Skip to content

Early Access opens July 12 · $99/mo · all suites during the launch window · price locked through Q1 2027 · Join the waitlist →

Resources · ADA Title II Final Rule · Operator's Guide · 2026 Edition

The complete ADA Title II Final Rule compliance guide for public entities — 28 CFR Part 35.

acipta · Agent-based defensibility platform — workflow-grounded.

A 2,500-word operator's guide for the public-entity team that owns ADA compliance. WCAG 2.1 AA as federal technical standard. Who's covered. What's required. What the demand letter looks like — and the response playbook your legal counsel will ask for. Built from 4,605 federal ADA lawsuits filed in 2024 and the post-April-24-2026 enforcement environment.

Deadline status · 2026-05-15 Large public entities (50K+ population): deadline passed April 24, 2026 · 21 days into the exposure window.
Small public entities: deadline is April 24, 2027 · 11 months remaining to demonstrate good-faith conformance.

What's in this guide

  1. The Final Rule, in one paragraph
  2. Who is covered — and who isn't
  3. Deadlines that already passed (and the ones still ahead)
  4. WCAG 2.1 AA — the technical standard
  5. Demand-letter response playbook — 5-step
  6. Common findings and the remediation patterns that work
  7. Audit-defensibility checklist for legal counsel

§1The Final Rule, in one paragraph

The Department of Justice's ADA Title II Final Rule — published April 2024, codified at 28 CFR § 35.200–35.203 — adopts WCAG 2.1 Level AA as the federal technical standard for web content and mobile applications used by state and local government entities. The rule does not invent new accessibility requirements; Title II of the ADA has prohibited disability discrimination by public entities since 1990. What the Final Rule does is specify the technical floor: a measurable, third-party-defined standard that converts "accessible" from a posture into a per-success-criterion conformance test.

The shift, plainly: Before April 2024, "accessible" was a defensible-in-court posture about good-faith effort. After April 2024, "accessible" is 50 WCAG 2.1 success criteria, audited per-criterion, with no procedural reasonableness defense for missing the technical standard once the deadline has passed.

§2Who is covered — and who isn't

Covered (Title II)

Not covered by Title II (but covered separately)

Why this matters for procurement
If you're a private vendor selling into the public sector, your customers are now bound by the Final Rule. Their procurement contracts will increasingly require Title II-aligned VPAT 2.5s from vendors — even when your company itself isn't a "covered entity." Vendor accessibility evidence has become a Title II compliance input.

§3Deadlines — what passed, what's coming

Entity classificationPopulation thresholdCompliance deadlineStatus (2026-05-15)
Large public entity50,000+ populationApril 24, 2026PASSED — 21 days ago
Small public entityUnder 50,000 populationApril 24, 202711 months remaining
Special-purpose districtsServing 50K+ populationApril 24, 2026PASSED
Special-purpose districtsServing < 50KApril 24, 202711 months remaining

Public K-12 districts and post-secondary institutions follow their own enumeration logic — but most major districts and state university systems fell into the April 2026 deadline. The functional default for any large public-facing entity in 2026 is: the deadline has passed, and the question is whether the entity can demonstrate good-faith conformance plus a documented remediation plan for any non-conforming surface.

§4WCAG 2.1 AA — the technical standard

The Final Rule references Web Content Accessibility Guidelines (WCAG) 2.1, Level AA, published by the W3C in 2018. WCAG 2.1 AA = all 50 success criteria at Level A and Level AA. The criteria organize under four POUR principles:

The legal floor is WCAG 2.1 AA — but most procurement contracts and Section 508 VPAT 2.5 submissions now reference WCAG 2.2 AA (published October 2023, backward compatible with 2.1 plus 9 new criteria). The practical posture for a public entity in 2026 is to target WCAG 2.1 AA for federal-mandate defensibility and layer WCAG 2.2 AA on top for forward compatibility. See our WCAG 2.1 AA compliance page and WCAG 2.2 AA enhancements guide for the per-criterion breakdown.

Read this if you're an attorney: The standard is per-success-criterion, not per-page. A page that fails one criterion is a non-conforming page. Conformance evidence must be produced per criterion — a "we scanned the site and it looked clean" attestation is not defensible at deposition. This is where the audit trail matters: every verdict, every page, every criterion, signed at write time.
3 sections behind the form · ~1,500 words

Get the demand-letter response playbook + audit-defensibility checklist.

The remaining 3 sections — §5 the 5-step demand-letter response playbook, §6 common findings with remediation patterns, §7 the audit-defensibility checklist your legal counsel will ask for — are what you'll want printed and on the desk when the certified letter arrives. Send to a work email and we'll deliver the full PDF + monthly Title II enforcement update (unsubscribe anytime).

