Section 508 (US federal): website compliance, explained
The Section 508 (US federal) applies to US federal agencies and any vendor selling technology to them; 508 conformance is a procurement requirement, usually documented in a VPAT/ACR. It has been mandatory since the 2018 refresh aligned it with WCAG 2.0 AA.
The technical benchmark is WCAG 2.0 AA via the Revised 508 Standards; agencies increasingly expect 2.1 AA. In practice, that means your site must be perceivable, operable, understandable, and robust for users with disabilities, from screen-reader users to keyboard-only navigation to low-vision users who need sufficient color contrast.
Timeline and current status
Section 508 dates to 1998, and the 2017-2018 'refresh' harmonized it with WCAG 2.0 AA. Since then, agencies have tightened enforcement through procurement: solicitations ask for an Accessibility Conformance Report (ACR, based on the VPAT template), and GSA reports agency-wide 508 maturity to Congress annually, keeping pressure on buyers to reject non-conformant products.
What enforcement actually looks like
Non-conformant bids lose federal contracts. A credible, current accessibility report is table stakes for government sales.
What WCAG requires, in plain terms
WCAG (Web Content Accessibility Guidelines) is organized around four principles: content must be perceivable (e.g. images have text alternatives, text has sufficient contrast), operable (everything works with a keyboard, users have enough time, nothing traps focus), understandable (pages are readable, predictable, and help users avoid mistakes), and robust (markup is parseable by assistive technologies like screen readers). Each guideline has testable success criteria at three levels: A (minimum), AA (the level essentially every law references), and AAA (aspirational). Conformance at AA means meeting all A and AA criteria. The current version is WCAG 2.2, published in October 2023, which added nine criteria to WCAG 2.1, including minimum target sizes for buttons and links, visible focus indicators, and easier authentication.
The violations that actually show up on real sites
Across the millions of pages tested in large-scale studies like WebAIM's annual survey of the top one million homepages, the same handful of failures dominate: low-contrast text (found on roughly four out of five homepages), images missing alternative text, form inputs without labels, empty links and buttons, and missing document language. In our own scans of e-commerce sites, we also routinely find keyboard traps in carousels and mega-menus, focus indicators removed with CSS, modal dialogs that screen readers never announce, and touch targets far below the 24 by 24 pixel minimum WCAG 2.2 requires. Most of these are cheap to fix individually. The expensive part is finding them all and keeping them fixed as the site changes, which is exactly what automated monitoring is for.
Why overlays and widgets don't help
Regulators on both sides of the Atlantic have rejected overlay widgets as a compliance shortcut. The US FTC fined a leading overlay vendor $1M in 2025 for deceptive 'one-line-of-code compliance' claims, and the European Commission has stated overlays do not confer conformance. Compliance means fixing your actual markup, and being able to prove you did.
What a defensible position looks like
Enforcement bodies and plaintiffs' lawyers respond to evidence: a documented scan history, a prioritized remediation log, and visible progress. A site with a timestamped record of continuous scanning and fixing is in a categorically stronger position than one with no paper trail, even at the same level of technical conformance. That evidence trail is also what an accessibility statement, a VPAT, or a response to a demand letter gets built from.
Compliance checklist
- Run an automated WCAG scan of your key pages (home, product/service, checkout or contact)
- Fix critical and serious violations first, since these carry the most legal and usability weight
- Keep a dated log of what was found and what was fixed
- Re-scan on a schedule; every deploy and CMS edit can introduce regressions
- Add a manual audit for the criteria automation can't check (roughly two-thirds of WCAG)
- Publish an accessibility statement describing your conformance status and contact route
Frequently asked questions
- Does the Section 508 (US federal) apply to my business?
- It applies to US federal agencies and any vendor selling technology to them; 508 conformance is a procurement requirement, usually documented in a VPAT/ACR. Section 508 binds federal agencies directly. Private companies are only pulled in when they sell to the government, but at that point conformance documentation is non-negotiable.
- Which WCAG version does the Section 508 (US federal) require?
- The referenced standard is WCAG 2.0 AA via the Revised 508 Standards; agencies increasingly expect 2.1 AA. WCAG versions are backwards-compatible, so building to the current WCAG 2.2 AA satisfies the older versions laws cite and protects you as standards are updated.
- What are the penalties for non-compliance?
- Non-conformant bids lose federal contracts. A credible, current accessibility report is table stakes for government sales.
- Does an accessibility overlay or widget make me compliant?
- No. Overlay widgets inject a script that tries to repair issues in the browser at display time. Regulators and courts have rejected this approach: the US FTC fined a leading overlay vendor $1 million in 2025 for deceptive compliance claims, the European Commission has stated overlays do not confer conformance, and hundreds of US lawsuits in recent years have been filed against sites that were running an overlay at the time. Real compliance means fixing your actual markup and keeping evidence that you did.
- Can an automated scan alone make me compliant?
- Not by itself, and any vendor claiming otherwise is misleading you. Roughly a third of WCAG success criteria can be checked by a machine, though those criteria account for the majority of violations found in real audits by volume. An automated scan is the fastest way to find and fix the bulk of your issues and to prove ongoing diligence, but full conformance also requires human judgment for things like alt-text quality, logical reading order, and form error recovery. The strongest position combines automated monitoring with a periodic manual audit.