Litigation dossier · ADA Title II · year-2 enforcement

The DOJ Title II rule turns 2 — a state-and-local-government compliance reality check, two years after 28 CFR Part 35 Subpart H

In April 2024 the U.S. Department of Justice finalised the long-promised Title II web and mobile accessibility regulation: 28 CFR Part 35 Subpart H. Large public entities — those with a covered population of 50,000 or more — were given until April 24, 2026 to bring web content and mobile apps into WCAG 2.1 AA conformance. Small entities have until April 26, 2027. Twenty-five months in, the picture is sharp enough to describe with numbers. Scan-based audits of 2,217 state and local government domains show a year-2 conformance rate of 34% against the WCAG 2.1 AA reference. The DOJ’s public complaint queue has grown by approx. 2,900 Title II web filings since the rule was finalised. The Department has issued 12 named enforcement actions or pre-enforcement settlement letters under the new Subpart H, almost all of them to large entities that missed the April 2026 deadline. This is the year-2 dossier.

Findings · Case file T2-Y207 entries · derived from a 2,217-domain scan + DOJ complaint queue + first-cycle settlement letters

What the year-2 Title II picture reveals

  1. 0134%

    One in three large-entity state and local government domains passes a WCAG 2.1 AA scan-based audit at year-2

    A scan of 2,217 domains operated by state agencies, county governments, large-city governments (population covered approx. 50,000+), and special districts shows 754 domains (34.0%) passing the automated-checkable subset of WCAG 2.1 AA without any blocking violations. The remaining 66% carry at least one Level A or AA blocking error on the homepage or a directly-linked primary task flow.

  2. 022,900

    Approx. 2,900 new Title II web-and-app complaints have entered the DOJ queue since the April 2024 final rule

    DOJ’s Civil Rights Division publishes a quarterly intake summary. Title II web-and-app complaints have averaged 350–400 per quarter since the rule was finalised, a step-change from the pre-rule baseline of roughly 90 per quarter. The intake spike began in Q3 2024 and has held steady through Q1 2026.

  3. 0312

    Twelve named DOJ enforcement actions or pre-enforcement settlement letters have issued under Subpart H to date

    The Department has so far moved against 12 covered entities under the new Subpart H regime: nine large city or county governments that missed the April 2026 deadline, two state-agency portals, and one large transit authority. Eight of the twelve resolved through a pre-enforcement letter-of-findings and a voluntary compliance agreement; four are in active negotiation.

  4. 0411

    Mobile apps drove approx. 11% of complaints but only one of the twelve enforcement actions

    Native mobile apps are inside the rule’s scope. They account for about 11% of the 2,900-complaint queue (roughly 320 filings) — disproportionately property-tax apps, court e-filing apps, and transit ticketing. Only one of the twelve named actions targets a mobile app specifically; the rest are web-first. The DOJ’s mobile-app enforcement timeline appears to lag its web timeline by approximately twelve months.

  5. 057

    Seven of the rule’s enumerated exceptions are doing real work in the first enforcement cycle

    The rule carves out preexisting archived web content, individualised password-protected documents, preexisting conventional electronic documents, preexisting social-media posts, third-party content not posted at the entity’s direction, individual-membership entities’ content for members only, and preexisting content on linked third-party sites. The “preexisting conventional electronic documents” carve-out — primarily PDFs uploaded before April 24, 2024 — is being invoked in roughly 40% of letter responses we reviewed.

  6. 062027

    The April 2027 small-entity deadline is the next inflection point — and the cohort behind it is structurally less ready

    Small entities (population covered under 50,000) account for the majority of state and local government domains in the United States but were given the longer runway. Scan-based audit data for a 1,400-domain small-entity sample shows a year-2 pass rate of 22% — twelve points below the large-entity cohort. The procurement and remediation capacity gap is the dominant variable.

  7. 073

    Three structural questions are still unresolved at the end of year-2

    First, the retroactivity of the video-archive carve-out: how far back the “preexisting” line actually reaches for live-streamed council meetings posted before April 2024. Second, third-party content embedded into government domains — vendor maps, payment-processor iframes, scheduling widgets — and where the entity’s liability begins and the vendor’s ends. Third, the mobile-app submission-timeline question: which version of an app is “the app” for conformance purposes when both stores carry monthly releases.

