How We Score Compliance
Last updated: May 21, 2026
We don't inflate scores. We don't hide methodology. Every number we give you traces back to a specific legal standard with a citation you can verify. If a regulation changes, we track it and proactively notify you before it affects your compliance status.
Our Scoring Framework
Every CC3PO compliance score is a weighted combination of five categories, each mapped to specific legal standards and industry benchmarks:
| Category | Weight | Legal Standard | Why |
|---|---|---|---|
| Accessibility | 40% | WCAG 2.1 AA + DOJ Final Rule | Highest litigation risk, clearest legal standard |
| HIPAA * | 30% | 45 CFR Part 164 Subpart C | Federal law, OCR enforcement, $100K+ penalties |
| Security | 15% | OWASP + Mozilla Observatory | Prevents data breaches, supports HIPAA |
| Performance | 10% | Google Core Web Vitals | UX impact, SEO ranking |
| Mobile | 5% | Responsive design standards | Accessibility baseline |
* HIPAA scoring only applies to websites and portals that handle electronic Protected Health Information (ePHI). A general business website is not subject to HIPAA.
1. Accessibility – WCAG 2.1 AA
What We Score
Accessibility of web pages for people with disabilities: visual, auditory, motor, and cognitive.
Legal Authority
- ADA Title II (State & Local Governments): DOJ Final Rule (April 24, 2024) requires WCAG 2.1 AA. 89 FR 31298
- 2026 IFR Extension: Compliance dates extended – entities with 50K+ population: April 26, 2027; under 50K: April 26, 2028. 91 FR 30143
- ADA Title III (Private Businesses): No specific federal technical standard yet, but courts consistently use WCAG 2.1 AA as the benchmark
- California Unruh Civil Rights Act (Cal. Civ. Code § 51): Statutory damages of $4,000+ per violation. Applies to websites associated with businesses that have physical locations. CA Civil Rights Dept. FAQ
How We Test
We use Google Lighthouse (open-source, maintained by the Chrome team), which runs automated audits against WCAG 2.1 AA success criteria through the axe-core accessibility engine.
What Lighthouse Checks
| Lighthouse Check | WCAG Criterion | What It Tests |
|---|---|---|
| Image alt text | 1.1.1 | Non-text content has text alternatives |
| Link name | 2.4.4, 4.1.2 | Links have discernible text |
| Heading order | 1.3.1, 2.4.6 | Headings follow logical hierarchy |
| Color contrast | 1.4.3, 1.4.6 | 4.5:1 (normal) / 3:1 (large) ratio |
| Form labels | 1.3.1, 4.1.2 | Form elements have associated labels |
| ARIA attributes | 4.1.2 | ARIA roles and states are valid |
| Skip links | 2.4.1 | Bypass blocks available |
| Landmarks | 1.3.1, 2.4.1 | Main/navigation landmarks present |
| Document title | 2.4.2 | Pages have descriptive titles |
| Touch target size | 2.5.5 | Interactive elements meet minimum size |
What Automated Testing Does NOT Cover
Lighthouse covers most WCAG success criteria detectable by automation. These require manual testing:
- Screen reader compatibility (JAWS, NVDA, VoiceOver)
- Keyboard-only navigation completeness
- Cognitive accessibility (plain language, consistent navigation)
- Video/audio content accessibility
- Content readability level
- Focus management in dynamic content (modals, dialogs)
We offer manual testing as an add-on for clients who need comprehensive coverage.
Score Interpretation
| Score | Status | Meaning |
|---|---|---|
| 95–100 | ✅ Compliant | Passes all automated checks. Strong baseline accessibility. |
| 90–94 | ⚠️ Minor Issues | Likely still defensible, but should be addressed. |
| 80–89 | 🔶 Noticeable Gaps | Risk of ADA/Unruh claims increases. Fix within 30 days. |
| Below 80 | 🔴 High Risk | Significant accessibility issues. Immediate remediation needed. |
2. HIPAA – Healthcare Data Protection
What We Score
Security and privacy controls for websites that handle electronic Protected Health Information (ePHI).
Legal Authority
- HIPAA Security Rule – 45 CFR § 164.302–318 (administrative, physical, and technical safeguards)
- HIPAA Privacy Rule – 45 CFR § 164.502–534 (use and disclosure of PHI)
- HIPAA Breach Notification Rule – 45 CFR § 164.400–414
- HHS NPRM (January 2025) – Proposed updates requiring encryption at rest, MFA, vulnerability scanning every 6 months, penetration testing annually, and 72-hour recovery objective. 80 FR 904
What We Check
| HIPAA Control | CFR Citation | What We Verify |
|---|---|---|
| Access controls | § 164.312(a)(1) | Unique user IDs, role-based access, emergency access |
| Authentication | § 164.312(d) | MFA for admin, strong passwords, session timeout |
| Encryption (transit) | § 164.312(e)(1) | TLS 1.2+ on all pages with ePHI |
| Encryption (at rest) | § 164.312(a)(2)(iv) | Database and storage encryption |
| Audit controls | § 164.312(b) | Login logs, access logs, change logs |
| Integrity controls | § 164.312(c)(1) | ePHI not improperly altered or destroyed |
| Business associate agreements | § 164.314(a) | BAAs with all vendors handling ePHI |
| Security management | § 164.308(a)(1) | Risk analysis, risk management plan |
Important: HIPAA only applies to websites that handle ePHI. A general business website that doesn't collect patient data is not subject to HIPAA. Our HIPAA scoring only applies to healthcare clients whose websites or portals process protected health information.
3. Security Headers & HTTPS
Legal Authority
OWASP Secure Headers Project · owasp.org/www-project-secure-headers
Mozilla Observatory · observatory.mozilla.org
RFC 6797 (HSTS) · RFC 7034 (X-Frame-Options)
What We Check
- Strict-Transport-Security – Forces HTTPS (RFC 6797)
- Content-Security-Policy – Prevents XSS, clickjacking (OWASP)
- X-Frame-Options – Prevents clickjacking (RFC 7034)
- X-Content-Type-Options – Prevents MIME sniffing (OWASP)
- Referrer-Policy – Controls referrer data (W3C)
- Permissions-Policy – Limits browser features (W3C)
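To make the header check above concrete, here is an added example written for this page (not CC3PO's own scanner): it parses a constructed HTTP response head and reports which of the six headers are missing or carry a value that defeats the header's purpose. The sample response and the "fixed safe value" rules (nosniff, DENY/SAMEORIGIN, positive HSTS max-age) are assumptions for the example, not thresholds stated on the page.

```python
from typing import Callable, Dict, List, Tuple

def hsts_ok(value: str) -> bool:
    # RFC 6797: HSTS needs a positive max-age; max-age=0 tells browsers to drop the policy.
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            return val.strip().isdigit() and int(val) > 0
    return False

# Header -> validator: fixed-value headers are checked exactly, policy headers for presence only.
CHECKS: Dict[str, Callable[[str], bool]] = {
    "strict-transport-security": hsts_ok,
    "content-security-policy": lambda v: bool(v.strip()),
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "referrer-policy": lambda v: bool(v.strip()),
    "permissions-policy": lambda v: bool(v.strip()),
}

def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a raw HTTP/1.1 response head into {lowercase name: value}; repeats are joined."""
    headers: Dict[str, str] = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # [0] is the status line
        if not line.strip():
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            key, val = name.strip().lower(), value.strip()
            headers[key] = f"{headers[key]}, {val}" if key in headers else val
    return headers

def audit_headers(headers: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Return (missing, misconfigured) header names in CHECKS order."""
    missing, misconfigured = [], []
    for name, valid in CHECKS.items():
        if name not in headers:
            missing.append(name)
        elif not valid(headers[name]):
            misconfigured.append(name)
    return missing, misconfigured

# Constructed sample response head (assumption for this example, not captured from a real site).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=0\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "X-Frame-Options: ALLOWALL\r\n\r\n"
)
```

Running `audit_headers(parse_headers(SAMPLE_RESPONSE))` on the sample reports CSP and Permissions-Policy as missing, and flags HSTS (max-age=0) and X-Frame-Options (ALLOWALL) as present but ineffective.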
4. Performance & Core Web Vitals
Legal Authority
Google Core Web Vitals β web.dev/vitals
While not a legal requirement, Core Web Vitals directly impact user experience, SEO rankings, and accessibility for users on slow connections.
What We Check
| Metric | Good | Needs Work | Poor |
|---|---|---|---|
| LCP (Largest Contentful Paint) | ≤2.5s | 2.5–4s | >4s |
| INP (Interaction to Next Paint) | ≤200ms | 200–500ms | >500ms |
| CLS (Cumulative Layout Shift) | ≤0.1 | 0.1–0.25 | >0.25 |
5. State-Level Risk Assessment
| State | Risk Level | Key Law | Exposure |
|---|---|---|---|
| California | 🔴 Highest | Unruh Civil Rights Act (Cal. Civ. Code § 51) | $4,000+ per violation |
| New York | 🟠 High | NY Human Rights Law + ADA Title III | Major filing jurisdiction |
| Florida | 🟠 High | ADA Title III (federal) | 2nd most active state for web suits |
| Illinois | 🟡 Moderate | ADA Title III (federal) | No Unruh-equivalent statutory damages |
| Colorado | 🟡 Moderate | ADA Title III (federal) | Lower litigation volume |
Regulatory Changelog
We track every regulatory change that affects your compliance status. When the rules change, we notify you before it affects your score.
2026
| Date | Change | Impact |
|---|---|---|
| Apr 20, 2026 | DOJ extended ADA Title II compliance dates by 1 year | Large entities (>50K): April 26, 2027. Small: April 26, 2028 |
| Jan 2025 | HHS published HIPAA Security Rule NPRM | Proposed: mandatory encryption at rest, MFA, vuln scanning every 6 months, 72-hour recovery |
2024
| Date | Change | Impact |
|---|---|---|
| Apr 24, 2024 | DOJ published ADA Title II Final Rule | WCAG 2.1 AA now required for state/local government websites and mobile apps |
Upcoming (Watching)
| Expected | Change | Impact |
|---|---|---|
| 2026 | HIPAA Security Rule final rule expected | Mandatory encryption at rest, MFA, 72-hour recovery |
| Apr 26, 2027 | ADA Title II compliance deadline (large entities) | State/local governments >50K must be WCAG 2.1 AA compliant |
| Apr 26, 2028 | ADA Title II compliance deadline (small entities) | State/local governments <50K must be WCAG 2.1 AA compliant |
| TBD | ADA Title III web accessibility rule | No federal standard for private businesses yet; DOJ may issue rule |
Our Commitment
We sell compliance services. If we're not transparent about how we score, we're doing the exact thing we help clients avoid: operating in a black box.
Every number we give you traces back to a law, a regulation, or an industry standard. You can verify every citation. And when the rules change, we track it and proactively notify you before it affects your compliance status.
This is what trust looks like in compliance.
Source links:
- WCAG 2.1: w3.org/TR/WCAG21
- DOJ Final Rule: ada.gov/resources/2024-03-08-web-rule
- 2026 IFR Extension: federalregister.gov/2026-07663
- HIPAA Security Rule: ecfr.gov/title-45/part-164
- HHS HIPAA NPRM (2025): federalregister.gov/2024-30983
- CA Unruh Act FAQ: calcivilrights.ca.gov/Unruh-FAQ.pdf
- OWASP Secure Headers: owasp.org/www-project-secure-headers
- Core Web Vitals: web.dev/vitals