12 min read · Ryan Howell

Website Compliance in 2026: The Practical Guide to ADA and Cookie Laws (Before a Demand Letter Arrives)

Serial plaintiffs are sending thousands of demand letters targeting website ADA violations and cookie tracking practices. Here's what the law actually requires, what creates real liability, and the specific steps to get compliant — before someone finds you first.

compliance

There is a well-organized cottage industry of plaintiff attorneys who have built practices around sending demand letters — and sometimes filing lawsuits — targeting two specific areas of website compliance: accessibility under the ADA, and cookie and tracking technology under California privacy law.

Their model works. Most companies that receive a demand letter quietly pay a settlement ranging from a few thousand to tens of thousands of dollars, because the cost of fighting is higher than the cost of paying. The letters often look alarming. They cite federal statutes, describe alleged violations in technical detail, and arrive with a settlement offer attached. Many are form letters sent to hundreds or thousands of companies simultaneously.

This is the context for what follows: not an academic survey of the law, but a practical guide to getting actually compliant in the two areas that create the most demand-letter risk for tech companies in 2026.


Understanding the Two Problems

These are distinct legal areas with different compliance requirements, different plaintiff theories, and different practical fixes. Treating them as one problem leads to half-measures.

ADA website accessibility: Title III of the Americans with Disabilities Act prohibits discrimination in places of public accommodation. Courts have increasingly held that commercial websites are places of public accommodation, making inaccessible websites a potential ADA violation. More than 4,000 ADA website lawsuits were filed in 2024–2025, concentrated in New York, Florida, and California.

Cookie and tracking law: California's Invasion of Privacy Act (CIPA) — a wiretapping statute originally written in 1967 — has been reinterpreted by California courts to cover website tracking tools including Meta Pixel, Google Analytics, session replay software, and similar technologies. Separately, CCPA creates class-action exposure when companies share tracking data without proper notice and consent. Together, these two theories have generated a wave of class action suits targeting companies that use common analytics and marketing tools without appropriate disclosure and consent mechanisms.


Part 1: ADA Website Accessibility

What the Law Actually Requires

Title III of the ADA does not specify technical standards for website accessibility. Courts and the Department of Justice have consistently looked to the Web Content Accessibility Guidelines (WCAG) 2.1, Level AA as the practical benchmark. If your website meets WCAG 2.1 AA, you have a strong compliance position. If it doesn't, you're exposed.

The DOJ issued a final rule in April 2024 formally adopting WCAG 2.1 AA for state and local government websites (Title II). While Title III (private businesses) doesn't have the same formal rule, courts have relied on the same standard in virtually every ADA website case.

What WCAG 2.1 AA Actually Means

WCAG 2.1 AA has 50 success criteria organized around four principles. The practical translation:

Perceivable — users can perceive all content:

  • All images have descriptive alt text (not "image1.jpg" — actual descriptions)
  • Videos have captions
  • Color is not the only way to convey information (color-blind users can still navigate)
  • Text has sufficient contrast against its background (minimum 4.5:1 ratio for normal text)

Operable — users can navigate and interact:

  • All functionality is accessible by keyboard (tab, enter, arrow keys) without a mouse
  • No content flashes more than 3 times per second (seizure risk)
  • Users can pause, stop, or hide moving content
  • Page titles and link text are descriptive (not "click here")

Understandable — content is readable and predictable:

  • Page language is declared in the HTML
  • Form inputs have labels
  • Error messages identify what went wrong and how to fix it
  • Navigation is consistent across pages

Robust — content works with assistive technology:

  • HTML is valid and properly structured
  • Custom components (modals, dropdowns, date pickers) work with screen readers
  • ARIA attributes are used correctly where needed

The Most Common Violations in ADA Lawsuits

Based on the pattern of demand letters and lawsuits filed in 2024–2025, the most commonly alleged violations are:

  1. Missing or inadequate image alt text — the single most frequent issue
  2. Form fields without labels — especially on checkout, signup, and contact forms
  3. Keyboard inaccessibility — menus, modals, or interactive elements that can't be navigated without a mouse
  4. Insufficient color contrast — particularly on calls-to-action, links, and text over images
  5. Missing skip navigation links — screen reader users can't skip repetitive navigation menus
  6. PDF documents that aren't tagged — untagged PDFs are invisible to screen readers

How to Audit Your Website

Step 1: Automated scan. Free tools catch roughly 30–40% of WCAG violations automatically:

Run each of these on your homepage, your most-trafficked pages, any forms (signup, checkout, contact), and any PDFs linked from your site.

Step 2: Keyboard navigation test. Open your website and put your mouse aside. Tab through the page. Can you reach every link, button, and form field? Can you activate them with Enter or Space? Is there a visible focus indicator showing where you are? This takes 15 minutes and reveals problems no automated tool will catch.

Step 3: Screen reader test. Download NVDA (free, Windows) or use VoiceOver (built into Mac, iOS). Navigate your site with your eyes closed. Where does the experience break down?

Step 4: Prioritize fixes. Focus on: forms, checkout flows, navigation menus, image alt text, and color contrast. These are where lawsuits actually originate.

What Doesn't Work: Accessibility Overlays

Overlay widgets — JavaScript plugins that claim to make your site accessible with one line of code — are not a compliance solution. The FTC took enforcement action against one of the major providers in January 2025 for deceptive marketing. They do not fix underlying code issues; they layer a band-aid on top of a broken foundation. Courts have not accepted overlay installation as a defense in ADA litigation.

More importantly: using an overlay while your underlying site remains inaccessible tells plaintiffs' attorneys that you're aware of accessibility issues and chose a workaround over a fix. That can make your situation worse, not better.

Fix the code. Use the overlay widgets for testing if you want, but don't rely on them for compliance.

Ongoing Compliance

Accessibility isn't a one-time fix. New pages, new features, and new third-party components (chat widgets, embedded videos, payment processors) introduce new issues. The practical approach:

  • Add accessibility testing to your development workflow (axe-core can be integrated into CI/CD pipelines)
  • Designate someone responsible for reviewing new pages before launch
  • Establish a feedback mechanism — a prominently placed accessibility contact or statement — so users can report issues directly

Part 2: Cookie and Tracking Compliance

The Legal Theory Being Used Against Companies

The wave of CIPA lawsuits uses a theory that would have seemed far-fetched five years ago: that placing common analytics code (Meta Pixel, Google Analytics, session replay tools like FullStory or Hotjar) on your website without proper notice and consent constitutes illegal wiretapping under California's eavesdropping statute.

California courts have allowed these claims to survive motions to dismiss, reasoning that tracking software can function as a "pen register" — a device that records communications — triggering CIPA. The exposure is statutory damages of $5,000 per violation, and with a class of California website visitors, those numbers become significant quickly.

Separately, the CCPA creates class action exposure when companies share users' personal information — including browsing data collected through pixels — without proper disclosure and opt-out mechanisms. Courts have allowed CCPA claims to proceed where companies placed tracking tools that transmitted user data to third parties (Meta, Google) without compliant privacy notices.

What Creates the Most Risk

The highest-risk practices, in order:

  1. Meta Pixel (Facebook Pixel) without consent — this is the primary target. The Pixel transmits user behavior data to Meta even before any purchase or form submission. Without disclosure and opt-out mechanisms, this is the fact pattern underlying hundreds of filed suits.

  2. Session replay tools without disclosure — FullStory, Hotjar, Microsoft Clarity, and similar tools record user sessions (mouse movements, clicks, keystrokes). Without disclosure in your privacy policy and appropriate consent, these are directly in the crosshairs of CIPA claims.

  3. Google Analytics without proper configuration — standard GA4 collects IP addresses and behavioral data shared with Google. Less frequently targeted than Meta Pixel, but exposure exists.

  4. Chat widgets that collect data — third-party live chat tools often collect and transmit data to the vendor. Disclosure is required; consent may be required depending on jurisdiction.

What Actually Needs to Happen

1. Audit your tracking stack. List every third-party JavaScript tag on your website. Your browser's Network tab will show everything loading on page load. Common sources of exposure: Meta Pixel, LinkedIn Insight Tag, Twitter/X Pixel, TikTok Pixel, Google Ads conversion tags, session replay tools, chat widgets, A/B testing platforms.

2. Implement a consent management platform (CMP). A real CMP (not a fake cookie banner that does nothing) intercepts all non-essential JavaScript until the user consents. This means:

  • Analytics and marketing pixels don't fire until a user accepts them
  • The site loads and functions without those scripts if the user declines
  • Consent is logged with a timestamp and version

Reputable CMPs include OneTrust (enterprise), Cookiebot (mid-market), and Termly or CookieYes (startup-friendly, lower cost). A CMP that actually blocks scripts before consent is materially different from a banner that just discloses what's running. The former prevents the violation; the latter just acknowledges it.

3. Update your privacy policy. Your privacy policy must specifically disclose:

  • Each tracking technology in use by name or category
  • What data each tool collects
  • Who receives the data (Meta, Google, etc.)
  • How users can opt out

"We use cookies to improve your experience" is not sufficient. Courts have found that vague cookie disclosures don't satisfy CCPA's notice requirements.

4. Add a cookie consent banner with real functionality. The banner must:

  • Appear before non-essential scripts run (not after)
  • Offer a genuine "Decline" or "Reject All" option that actually stops tracking
  • Be as easy to decline as to accept
  • Not use dark patterns (pre-checked boxes, deceptive button colors, confusing language)

5. Respect Global Privacy Control (GPC). California regulations require that websites honor the GPC signal — a browser-level setting users can turn on to automatically opt out of data sales. If a user has GPC enabled, your site must treat them as having opted out of cookie-based tracking without requiring them to interact with a banner. Most CMPs handle this automatically if configured correctly.

6. Meta Pixel: configure or remove. If you're using the Meta Pixel, configure it using Meta's "Advanced Matching" and "Aggregated Event Measurement" tools, which limit individual-level data transmission. Consider using a server-side implementation (Conversions API) instead of a browser-side pixel — this gives you more control over what data is sent and reduces CIPA exposure. If you're not actively running Meta ads, remove the pixel entirely. The compliance and litigation risk isn't worth passive data collection.
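Steps 2, 4 and 5 above describe what a real CMP does at page load. The following is an added example, not code from the original post or from any CMP vendor: a minimal consent gate that keeps non-essential tags inert until the matching category is granted, treats a Global Privacy Control signal as an opt-out that needs no banner interaction, and produces a consent record carrying a timestamp and policy version. The category names, the `data-consent` attribute and the CONSENT_POLICY_VERSION value are assumptions.

```javascript
// Added example (not from the original post or any CMP product). Non-essential tags are
// deployed inert, e.g. <script type="text/plain" data-consent="marketing" src="pixel.js">,
// and only become live scripts once the matching category is granted.
// Category names, the data-consent attribute and the policy version are assumptions.
const CONSENT_POLICY_VERSION = "2026-01";            // bump whenever the privacy policy changes
const CATEGORIES = ["analytics", "marketing", "replay"];

// True when the browser sends Global Privacy Control (navigator.globalPrivacyControl);
// the server-side form of the same signal is the "Sec-GPC: 1" request header.
function gpcEnabled(nav = typeof navigator !== "undefined" ? navigator : {}) {
  return nav.globalPrivacyControl === true;
}

// Builds the record to log. No stored choice means every category is denied, so nothing
// non-essential loads before the banner is answered; a GPC signal is an opt-out that
// overrides the banner, as the California regulations described above require.
function resolveConsent(choice, gpc, now = new Date()) {
  const granted = {};
  for (const c of CATEGORIES) granted[c] = !gpc && Boolean(choice && choice[c] === true);
  return {
    version: CONSENT_POLICY_VERSION,
    timestamp: now.toISOString(),
    source: gpc ? "gpc" : choice ? "banner" : "default",
    granted,
  };
}

// Filters a tag inventory down to what may run. Essential scripts never wait for consent.
function allowedScripts(tags, record) {
  return tags.filter(t => t.category === "essential" || record.granted[t.category] === true);
}

// Browser only: replace each permitted inert tag with a live <script>. Guarded so the
// module also loads under Node, where it simply activates nothing.
function activate(record, doc = typeof document !== "undefined" ? document : null) {
  if (!doc) return 0;
  const inert = Array.from(doc.querySelectorAll('script[type="text/plain"][data-consent]'));
  const tags = inert.map(el => ({ el, category: el.dataset.consent }));
  let activated = 0;
  for (const { el } of allowedScripts(tags, record)) {
    const live = doc.createElement("script");
    if (el.src) live.src = el.src; else live.textContent = el.textContent;
    el.replaceWith(live);                              // the script executes on insertion
    activated++;
  }
  return activated;
}
```

A banner that only discloses tracking would skip resolveConsent and activate entirely and let every tag load normally, which is the "acknowledges the violation" pattern the text warns about.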


When You Receive a Demand Letter

Most ADA and cookie demand letters are not preludes to serious litigation. They're volume operations designed to generate settlements.

What to do immediately:

  1. Don't ignore it — the deadline in the letter is usually real for settlement purposes, and ignoring it can lead to an actual filing
  2. Don't respond impulsively — a panicked reply can lock you into positions you don't want
  3. Assess the letter — is it a form letter with your company name filled in? Are the alleged violations specific to your site, or generic? Is the plaintiff a serial litigant? (Search the plaintiff's name in PACER — you'll often find dozens of identical suits)
  4. Begin remediation — fixing the issues immediately, before any response, improves your negotiating position materially
  5. Get counsel — demand letters in this area have specific response strategies; an experienced attorney can often resolve them at a fraction of the initial settlement ask

What not to do:

  • Don't respond directly to opposing counsel without your own lawyer
  • Don't make admissions in writing about your compliance status
  • Don't pay without understanding what you're settling (the release language matters)

The Compliance Checklist

ADA / Accessibility

  • Run automated scan with WAVE and axe on all key pages
  • All images have meaningful alt text
  • All form fields have labels
  • All functionality accessible by keyboard
  • Text contrast meets 4.5:1 ratio minimum
  • Skip navigation link present
  • Page titles are descriptive and unique
  • Accessibility statement/contact page published
  • No reliance on overlay widgets as primary compliance mechanism
  • Accessibility testing added to launch checklist for new features

Cookie and Tracking

  • Complete inventory of all third-party scripts and pixels on site
  • CMP installed and configured to block scripts before consent
  • Meta Pixel configured or removed
  • Session replay tools disclosed and gated behind consent
  • Privacy policy updated to name specific tracking tools and recipients
  • Cookie consent banner offers genuine Reject All option
  • Global Privacy Control (GPC) signal honored
  • Consent logs stored with timestamps
  • Data Processing Agreements signed with all third-party vendors

The practical reality is that getting compliant on both of these is not technically complicated or expensive. A focused audit, a real CMP, and some front-end fixes will get most companies to a defensible position in a matter of weeks. The cost of doing it right is a fraction of even a nuisance settlement — and it means you're building on solid ground rather than waiting to find out how aggressive the next round of plaintiffs' attorneys decides to be.


Flux Law works with tech companies on privacy, compliance, and website legal infrastructure.