  • The 5-step demand-letter response playbook (preserve, scope, evidence, posture, settlement)
  • Common findings + the remediation patterns that actually hold under WCAG re-test
  • Audit-defensibility checklist — the artifacts your counsel will ask for in deposition
  • Reciprocal: monthly Title II enforcement digest. Real cases, real cleanup decisions.

No nurture spam. Monthly Title II enforcement digest only. Plus print-friendly PDF. ⌥-P / Ctrl-P to print.

Already on the list? Unlock the rest →

§5Demand-letter response playbook — 5 steps

The post-April-2026 demand letter is no longer rare. It typically arrives from a plaintiff's firm specializing in ADA accessibility litigation, identifies specific WCAG failures on specific URLs (often from automated scan output like axe-core or WAVE), and offers settlement for a defined dollar figure plus attorney's fees and a remediation undertaking. The 5-step response below is what defendable public entities run on day one.

STEP 1

Preserve — within 48 hours of receipt

Litigation hold. Issue a written preservation directive to your IT, communications, and procurement teams. Suspend any planned site re-deploys that would overwrite the URL state plaintiff scanned. Snapshot the disputed pages — HTML, rendered DOM, computed accessibility tree, browser version — and write to immutable storage with timestamps. If you have any signed-evidence platform (acipta or otherwise), capture the per-criterion verdict log for the cited URLs.

Why this matters: The plaintiff's evidence is a scan run at a moment in time. Your defense begins with a byte-identical capture of that moment. Without it, the plaintiff's narrative goes unchallenged.

STEP 2

Scope — re-test under your own audit methodology

Run an independent WCAG 2.1 AA audit of the cited URLs. The plaintiff's automated scan covers an estimated 30-40% of WCAG criteria (the deterministically machine-checkable ones). The remaining 60-70% require human inspection, AT testing, or per-criterion review by accessibility specialists. Your audit produces three buckets per cited finding: (a) confirmed non-conformance, (b) disputed methodology / false positive, (c) already remediated since the scan date.

Don't argue the law. Argue the technical evidence. The Final Rule's standard is unambiguous; your defense is built on what conformance evidence you can produce per criterion, per URL, with timestamps.

STEP 3

Evidence — produce signed conformance records

The decisive artifact is per-success-criterion conformance evidence with provenance — signed at write time, hash-chained, and replayable. For URLs in bucket (c) "already remediated since scan", you produce the signed verdict log showing the criterion now passes and the date it passed. For bucket (b) "disputed methodology", you produce the human-inspection record from your accessibility specialist including AT version, browser, and screen-reader output.

If your stack doesn't produce this evidence at write time — if it's only a dashboard screenshot — your defense leans on attorney narrative rather than per-criterion record. Plaintiffs' firms increasingly know this gap and price it into demand letters.

STEP 4

Posture — frame the response letter

The response letter has three jobs: (1) acknowledge receipt and reference your good-faith Title II compliance program with documented evidence; (2) bucket the cited findings (confirmed / disputed / remediated) with per-finding citations; (3) offer a defined remediation timeline for the confirmed bucket with measurable milestones. This is not a settlement letter — it's the letter that determines whether settlement happens at $30K or $200K.

Tone matters less than evidence. The plaintiff's firm has seen thousands of bluster-and-deny responses. What they haven't seen — and what reframes the negotiation — is per-criterion signed evidence with timestamps. That artifact carries the response.

STEP 5

Settlement — when (and at what dollar) to close

Most Title II demand letters settle. The question is at what dollar and on what remediation terms. The variables: how many confirmed non-conformances remain after your scoping audit (Step 2), what your remediation runway looks like (Step 4), and what monitoring the plaintiff requires post-settlement. A strong defendant typically settles at 20-40% of the initial demand with a 6-12 month remediation window and quarterly self-audit reporting (not third-party monitoring).

The arithmetic that drives settlement down: if 60% of cited findings move from bucket (a) to (b) or (c) under your re-audit, the dollar drops correspondingly. The 60% figure isn't aspirational — it's the typical delta between an automated scan and a per-criterion human-validated audit. The path to it is signed conformance evidence, not better negotiation.

§6Common findings + the remediation patterns that hold

Across the demand letters and consent decrees we've reviewed, the same 10 WCAG criteria account for ~80% of cited findings. Below are those criteria with the remediation patterns that hold under WCAG re-test (and the patterns that get re-flagged six months later).