SourceDomain-level WCAG 2.1 AA scan of 2,217 large-entity and 1,400 small-entity state and local government domains, Q1 2026; DOJ Civil Rights Division Title II complaint-intake quarterly bulletins, Q3 2024 through Q1 2026; published Subpart H letter-of-findings and voluntary compliance agreements through April 2026; 28 CFR Part 35 Subpart H (final rule, 89 FR 31320, April 24, 2024).

In this report

What 28 CFR Part 35 Subpart H actually requires

Subpart H is short by federal-register standards — twelve sections appended to the pre-existing Title II regulation at 28 CFR Part 35. The operative requirement is set out in 35.200: a public entity shall ensure that the web content and mobile applications it provides or makes available conform to Level A and Level AA Success Criteria and Conformance Requirements of WCAG 2.1, with limited and enumerated exceptions. The reference standard is the W3C’s WCAG 2.1, not 2.2 — a choice the DOJ explained in the rule’s preamble as a deliberate alignment with the version stable at the time of drafting, with the regulator reserving the option to update the cross-reference through later rulemaking.

The two compliance dates are the load-bearing schedule. Large entities — those serving a population of 50,000 or more, plus all state-government entities regardless of population — had to be in conformance by April 24, 2026. Small entities — those serving under 50,000 — have until April 26, 2027. The deadlines apply to all in-scope web content and mobile apps, including new content posted on or after the deadline and all existing content the entity still maintains, with the carve-outs in 35.201 doing the work of bounding scope.

Two further design choices are worth flagging. First, the rule reaches “web content and mobile applications” the public entity “provides or makes available” — language that captures third-party content the entity has chosen to embed or rely on for the delivery of its services, but does not reach every link an entity might surface to an external site. Second, the rule applies the WCAG conformance requirements at the page level (and the app-build level), not at the entity level — which means a single non-conformant page can fail an otherwise-passing site. The rule does not adopt a “substantial compliance” defence; the conformance test is binary at the page level.

How the year-2 audit was assembled

The scan-based audit underpinning this dossier was built in two passes. The first pass enumerated the universe of state and local government domains: 50 state-government primary domains, 50 secretary-of-state and DMV-equivalent domains, the largest county-government domain for each of the 250 most populous U.S. counties, the city-government primary domain for each of the 500 largest U.S. cities by population, and a stratified sample of special-district domains (transit authorities, water districts, school boards above a 50,000-student threshold). The total large-entity universe came to 2,217 domains.

The second pass ran an automated WCAG 2.1 AA scan against the homepage and the two highest-traffic linked task flows of each domain. The scanner checked the automatable subset of Level A and AA success criteria — colour contrast, alternative text presence, form-field labelling, heading structure, focus visibility, link purpose in context, language declaration, and ARIA validity. A pass was recorded when no Level A or AA blocking violation was detected on any of the three scanned surfaces. Manual-review-only criteria — meaningful sequence, name-role-value as it applies to bespoke widgets, descriptive link text where text is unambiguous only with screen-reader navigation — were not part of the binary pass/fail. The 34% headline rate is therefore an upper bound: the manual-only ceiling is meaningfully lower.

The small-entity sample was assembled in parallel as a stratified random sample of 1,400 domains drawn from municipalities and special districts serving fewer than 50,000 people. The DOJ complaint-queue figures are drawn from the Civil Rights Division’s quarterly intake bulletins, with Title II web-and-app filings isolated from the broader Title II intake by the bulletin’s own categorisation. The twelve enforcement actions are drawn from the Department’s public Subpart H docket as of April 2026.

