On August 4, 2023, the U.S. Department of Justice (DOJ) published in the Federal Register a Notice of Proposed Rulemaking (NPRM) on Accessibility of Web Information and Services of State and Local Government Entities.  The DOJ Fact Sheet is at  Fact Sheet: Notice of Proposed Rulemaking on Accessibility of Web Information and Services of State and Local Government Entities, and includes links to the NPRM.  Comments are due October 3, 2023. Final regulations could be issued within three to six months. The new rules will have a great impact on public entities, including all public colleges and universities. They are also likely to be the blueprint for Section 504 regulations on website accessibility, which will affect virtually all private colleges, many health care providers, and other recipients of federal financial assistance. It is likely that the DOJ will then issue proposed regulations for private businesses covered under ADA Title III that will impose similar technical requirements. These mandates will impose a far greater burden than the DOJ predicts.

What You Need to Know: 

• The DOJ published a Notice of Proposed Rulemaking on Accessibility of Web Information and Services of State and Local Government Entities.
• If the rule is adopted, all content on all websites, and mobile apps used by any public entity for the delivery of any of its programs, services or activities for the general public are required to be accessible. 
• The technical standard proposed by the DOJ is WCAG 2.1, Level AA, the international consensus standard on digital accessibility, issued in 2018.

Introduction

The relatively small group of business lawyers who regularly defend ADA Section 504 and FHA claims are hesitant to "cry-wolf” just because the DOJ has finally issued a Notice of Proposed Rulemaking (NPRM) on website accessibility. We have seen this before. The DOJ issued an Advance Notice of Proposed Rulemaking in 2010, received many comments, but took no action during the Obama administration. Most believe this is because the DOJ did not want to tackle the potential coverage of on-line businesses. The Trump administration pulled all efforts at ADA regulations. The Biden administration has been promising new rules for more than a year. 

For those unfamiliar with this subject, the NPRM starts with Website Accessibility 101, including descriptions of the technology, the widespread use of websites and apps to deliver public services and the history of non-compliance by state and local governments and the private sector. It will not be long before the DOJ’s discussion finds its way into ADA Title II and III complaints. 

The DOJ elected to issue an NPRM under ADA Title II, which applies to all public entities. ADA Title II requires non-discrimination in all “programs, services and activities” of public entities. Title II applies to all state and local governmental entities of every type, including all public colleges and universities. The DOJ has been saying since 1996 that ADA Title II applied to information and services offered on the web. The NPRM suggests, not subtly, that all public entities have been on notice of this issue since then, and especially since 2010; and that the DOJ’s efforts at voluntary compliance and targeted enforcement have failed. In 2003 guidance, the DOJ had suggested that public entities could meet their obligations by equivalent means, such as customer service help lines. The DOJ has now concluded that those are not equally effective, and that a mandate is needed. 

In the NPRM’s introduction, the DOJ explains that it has authority to issue Title II regulations, and also has authority to coordinate and oversee compliance with Section 504. It is pretty obvious that after issuing final regulations under Title II, unless there is a change in the White House, every other federal agency will be told to adopt regulations under Section 504 that are consistent with the new Title II regulations. That will include new Section 504 rules by the Departments of Education, Housing and Urban Development, Health and Human Services (HHS), Transportation, and other federal departments that provide federal financial assistance. The issuance of new Section 504 regulations will have ripple effects. For example, Section 1557 of the Affordable Care Act incorporates theories under Section 504, so it is likely that the HHS rules will be extended to a wide variety of entities. 

Once the DOJ sets the baseline for technical standards and methods of compliance for Title II entities, it is likely ADA Title III regulations will follow, assuming the DOJ finally resolves how to handle on-line businesses and individual commercial transactions.   

Scope of the Proposed Rules

This is simple. Unless one of the exceptions apply (see below), all content on all websites and mobile apps used by any public entity for the delivery of any of its programs, services or activities for the general public are required to be accessible. This includes all mobile apps used by public entities directly to provide or support its services, programs, or activities. It also includes websites or apps of third parties in providing services, programs, or activities. As a simple example, a county or city that uses the Parkmobile app for paid street parking would be required to ensure the Parkmobile app is accessible. The DOJ proposes that web content that public entities make available to members of the public or use to offer services, programs, and activities must be accessible, regardless of whether it is located on the public entity’s own website or elsewhere on the web via a social media platform. Social media sites used by public entities are covered. 

