WCAG 3.3.4: Error Prevention (Legal, Financial, Data)
A typo in a search box costs a second. A typo in a wire transfer, a signed agreement, or an account deletion can cost far more. For these high-stakes submissions, the criterion demands a safety net: the action must be reversible, or the input checked with a chance to correct it, or the submission reviewed and confirmed before it becomes final. At least one of the three — always.
The success criterion, in full
For Web pages that cause legal commitments or financial transactions for the user to occur, that modify or delete user-controllable data in data storage systems, or that submit user test responses, at least one of the following is true: Reversible: Submissions are reversible. Checked: Data entered by the user is checked for input errors and the user is provided an opportunity to correct them. Confirmed: A mechanism is available for reviewing, confirming, and correcting information before finalizing the submission.
Two scoping facts matter. The criterion applies only to the four named categories of submission — not to every form. And the three options are alternatives: reversible OR checked OR confirmed. Any one of them, done properly, conforms.
Why error prevention matters
All users make input errors, but users with disabilities make more of them and catch fewer. Someone with a motor impairment may hit an adjacent key or trigger a double-submit; someone with dyslexia may transpose the digits of an account number; a screen reader user cannot visually skim a completed form to sanity-check it the way a sighted user does; a user with a memory limitation may not recall what they entered three steps ago.
For most interactions the cost of a slip is trivial — resubmit the search, re-type the comment. The criterion exists for the interactions where it is not: money leaves an account, a contract binds, data is destroyed, an exam is graded. In those cases, an undetected error is not an inconvenience but a genuine harm, and the interface — not the user’s vigilance — must provide the protection.
The safety nets it mandates are ones good commerce sites already use: order review pages, cancellation windows, undo for deletions, validation with a chance to fix. 3.3.4 turns that good practice into a requirement wherever the stakes are legal, financial, or data loss.
Which submissions are covered
3.3.4 does not apply to every form. It applies to pages that cause any of four kinds of consequence:
Legal commitments
Actions with legal effect: e-signing a contract, accepting binding terms, submitting a tax filing or legal declaration.
Financial transactions
Purchases, payments, transfers, trades, bookings with fees — anything that moves the user's money or creates a charge.
Changes to user-controllable data
Modifying or deleting the user's stored data: closing an account, overwriting a saved profile or document, bulk-deleting records in an app's storage.
Test responses
Submitting answers to a test or exam, where responses are final once submitted and errors cannot be repaired afterwards.
A contact form, comment box, or newsletter signup is outside 3.3.4’s scope (its cousins 3.3.1 and 3.3.3 still govern its error messages). The AAA criterion 3.3.6 extends the same protections to all submissions — at AA, focus on the four categories above.
The three ways to conform
Satisfy any one of these for each covered submission:
- 1
Reversible — the action can be undone
Provide a way to reverse the submission after the fact: a cancellation window for orders, a 'trash' stage before permanent deletion with a documented recovery period, an undo for destructive edits. Reversibility is strongest for data operations; genuinely irreversible events (a sent payment, a graded exam) usually need one of the other two options instead.
- 2
Checked — input is validated, with a chance to correct
Check the entered data for input errors — malformed account numbers, impossible dates, missing required fields, amounts outside plausible bounds — and give the user the opportunity to fix them before the action completes. Error messages must satisfy 3.3.1 (identified in text) and ideally 3.3.3 (suggest a correction).
- 3
Confirmed — review before it becomes final
Insert a review step that shows the user exactly what is about to happen — the actual data: items, amounts, recipient, the records to be deleted — with an explicit way to go back and correct it, before a clearly labelled final action ('Place order and pay', 'Permanently delete account').
Pass and fail examples
Checkout with an order review page(passes)
Before payment, the user sees a summary of items, quantities, prices, addresses, and payment method, with 'Edit' links for each section and a final 'Place order and pay' button. Confirmed — passes.
Deletion with a recovery window(passes)
Deleting a project moves it to a trash area where it can be restored for 30 days, and the interface says so. Reversible — passes.