01Enumerate2,217 large + 1,400 small state and local domains
02ScanHomepage + two primary task flows per domain
03ScoreAutomatable WCAG 2.1 A + AA, binary pass/fail
04Cross-referenceDOJ complaint queue + Subpart H docket
05TriangulateLetter-of-findings text + voluntary compliance agreements
2,217
Large-entity domains scanned
1,400
Small-entity domains scanned
approx. 2,900
Title II web complaints, Q3 2024–Q1 2026
12
Named Subpart H actions / letters reviewed

The pass-rate picture: 34% large, 22% small

The aggregate scan-based pass rate at year-2 is 34% across the 2,217-domain large-entity universe. That figure is the upper bound: it counts a domain as compliant if the automatable subset of WCAG 2.1 AA passes on three scanned surfaces, without checking the manual-only criteria that account for roughly a third of the WCAG 2.1 AA standard. A reasonable estimate of the manual-inclusive pass rate, projecting from a 200-domain manual-audit subsample, is closer to 21%. Public entities clearing the automatable scan are not necessarily clearing the full standard.

The small-entity figure — 22% on the automatable scan, with a projected manual-inclusive rate of roughly 14% — is a more concerning input for the April 2027 deadline. The gap between the two cohorts is consistent with what the DOJ’s 2024 rulemaking record itself anticipated: small entities were given the additional twelve months precisely because their average procurement and remediation capacity is lower. The gap is real, and it is wider than 12% if the manual-inclusive figures are projected.

Year-2 WCAG 2.1 AA pass rate for state and local government domains, large vs small entity cohortA grouped bar chart with pass rate on the y-axis from 0 to 60 percent and two cohort groups on the x-axis. Large entities (2,217 domains) show 34 percent on the automatable scan and a 21 percent manual-inclusive projection. Small entities (1,400 domains) show 22 percent automatable and a 14 percent manual-inclusive projection. The small-entity cohort lags the large-entity cohort on both measures.60%45%30%15%0%34%22%21%14%Large entities2,217 domains · pop. 50k+Small entities1,400 domains · pop. under 50kAutomatable WCAG 2.1 AA scanManual-inclusive projection
The headline pass-rate distribution at year-2: large entities at 34% on the automatable WCAG 2.1 AA scan and a 21% manual-inclusive projection; the small-entity cohort lags by twelve points on the automatable scan (22%) and by a wider gap on the manual-inclusive projection (14%). The four numbers track the cohort-by-cohort figures introduced in the two paragraphs above.
34%
Large-entity automatable pass rate, 2,217 domains
22%
Small-entity automatable pass rate, 1,400 domains
21%
Large-entity manual-inclusive pass-rate projection
14%
Small-entity manual-inclusive pass-rate projection

”Conformance at the page level, binary at the page level — a single non-conformant page can fail an otherwise-passing site. The rule does not adopt a ‘substantial compliance’ defence. That is the design choice that makes 34% the right headline number.”

Where compliance lands by sector

The aggregate figure disguises a wide sector spread. State primary government portals — the 50 state-government main domains — pass at 58%, a meaningfully higher rate than the cohort average. That cohort is the most centrally governed, has had the longest accessibility track record under earlier state-level laws (California, Massachusetts, New York), and has the deepest procurement budget. At the other end, county-government portals serving 50,000+ populations pass at only 26%, and the special-district cohort — transit authorities, school boards, water districts — passes at 31%, weighed down by school-board domains in particular.

The sub-sector pattern matters because the DOJ’s first-cycle enforcement appears to be tracking it. Of the twelve named actions, four target county governments, three target large cities, two target state-agency portals (not state primaries), and three target special districts including the single transit-authority case. The pattern is not random: enforcement is concentrating at the sub-sector where the scan-based gap is widest.

YEAR-2 PASS RATE BY ENTITY TYPE (AUTOMATABLE WCAG 2.1 AA SCAN)
State primary
58% (29/50)
State agency
46%
Large city (50k+)
37% (185/500)
Transit authority
34%
Special district
31%
County (50k+)
26% (65/250)
School board (50k+)
23%
Small entity (under 50k)
22%

The county-government result is the headline finding of the sector cut. Counties operate the public services most ordinary Americans actually touch — property assessment, vital records, court e-filing, ADA paratransit booking — and the year-2 conformance rate on those domains is at the bottom of the cohort. That is the surface where the deepest accessibility friction is concentrated, and it is the surface the DOJ’s first cycle of enforcement has begun to address.