WCAG 2.1 Level AA 

The technical standard proposed by the DOJ is also simple. Given various choices, the DOJ is proposing WCAG 2.1, Level AA, which was issued in 2018. If you represent a public entity or Section 504 covered entity and do not know what this is, it is time to learn. WCAG is the international consensus standard on digital accessibility, which is required by law in many countries (but the scope varies). The DOJ leaves open the possibility of updating the standard in the future. Public entities would have to meet all of the criteria in Level A and AA. There are more criteria in WCAG 2.1 than in 2.0. 

The NPRM does not directly address “widgets” or overlays, but touches on the related concept of equivalent but alternative accessible websites. There are many companies selling products that allegedly comply with WCAG by using AI to automatically convert web content so that it is usable by people who use screen readers. However, they do not work as promised, and they do not meet all of the WCAG 2.1 Level AA criteria. Every knowledgeable web accessibility expert or developer understands this. If it sounds too good to be true, it is. The DOJ mandates would require hard fixes, not work-arounds. 

Deadlines

From the time final regulations are published, large entities will have two years to comply, whereas small entities and special purpose districts have three years to comply. A large entity is one that has a population of 50,000 or more, as measured by U.S. Census data. The catch is that with some exceptions (e.g., school districts), coverage is determined by the population of the parent entity. If a community college is considered a county entity, it is the population of the county. Most four-year colleges would be considered entities of the state. So, if the final rule is published by July 1, 2024, most colleges and universities and larger public entities would need to be in “compliance” by July 1, 2026. 

Exceptions 

The DOJ has given considerable thought to “exceptions.” But, as always, the devil is in the details. The DOJ is proposing seven exceptions with some limitations. Here is the brief version:

1. Archived web content. This is a fairly narrow exception for “web content that (1) is maintained exclusively for reference, research, or recordkeeping; (2) is not altered or updated after the date of archiving; and (3) is organized and stored in a dedicated area or areas clearly identified as being archived.” The DOJ repeatedly says entities could not just claim something is in an “archive.” What is noteworthy is that the general rule is so broad that this exception is needed. 
2. Preexisting conventional electronic documents. This is probably the most important exception.  “Conventional electronic documents” are “web content or content in mobile apps that is in the following electronic file formats: portable document formats (PDF), word processor file formats, presentation file formats, spreadsheet file formats, and database file formats.” The exception applies to any of these types of documents that are on websites or mobile apps when the rule takes effect, “unless such documents are currently used by members of the public to apply for, gain access to, or participate in a public entity’s services, programs, or activities.” The DOJ wants public entities to focus their time and resources on making new content accessible and setting up systems to maintain accessibility. However, any existing content that is still being used to provide services, programs, or activities, or is needed in the future, will have to be made accessible. This regulation supplements existing Title II (or Section 504) obligations to provide “effective communication,” including alternative formats on request. 
3. Web content posted by third parties on a public entity’s website. This exception is for content over which the public entity has no control. It would cover anything from public comments on message boards to filings made in court. But the tools or platforms used to post third-party content on a public entity’s website, such as message boards, would need to be accessible. If the public entity chooses to post third-party content on its website, or as part of its services, programs, or activities, that must be accessible (e.g., calendars, scheduling tools, maps, reservations systems, and payment systems that were developed by an outside technology company). Title II already says that a public entity may not delegate away its obligations, and the DOJ would incorporate this. If a public entity uses a contractor or another third party to post content on the entity’s behalf, or conduct services, programs, or activities, that content must be accessible. 
4. Third-party web content linked from a public entity’s website. Similarly, if a public entity posts a link as a benefit to constituents, it is not responsible for the accessibility of the other website (e.g., a college providing links to nearby businesses). But if the links are part of the entity’s own programs, services, or activities, they must be accessible. 
5. Course content on a public entity’s password-protected or otherwise secured website for admitted students enrolled in a specific course offered by a public postsecondary institution. 
6. Class or course content on a public entity’s password-protected or otherwise secured website for students enrolled, or parents of students enrolled, in a specific class or course at a public elementary or secondary school. In these parallel provisions (5 and 6 above), the DOJ proposes that in classes where students are enrolled, and where course content and material is limited to those in the course, none of the content needs to be accessible until there is a student with a disability that needs content in an accessible format. But once the school learns a student in the class needs any web content to be accessible, all web content in that class must be made accessible. This goes beyond existing requirements under the ADA and Section 504 of providing accessible formats for one student on request. The DOJ intends that this approach will gradually lead to the creation of more accessible content that will be available in other courses. If the school learns of a student’s request after the course begins, the DOJ proposes that all course content offered over the web be made accessible within five days. The proposed exception would not apply to any courses open to the general public, or to all students (such as MOOCs). All web content in those courses would need to be accessible.
7. Conventional electronic documents that are about a specific individual, their property, or their account and that are password-protected or otherwise secured. This is a pretty narrow exception. Examples might include a public hospital portal for a patient’s own information, or a customer’s utility account for payment. 