Bank transfer with validation and review(passes)
The transfer form validates the account number format (checked) and then shows a confirmation screen with recipient name, amount, and date before the final 'Send transfer' (confirmed). Passes with margin.
One-click irreversible purchase(fails)
A single tap charges the card immediately: no review step, no validation pause, no cancellation window. None of the three options is true — fails.
Blind 'Are you sure?' before permanent deletion(fails)
'Delete all selected records? OK / Cancel' — without showing which or how many records, and with no recovery. The user cannot meaningfully review or correct, and nothing is reversible. Fails.
Code examples
Direct submit vs. a real review step
The “confirmed” option means showing the user their actual data before the final action — not just interposing a second button.
<!-- ✗ The first click is the final, charging action -->
<form action="/api/checkout" method="post">
…payment fields…
<button type="submit">Buy now</button>
</form>
<!-- ✓ A review page echoes the data, with a way back -->
<main>
<h1>Review your order</h1>
<h2>Items</h2>
<ul>
<li>Ergonomic keyboard — 1 × $89.00</li>
</ul>
<h2>Deliver to</h2>
<p>Jane Doe, 42 Main St, Springfield
<a href="/checkout/address">Edit address</a></p>
<h2>Payment</h2>
<p>Visa ending 4242 — total $96.12
<a href="/checkout/payment">Edit payment</a></p>
<form action="/api/checkout/confirm" method="post">
<button type="submit">Place order and pay $96.12</button>
</form>
<a href="/checkout">Back to checkout</a>
</main>A deletion that is reversible — and says so
For data operations, reversibility is often the cleanest option: a trash stage plus an immediate, focusable undo.
<!-- ✗ Instant, permanent, and vague -->
<button onclick="if(confirm('Are you sure?')) destroyForever(id)">
Delete
</button>
<!-- ✓ Soft delete with a recovery window and announced undo -->
<button type="button" data-action="move-to-trash" data-id="prj_81">
Delete project
</button>
<div role="status" class="toast">
“Marketing site” moved to Trash. Items in Trash are kept
for 30 days.
<button type="button" data-action="undo">Undo</button>
</div>Checked: validate, describe, let the user fix it
The “checked” option pairs validation with an accessible error message and returns control to the user instead of finalizing.
<form action="/api/transfer" method="post" novalidate>
<label for="iban">Recipient IBAN</label>
<input id="iban" name="iban" inputmode="text"
autocomplete="off"
aria-describedby="iban-error" aria-invalid="true" />
<p id="iban-error" class="error">
This IBAN fails its checksum — one digit may be mistyped.
Compare it with the recipient's details and correct it.
</p>
<label for="amount">Amount (USD)</label>
<input id="amount" name="amount" inputmode="decimal" />
<!-- Submission is blocked until errors are corrected;
nothing is transferred while aria-invalid fields remain. -->
<button type="submit">Continue to review</button>
</form>Common failures
- A financial or legal submission that completes on the first click, with no review step, no validation opportunity, and no way to reverse it.
- A confirmation dialog that names nothing — 'Are you sure? OK / Cancel' — so the user confirms an action they cannot actually review or correct.
- Permanent deletion of user data with no trash stage, no undo, and no confirmation that shows what will be destroyed.
- A review page that displays the data but offers no way back to correct it — 'confirming' without the required correcting.
- Validation that silently rejects or 'corrects' input without telling the user, finalizing a submission that differs from what they intended.
- Timed test submissions that auto-finalize mid-answer without warning and without any of the three protections (this also implicates 2.2.1 Timing Adjustable).
How to test for 3.3.4
- 1
Find the covered submissions
Inventory every flow that creates a legal commitment, moves money, modifies or deletes stored user data, or submits test answers: checkout, payments, transfers, plan changes, account closure, bulk deletes, e-signatures, exams.
- 2
Walk each flow to the point of no return
Complete the flow in a test environment and note the exact step where the action becomes final. Everything before that step is where a check or confirmation must live; everything after is where reversal would apply.
- 3
Verify at least one protection exists
For each flow, confirm one of: the finished action can genuinely be reversed (try it); input errors are detected with a real opportunity to correct them; or a review step shows the actual data with a working path back to edit before the final, clearly labelled action.