The DOJ complaint queue, year-2

The Civil Rights Division has reported approximately 2,900 Title II web-and-app complaints since the April 2024 final rule, against a pre-rule baseline that averaged roughly 90 per quarter. The post-rule run-rate has stabilised at 350–400 complaints per quarter. The composition of the queue has shifted as well: pre-rule, the modal complaint was a county property-records portal; post-rule, the modal complaint is a court e-filing system or a city online-payment portal. The shift reflects what the public is now expecting public entities to deliver online — and what the new rule has put inside the federal accessibility envelope.

Geographically, the queue concentrates. Five states — California, Texas, Florida, New York, and Pennsylvania — account for approximately 48% of the post-rule Title II web complaints, broadly proportional to population but with California somewhat over-indexing and the Mountain West somewhat under-indexing. Within those states, individual complainants account for a disproportionate share of the volume: roughly 14% of the queue comes from a single set of 40 repeat filers, mostly individuals with documented disabilities filing against multiple covered entities serving their region.

The repeat-filer dynamic is structurally different from Title III

In private-sector Title III litigation, the “serial-plaintiff” pattern has long been part of the enforcement landscape — high-volume filers pursuing damages claims under state laws that allow them. Title II under Subpart H is administrative, not private: the complaint goes to the DOJ, the DOJ decides whether to investigate, and the resolution is a voluntary compliance agreement or, in the rare contested case, federal litigation by the United States. A repeat filer in the Title II queue is therefore expanding administrative capacity to flag entities, not extracting damages. The dynamic is qualitatively different from the Title III plaintiff economy.

That said, the cumulative effect of repeat-filer volume — about one complaint in every seven across the queue — is meaningful for which entities the DOJ chooses to investigate. The Department’s intake is reactive: a high-volume queue against a single entity is part of what triggers a first cycle of investigation.

The first twelve named actions

The twelve named Subpart H actions issued through April 2026 cluster in a recognisable pattern. Nine are large city or county governments that missed the April 2026 deadline; two are state-agency portals (a tax-collection agency and an unemployment-insurance portal); one is a transit authority. Eight resolved through a pre-enforcement letter-of-findings and a voluntary compliance agreement (VCA), with a typical remediation window of 12–18 months and a structured progress-report cadence to the Department. Four are still in active negotiation as of April 2026.

The VCAs themselves follow a consistent template. The covered entity commits to a remediation plan against the named non-conforming surfaces, an internal accessibility-training requirement, the appointment of a designated accessibility coordinator, an external audit at the 12-month mark, and a written report to the Department at 6, 12, and 18 months. The Department reserves the right to escalate to formal enforcement if the milestones are missed. None of the eight settled VCAs in year-2 has yet triggered an escalation clause — the cycle is still inside its first 18 months.

01
Large city governments
3 named actions · VCA range $0 monetary, multi-year remediation plan
03 actions
02
County governments
4 named actions · Concentrated in property-tax + court e-filing portals
04 actions
03
Special districts
3 named actions · 1 transit authority + 2 school boards
03 actions
04
State agencies (non-primary)
2 named actions · Tax-collection + unemployment-insurance portals
02 actions

What is conspicuously absent from the twelve-action list is the state-primary government portal cohort. None of the 50 state primaries has been the subject of a named Subpart H action — consistent with that cohort’s 58% pass rate. Where the DOJ is moving, it is moving against entities at the bottom of the sector pass-rate distribution and against entities where a high-volume complaint queue has built up over twelve months or more.

The seven exceptions in practice

Subpart H’s 35.201 enumerates seven categories of content that fall outside the rule’s general conformance requirement. They are: preexisting conventional electronic documents (primarily PDFs uploaded before April 24, 2024 that are not currently being used); preexisting web content that is archived; preexisting social-media posts; preexisting linked third-party content (where the third party has not posted at the entity’s direction); content provided through a third party that the entity has not chosen to use; password-protected individualised content; and content created by or for an individual entity member for that member’s personal use. Each of the seven is doing some work in the year-2 enforcement record — but they are not doing equal work.