CriterionCommon findingPattern that holds
1.1.1 Non-text ContentMissing alt text on images; alt="image" placeholdersPer-image authored alt text + decorative-image audit (alt="" with role="presentation"); CMS-level required-field enforcement at publish time
1.3.1 Info and RelationshipsVisual headings using bold-only without <h> tags; missing form labelsSemantic HTML enforced by linter; visual-vs-semantic mismatch flagged at PR time
1.4.3 Contrast (Minimum)Text-on-background below 4.5:1 (or 3:1 for large text)Design-token-level enforcement; computed contrast at render time, not at design time
2.1.1 KeyboardCustom interactive components (modals, dropdowns) with no keyboard handlerComponent library with keyboard handler in the primitive; lint rule that flags onClick without onKeyDown
2.4.7 Focus Visible:focus styles removed by global outline:none resetMandatory :focus-visible token in design system; CSS reset audit
3.3.2 Labels or InstructionsPlaceholder-only forms (no <label>)Form-component-level enforcement; visible-label-required pattern
4.1.2 Name, Role, ValueDiv-on-click custom controls without ARIAUse semantic HTML first; ARIA second; lint rule against div+onClick patterns
1.4.10 ReflowFixed-width containers breaking at 320px viewportMobile-first responsive; reflow tested at every PR via viewport snapshot
1.4.11 Non-text ContrastUI components (buttons, form fields) below 3:1 against backgroundComponent-state-level contrast enforcement; per-state (default/hover/focus/disabled) check
2.4.4 Link Purpose"Click here" / "read more" links without surrounding contextLinter against ambiguous link text; aria-label fallback for unavoidable cases
The pattern under the patterns: remediations that hold are enforced at the primitive level — design tokens, component library, lint rules, CMS-publish gates. Remediations that fail are page-by-page manual sweeps. The second pattern produces a fix that re-breaks at the next deploy. The first pattern produces a fix that compounds.

§7Audit-defensibility checklist for legal counsel

This is the checklist your inside or outside counsel will work through when a demand letter arrives. It's also the checklist your insurance carrier will run during cyber/E&O underwriting review. If a row says NO, that's a remediation priority before the next deadline cycle.

Section 7A — Conformance evidence

  • Per-success-criterion conformance records exist for all 50 WCAG 2.1 Level A + AA criteria
  • Each record is signed at write time (Ed25519, RSA, or equivalent — not after-the-fact dashboard exports)
  • Each record has a verifiable timestamp (RFC 3161 or equivalent — not server clock)
  • Records are hash-chained or stored in tamper-evident write-once storage
  • VPAT 2.5 is auto-derived from the conformance records (not authored separately)
  • Coverage extends to all production-facing URLs, not just the homepage and top-10 templates

Section 7B — Process evidence (good-faith conformance posture)

  • Written accessibility policy referenced in employee handbook and procurement contracts
  • Named accessibility officer or program owner with documented charter
  • Vendor accessibility requirements in procurement standards (with VPAT requirement for new contracts)
  • Annual third-party WCAG audit on file (independent of internal tooling)
  • Public-facing accessibility statement at /accessibility/ with feedback contact and remediation pipeline
  • Documented remediation pipeline with measurable milestones for any open findings

Section 7C — Replay-ability

  • For any given URL on any given date, you can produce: the exact rendered HTML, the computed accessibility tree, the per-criterion verdict
  • The replay is byte-identical — not a re-scan of today's URL
  • Retention horizon is documented (recommended: 7 years from last publication, aligned to records-management retention schedule)
  • Cryptographic verification of the replay artifact is independently runnable by opposing counsel (i.e., not vendor-locked)

Section 7D — Vendor accessibility

  • Every third-party SaaS or component embedded in the site has a current VPAT 2.5 on file
  • Vendor contracts include WCAG 2.1 AA conformance warranty + remediation cure period
  • Vendor-introduced non-conformances are documented in the entity's remediation pipeline with vendor SLA reference
  • Critical-path vendors (payment, ID verification, content embed) have escalation contacts on file
The defendability test: If a plaintiff's expert ran the same automated scan on the same URL six months apart and the per-criterion verdict log doesn't match the scan output, that's the deposition exhibit you don't want. Conformance evidence and scan output must reconcile.

Replay a verdict. Verify the hash. In 20 minutes.

If a WCAG 2.1 AA criterion fails on your site today and you can't replay the failing artifact with a verifiable timestamp, you're holding scan output — not audit evidence. acipta produces the evidence at write time. Free 20-minute demo: bring a URL, leave with a signed verdict.