- 4
Test the protection with assistive technology
Run the review or error step with a screen reader and keyboard only. The summary must be readable in sequence, error messages must be announced and associated with their fields (3.3.1), and the 'go back and edit' path must be keyboard-operable.
- 5
Probe the edge cases
Deliberately submit wrong data: a bad account number, an implausible amount, a double-click on the final button. Confirm the system catches it or the mistake is recoverable — and that the promised reversal window actually works.
This is flow-level, manual testing — no scanner can judge whether an order is reversible. Audit it alongside the rest of Guideline 3.3 in the full WCAG 2.2 checklist.
Frequently asked questions
What does WCAG 3.3.4 Error Prevention (Legal, Financial, Data) require?
For web pages that cause legal commitments or financial transactions for the user, that modify or delete user-controllable data in data storage systems, or that submit user test responses, at least one of three things must be true: submissions are reversible; data entered by the user is checked for input errors and the user is given an opportunity to correct them; or a mechanism is available for reviewing, confirming, and correcting information before finalizing the submission. It is a Level AA success criterion introduced in WCAG 2.0 and unchanged in WCAG 2.1 and 2.2.
Which pages does 3.3.4 apply to?
Only high-stakes submissions — the criterion names four categories. Legal commitments: signing a contract, agreeing to binding terms, submitting a legal declaration. Financial transactions: placing an order, paying a bill, transferring money, booking a non-refundable ticket. Modifying or deleting user-controllable data in data storage systems: deleting an account, overwriting a saved profile, bulk-removing records. And submitting test responses: exams and assessments where the answers are final. An ordinary contact form or newsletter signup is not covered by 3.3.4 — though 3.3.1 and 3.3.3 still apply to its error handling.
Do I need all three of reversible, checked, and confirmed?
No — the normative text says 'at least one of the following is true'. Reversible: the submission can be undone, like a cancellation window for an order or a trash folder for deleted records. Checked: input is validated for errors and the user can correct them before the action completes. Confirmed: the user gets a review step that shows what is about to happen, with a way to correct it, before final submission. Pick the mechanism that fits the interaction; many robust checkouts implement two or all three, but one is sufficient to conform.
Does a confirmation dialog ('Are you sure?') satisfy 3.3.4?
It can satisfy the 'confirmed' option if it genuinely lets the user review, confirm, and correct the information — meaning it shows what is about to be submitted or deleted, and offers a real path back to fix mistakes. A bare 'Are you sure? OK / Cancel' before deleting 'item 4832' is weak: the user cannot see what item 4832 is. A good confirmation step summarizes the actual data (the order contents and total, the account being closed, the records being deleted) and provides an explicit way to go back and edit.
Who benefits from 3.3.4?
Everyone makes mistakes, but the criterion exists because some users cannot easily detect theirs. People with motor disabilities hit adjacent keys or double-submit; screen reader users cannot skim a whole form at a glance to spot a slip; users with dyslexia transpose digits in account numbers; people with cognitive or memory limitations may lose track mid-process. For low-stakes actions a mistake is an annoyance. For a wire transfer, a legal agreement, or an irreversible deletion, it can be serious harm — which is why the serious cases get a safety net.
How does 3.3.4 relate to 3.3.1, 3.3.3, and 3.3.6?
They form the error-handling ladder in Guideline 3.3 Input Assistance. 3.3.1 Error Identification (A) requires detected errors to be identified and described in text. 3.3.3 Error Suggestion (AA) requires suggesting corrections when known. 3.3.4 (AA) adds the reversible/checked/confirmed safety net, but only for legal, financial, data-modifying, and test submissions. 3.3.6 Error Prevention (All) (AAA) extends that same safety net to every page that requires the user to submit information, not just the high-stakes ones.
Related Success Criteria
Input errors are automatically detected and described to the user.
Labels or instructions are provided when content requires user input.
Input error suggestions are provided when errors are detected.
Context-sensitive help is available.
All user input can be checked and confirmed before submission.