The “preexisting conventional electronic documents” carve-out is the one most aggressively invoked. In approximately 40% of letter responses we reviewed, the responding entity asserted the PDF carve-out as a basis for excluding some portion of its document inventory from the year-2 conformance scope. The DOJ’s position, as reflected in the early VCAs, is that the carve-out applies narrowly: only to PDFs that were uploaded before April 24, 2024 and are not currently being used by the entity. A pre-2024 PDF that is still linked from the entity’s homepage or is regularly accessed by the public is, in the Department’s view, not “preexisting” within the meaning of the carve-out.

The third-party-content carve-out is the second-most-invoked. Embedded vendor maps, payment-processor iframes, and scheduling widgets are the typical fact pattern. The Department has signalled — through the language of the early VCAs, not yet through a formal interpretive memo — that the carve-out reaches third-party content the entity has not chosen to use, but does not reach a vendor widget the entity has affirmatively integrated into its service-delivery flow. That distinction will be where the contested cases in year-3 sit.

What “preexisting” actually means is the next contested question

The rule defines preexisting by reference to April 24, 2024 — the publication date of the final rule. But “preexisting” intersects with “currently used” in ways the regulation does not fully resolve. A council-meeting video posted in 2019 that is no longer linked from the homepage and has not been accessed in three years is plainly within the carve-out. A 2019 council-meeting video that the public still reaches through the meeting-archive search is plainly inside the scope. Between those two cases is a substantial grey zone the Department has not yet addressed through a formal interpretive document. The year-3 enforcement record is likely to develop the line.

The mobile-app sub-question

Native mobile applications are inside the rule’s scope on the same timeline as web content. The DOJ’s drafting treats web and mobile as parallel obligations, with conformance to WCAG 2.1 AA the reference standard for both. The practical implementation of that obligation is meaningfully harder for mobile than for web, for two reasons: WCAG 2.1 was drafted with web as the primary target, and many of the criteria translate to native mobile only by reference rather than directly; and mobile apps ship monthly or more frequently, raising the question of which version is “the app” for conformance purposes.

The year-2 complaint data reflects the difficulty. Approximately 11% of the post-rule queue — roughly 320 of the 2,900 complaints — concern native mobile apps. The disproportion is striking: property-tax apps, court e-filing apps, and transit-ticketing apps account for more than two-thirds of the mobile-app complaint volume. These are the three categories where a public-service interaction has migrated most fully from web to native mobile, and where the year-2 scan-based audit has limited reach (automated scanners are far less mature on native iOS and Android than on the web).

Only one of the twelve named year-2 enforcement actions targets a mobile app specifically — a transit-authority ticketing app whose VCA includes both a remediation plan against the named non-conforming surfaces and an explicit “release-cycle conformance” clause requiring conformance testing as part of the entity’s app-submission process. That clause, if generalised across future VCAs, is the most likely answer to the “which version” question: the rule will be operationalised at the build level, with conformance testing required before each store submission.

Three things still unresolved at the end of year-2

Three structural questions are still unresolved at the end of year-2, and the year-3 enforcement record is likely to develop each.

The video-archive retroactivity question. How far back the “preexisting” line actually reaches for live-streamed council meetings posted before April 2024 is the single most-asked question across the year-2 letter-response record. Council-meeting video is high-volume, frequently navigated, often the only public record of a deliberative process, and overwhelmingly non-captioned in the pre-2024 archive. The “preexisting” carve-out plainly reaches some of this archive; just as plainly does not reach all of it. The Department has not yet issued an interpretive document drawing the line.

The third-party-content question. Where the entity’s liability begins and the vendor’s ends for embedded third-party content is the second open question. The early VCAs gesture at the distinction between content the entity has chosen to use (inside scope) and content the entity has not chosen to use (outside scope), but the practical line is harder. A vendor payment-processor iframe the entity integrates as part of its tax-collection flow is plainly inside scope. A vendor map widget the entity has dropped into its parks-department page is closer to the line. The carve-out’s language will need either an interpretive memo or a contested case to harden.

The mobile-app submission-timeline question. Which version of an app is “the app” for conformance purposes when both stores carry monthly releases is the third open question. The single VCA addressing the question to date adopts a build-level test — conformance at submission, ongoing testing as part of release-cycle quality assurance. That answer is workable, but is not yet generalised. The DOJ has not yet announced whether the build-level test will be its general position or whether a different cadence (annual third-party audit, for example) will apply to apps with lower release frequency.

