w3c / wcag

Web Content Accessibility Guidelines
https://w3c.github.io/wcag/guidelines/22/

2.2.6: Timeouts - reference to compliance #421

Closed ghost closed 1 year ago

ghost commented 6 years ago

Success Criterion 2.2.6: Timeouts

Recommendation is to add the word "compliance" to read "Compliance and privacy regulations ...". As an example, the Payment Card Industry Data Security Standard includes security standards related to the storage, use and controls associated with credit card information.

awkawk commented 6 years ago

Are you talking about at the start of the Note section for https://www.w3.org/TR/WCAG21/#timeouts?

If so, we won't be able to make that change as it is in the WCAG 2.1 spec, but perhaps you can suggest something for the related understanding document (https://www.w3.org/WAI/WCAG21/Understanding/timeouts.html)?

ghost commented 6 years ago

Yes, that was the area I was referencing.

I would be happy to make a recommendation regarding this for the understanding document.

awkawk commented 6 years ago

@thaddeus-cambron any suggestions on this for the understanding document?

ghost commented 6 years ago

"Privacy regulations and compliance standards, for example, PCI or HIPAA, may require ..."

alastc commented 6 years ago

I think it needs turning around if it's part of the understanding doc, it shouldn't repeat the SC text.

How about:

Examples of privacy regulations or compliance standards that may require consent and authentication before saving data are PCI (Payment Card Industry) and HIPAA (Health Insurance Portability and Accountability Act of 1996).

(In PR #501)

ghost commented 6 years ago

I am not sure the best wording to be honest with you. For example, CVV cannot be saved at all - even with consent. That is why it is removed from a form if another field is in error. The goal was to add the word "compliance" in addition to "privacy". I trust your judgement on the exact verbiage.

alastc commented 6 years ago

Ok, I'll try this then:

Examples of privacy regulations mentioned in the success criteria note, and related compliance standards, are PCI (Payment Card Industry) and HIPAA (Health Insurance Portability and Accountability Act of 1996).

Without it being mentioned in the SC text it is somewhat tenuous, but hopefully people get the idea.

fstrr commented 2 years ago

@alastc I don't see any of the text from your last comment in the Understanding document. Do you still want to add it or shall I close this?

patrickhlauke commented 2 years ago

if you are going to include @alastc's proposed wording, note that it should say "success criterion" (singular) rather than "success criteria" (plural)