Compliance Standards 

The DOJ saved the best for last—how to determine when an entity is in compliance with the new standard. The DOJ acknowledges that it cannot apply the same principles used to measure compliance with the ADA Standards in New Construction or Alterations, since “unlike buildings, public entities’ websites and mobile apps are dynamic and interconnected, and can contain a large amount of complex, highly technical, varied, and frequently changing content.”  But throughout the discussion of alternatives, the DOJ seems to be unaware that 100% compliance with the WCAG criteria is not only difficult, but virtually impossible, especially with dynamic, changing and interactive websites and apps. Every expert in the field of digital accessibility is in agreement. Hopefully, some of them will take the time to comment.

The DOJ says, with good reasons, that it is not inclined to set some type of numeric level of “compliance” (e.g., 95% or 97%). There are the obvious problems of numerous types of software programs to test accessibility, which seldom measure every WCAG criteria, and variations in manual testing. More importantly, a website can be mostly accessible and still have some issues that prevent a particular individual from accessing services, programs, and activities. And there may be WCAG non-compliance that does not interfere with usability. 

What the DOJ is presenting as possible alternatives might well work together. For example, a provision that would require or permit a public entity to demonstrate that any nonconformance did not have a meaningful effect might not be feasible as a way of measuring compliance across the board, but could be an affirmative defense in an investigation or lawsuit. 

The DOJ does include an option that most accessibility experts say is the only realistic option: to develop and implement robust policies and procedures to test, fix, repeat (accessibility feedback, testing, and remediation). The DOJ provides this illustration:

“A public entity proactively tested its existing web and mobile app content for conformance with WCAG 2.1 Level AA using automated testing on a regular basis (e.g., every 30 days), conducted user testing on a regular basis (e.g, every 90 days), and tested any new web and mobile app content for conformance with WCAG 2.1 Level AA before that content was posted on its website or added to its mobile app. This public entity also remediated any nonconformance found in its existing web and mobile app content after the test (e.g, within two weeks). An entity that took these (or similar) steps on its own initiative could be deemed to have complied with its obligations under the ADA, even if a person with a disability encountered an access barrier or a particular automated testing report indicated noncompliance with WCAG 2.1 Level AA. The public entity would be able to rely on its existing, effectively working web and mobile app content accessibility testing and remediation program to demonstrate compliance with the ADA.”

In a series of settlements with major pharmacies over their COVID-19 vaccine scheduling portals, the DOJ required WCAG “compliance,” but in practice compliance was monitored through the robust testing and remediation practices, and the speed with which critical errors were corrected. In the NPRM, the DOJ also describes “organizational maturity” of an entity’s digital accessibility as a potential measure of compliance, but these are related. No entity, large or small, can execute the robust policies and practices needed to achieve and maintain website accessibility until it has the resources at the technical level for testing and remediation, but also processes for trying to make content accessible before it goes on-line. 

And this is where colleges and universities and most public entities fail because of their decentralized environment, where web content is frequently created and sometimes posted by separate units, departments, divisions, etc. There are few practical options. One is to have many staff trained throughout the organization to do most of the coding and design work up front, and required to do so. The other is to require that all web content be reviewed and made accessible before it can be posted anywhere on the web or social media. Both are time consuming. And this is just on the front end. The organization still needs processes to test, fix and repeat.

This is the most crucial issue the DOJ will have to resolve. It will affect not only how the DOJ enforces Title II, but will be immediately relevant in the defense of all website accessibility claims. 

Conclusion 

The DOJ will be reviewing the hundreds of comments over the coming months. Based upon past rulemakings there will be some modifications, but it is unlikely that there will be changes on the key concepts. Everyone involved in digital accessibility issues for public and private entities should read this proposed rule, and understand that, subject to the 2024 presidential election results, mandates are likely to come much sooner than later.