold for notification to the supervisory authority (Art. 33) and communication to the data subjects (Art. 34) is reached [15].
Lawful processing would be possible only with explicit consent in accordance with Art. 9 para. 2 lit. a GDPR. Since users generally use the overlay without prior, specific and explicit consent to this sensitive processing step, the website operator acts without a legal basis.
III. TECHNICAL REQUIREMENTS AND MISCONDUCT
A. Technical inadequacy and source code obligation
Overlays are not an adequate means of achieving accessibility because they cannot fix complex problems that violate WCAG success criteria (e.g. missing semantics, unclear link texts) [4]. Overlays do not correct errors at their source but try to mask them dynamically, which often interferes with native assistive technologies such as screen readers [5]. Best practice remains fixing accessibility problems directly in the source code (accessibility by design) [16, 17].
B. Easy verifiability of accessibility
Relying on the promises of overlay providers is unnecessary because digital accessibility is simple to verify. Its implementation can be checked, and demanded, by laypersons without prior technical knowledge [18]; for example, a page can be navigated using the Tab key alone, zoomed to 200 %, or viewed with images disabled, and the result inspected without any tooling. This allows clients to check compliance with the WCAG criteria at any time and makes error-prone third-party solutions that carry data protection risk unnecessary. Implementing accessibility directly in the HTML source is therefore not only the most data protection-compliant approach but also the most robust and most verifiable route to compliance.
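As an added example for both III.A (fixing problems at the source) and III.B (verifiability), the following block is a small source-level checker for three of the WCAG problems named above: images without a text alternative, links with non-descriptive text, and click handlers on non-semantic elements that a screen reader cannot announce. It is written for this report and is not taken from any accessibility tool; it scans markup with regular expressions rather than a real HTML parser, so it is a teaching illustration rather than a production auditor. The "before" and "after" markup is constructed inline.

```javascript
// Added example, not from the page or any accessibility tool: a small
// source-level checker for three WCAG problems the report names, run against
// constructed HTML. Regular expressions stand in for a real HTML parser, so
// this is a teaching illustration, not a production auditor. Functions return
// findings rather than printing them.

const GENERIC_LINK_TEXT = new Set(['click here', 'here', 'more', 'read more', 'link']);

function stripTags(s) {
  return s.replace(/<[^>]*>/g, '').replace(/\s+/g, ' ').trim().toLowerCase();
}

// Parses the attributes of a single opening tag into an object (names lowercased).
function parseAttrs(tagBody) {
  const attrs = {};
  const re = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(tagBody)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// WCAG 1.1.1: every <img> needs an alt attribute (alt="" is valid for decorative images).
function findImagesWithoutAlt(html) {
  const out = [];
  for (const m of html.matchAll(/<img\b([^>]*)>/gi)) {
    if (!('alt' in parseAttrs(m[1]))) out.push({ rule: 'img-alt', tag: m[0] });
  }
  return out;
}

// WCAG 2.4.4: link text must describe the target even when read out of context.
function findGenericLinks(html) {
  const out = [];
  for (const m of html.matchAll(/<a\b([^>]*)>([\s\S]*?)<\/a>/gi)) {
    const attrs = parseAttrs(m[1]);
    const text = stripTags(m[2]);
    const labelled = typeof attrs['aria-label'] === 'string' && attrs['aria-label'].trim() !== '';
    if (!labelled && (text === '' || GENERIC_LINK_TEXT.has(text))) {
      out.push({ rule: 'link-text', tag: m[0], text });
    }
  }
  return out;
}

// Missing semantics: a <div> or <span> that reacts to clicks but has no role
// and is not keyboard reachable is invisible to screen readers and unusable
// from the keyboard. The fix is a <button> in the source, not an overlay.
function findFakeButtons(html) {
  const out = [];
  for (const m of html.matchAll(/<(div|span)\b([^>]*)>/gi)) {
    const attrs = parseAttrs(m[2]);
    if ('onclick' in attrs && !('role' in attrs && 'tabindex' in attrs)) {
      out.push({ rule: 'fake-button', tag: m[0] });
    }
  }
  return out;
}

function auditHtml(html) {
  return [...findImagesWithoutAlt(html), ...findGenericLinks(html), ...findFakeButtons(html)];
}

// Constructed sample: the "before" markup an overlay would try to mask at
// runtime, and the "after" markup with the same problems fixed at the source.
const BEFORE_HTML = `
<img src="/img/hero.png">
<a href="/report.pdf">click here</a>
<div onclick="openMenu()">Menu</div>`;

const AFTER_HTML = `
<img src="/img/hero.png" alt="Floor plan of the accessible entrance">
<a href="/report.pdf">Download the 2024 accessibility report (PDF)</a>
<button type="button" onclick="openMenu()">Menu</button>`;
```

Because the checks run over the delivered markup, a client can apply them to a page with the overlay script removed: if the findings disappear only while the overlay is active, the underlying source is still non-compliant, which is exactly the masking the report describes.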
C. Independence of the client
Since the quality of the implementation can thus be measured and tested, clients are not dependent on the often misleading advertising claims of overlay providers. A website whose accessibility is anchored in the source code can be verified objectively, whereas an overlay is an uncontrollable "black box" that introduces additional legal risk.
IV. CONCLUSION AND RECOMMENDATIONS FOR ACTION
The use of web overlays that collect Art. 9 data without demonstrably explicit consent constitutes unlawful processing and thus a high legal risk that arises from the mere use of the overlay.
A. Strategic recommendations
- Immediate deactivation: The use of overlays that track assistive technology usage must be stopped immediately in order to end unlawful Art. 9 processing.
- Source code priority: Accessibility must be prioritized as accessibility by design directly in the source code of the website [16]. This is the only reliable way to eliminate Art. 9 risks and achieve actual WCAG compliance.
- Compliance audit: A data protection impact assessment (DPIA) in accordance with Art. 35 GDPR is mandatory in order to evaluate the processing of Art. 9 data and define suitable safeguards [13].
- Independent testing: Clients should verify the implementation of their digital offerings themselves using simple test methods instead of relying on automated third-party solutions.