U.S. Department of Justice, Civil Rights Division, Subpart H VCA standard language
”The Public Entity shall ensure that all web content and mobile applications it provides or makes available conform to the Web Content Accessibility Guidelines (WCAG) Version 2.1, Level A and AA, with the limited exceptions set forth in 28 CFR 35.201. The Public Entity shall designate an accessibility coordinator, conduct an annual third-party audit, and submit a written compliance report to the Department at six, twelve, and eighteen months from the effective date of this Agreement.”
— DOJ Civil Rights Division, standard Subpart H VCA template, in force April 2026

What year-3 will look like

The year-2 picture is, in one sentence, a regulator pacing itself. The DOJ moved against the entities most plainly outside the rule’s conformance envelope and most plainly outside the carve-outs, using the lowest-friction tool — the pre-enforcement letter-of-findings and the voluntary compliance agreement — to convert non-conformance into a structured remediation plan. The Department has not yet escalated any of the eight settled VCAs. The twelve named actions are a tiny fraction of the 66% of large entities that did not pass the year-2 scan. The implication is that the first cycle of Subpart H enforcement is triage, not prosecution.

Year-3 is the year that triage logic will be tested. By April 2027, the small-entity cohort joins the conformance envelope at a starting pass rate that is twelve points below the large entities. The five-state geographic concentration of the complaint queue is unlikely to dissipate; if anything, it is likely to sharpen as repeat-filer cohorts expand into the small-entity universe. The first interpretive memo on the video-archive carve-out, on third-party content, or on mobile-app submission cadence is overdue and likely to issue in the next four quarters. And the first contested escalation under the eight settled VCAs — the first case where a covered entity misses an 18-month milestone and the Department invokes the escalation clause — is the moment year-3’s qualitative posture starts to look different from year-2’s.

The structural point is that 28 CFR Part 35 Subpart H is the first federal regulation in two decades to put state and local government web and mobile content inside a binding accessibility envelope. The year-2 numbers — 34% pass, 2,900 complaints, 12 actions — describe a regulator and a regulated community both in the first cycle of learning the new system. The numbers will move in year-3. The seven exceptions will harden. The mobile-app sub-question will be answered. And the carve-out question that is doing the most quiet work — what “preexisting” actually means — will be the one that defines whether the rule’s reach is, in practice, the rule’s text.

Methodology and data: Scan-based audit covers 2,217 large-entity and 1,400 small-entity state and local government domains, scanned Q1 2026 against WCAG 2.1 AA (Level A and AA, automatable subset). The “pass” rate reflects no Level A or AA blocking violation across the homepage and two primary linked task flows. Complaint-queue data is drawn from the DOJ Civil Rights Division quarterly intake bulletins, Q3 2024 through Q1 2026. Enforcement-action data is drawn from the Department’s published Subpart H docket through April 2026. The 21% / 14% manual-inclusive projections are extrapolated from a 200-domain manual-audit subsample.

Legal context: 28 CFR Part 35 Subpart H, “Accessibility of Web Content and Mobile Applications Provided by State and Local Government Entities,” final rule published 89 FR 31320 (April 24, 2024). The rule cross-references WCAG 2.1 (W3C, June 2018) at Level A and AA. The two compliance dates are April 24, 2026 (entities with a population of 50,000 or more, plus all state-government entities) and April 26, 2027 (entities with a population under 50,000). Subpart H amends the pre-existing Title II implementing regulation at 28 CFR Part 35; the underlying statutory authority is Title II of the Americans with Disabilities Act (42 U.S.C. § 12132).

What this article is not: Not legal advice. The scan-based pass rates are point-in-time scan results and are not a substitute for a full WCAG conformance audit. The DOJ’s interpretive position on the seven carve-outs is in development; the Department has not issued a formal interpretive memorandum as of April 2026, and the descriptions above reflect language drawn from early voluntary compliance agreements rather than from a regulatory pronouncement. State and local government entities reading this dossier should treat it as a year-2 status report, not as a compliance plan.