Start a New Business

Prohibits discrimination on the basis of disability by places of public accommodation. Courts are split on whether websites qualify, but plaintiffs continue to pursue website accessibility claims — the practical standard is WCAG 2.1 AA.

Sets rules for commercial email and gives recipients the right to opt out. Requires honest subject lines, clear sender identification, a functional unsubscribe mechanism, and a valid physical postal address in every commercial message.

Governs the collection of personal information from children under 13. Requires verifiable parental consent before collecting, using, or disclosing a child's data — any site or service directed at children or with actual knowledge of child users must comply.

Provides immunity to online platforms from liability for third-party content. The foundational law enabling user-generated content platforms, review sites, social networks, and any platform that hosts content created by others. Not absolute — does not protect platforms from federal criminal law, IP claims, or content the platform itself creates or materially contributes to. Under active legislative scrutiny — the scope of Section 230 immunity has narrowed through case law and remains politically contested.

The federal anti-hacking statute. Criminalizes unauthorized access to computer systems and creates a civil cause of action companies use against former employees and competitors who misuse credentials or exceed authorized access.

Establishes safe harbors for online service providers against liability for user-uploaded infringing content, provided they implement notice-and-takedown procedures. Critical for any platform hosting user-generated content.

Prohibits unfair or deceptive acts or practices in commerce. The FTC's primary enforcement tool against privacy violations, misleading marketing, security misrepresentations, and dark patterns — applies to nearly every business.

A government-wide program establishing security assessment standards for cloud services used by federal agencies. Not a law but effectively mandatory if you want to sell cloud services to the federal government. Authorization is expensive and time-consuming but creates a significant competitive moat — relatively few cloud providers have full authorization. Managed by GSA. Authorization levels: Low, Moderate, High corresponding to sensitivity of data processed.

Any tech company building health apps, handling patient records, operating as a business associate of a covered entity, or processing protected health information must understand HIPAA. The Privacy Rule, Security Rule, and Breach Notification Rule each impose distinct obligations. HIPAA's definition of "covered entity" and "business associate" is broader than most tech founders assume — a SaaS platform that processes health data on behalf of a hospital is a business associate and must have a signed BAA. HHS Office for Civil Rights actively enforces, particularly against tech companies following data breaches.

A voluntary framework — not a law — but practically functions as a de facto compliance standard. Referenced in state breach notification laws (Tennessee), required or strongly encouraged for federal contractors, and used by courts and regulators to assess reasonableness of cybersecurity programs. CSF 2.0 released February 2024 adds a new "Govern" function to the original five (Identify, Protect, Detect, Respond, Recover). Any tech company should understand this framework before claiming to have "reasonable" security.

Not a single law but a critical compliance area. Open source licenses create legally binding obligations when you use, modify, or distribute open source software. Key license families: Permissive (MIT, Apache 2.0, BSD — few obligations, allow proprietary use); Weak Copyleft (LGPL, MPL — share-alike requirements apply only to the licensed component); Strong Copyleft (GPL, AGPL — require distributing source code of the entire combined work). AGPL is particularly significant for SaaS companies — network use may trigger copyleft obligations even without distributing software. Every tech company needs an open source policy.

Requires federal agencies to make their electronic and information technology accessible to people with disabilities. Directly applicable to any tech company selling to the federal government — your product must meet Section 508 standards or you cannot win federal contracts. Standards align with WCAG 2.1 AA for web content. Enforced through the Access Board and federal procurement requirements.

Requires financial institutions (broadly defined to include many fintechs and money services businesses) to keep records, file reports, and maintain customer identification programs to assist in detecting money laundering and financial crime.

Sweeping financial reform law that created the Consumer Financial Protection Bureau and imposed new obligations on fintech companies, payment processors, and any business offering consumer financial products.

Governs electronic fund transfers involving consumer accounts — ACH, debit cards, and digital wallets. Sets disclosure requirements, error resolution procedures, and liability limits for unauthorized transactions.

Regulates the collection, use, and sharing of consumer credit and background information. Applies to any company using background checks, credit reports, or algorithmic consumer evaluations for employment, housing, or credit decisions.

Requires financial institutions to explain their information-sharing practices and protect sensitive customer data. The Safeguards Rule mandates specific administrative, technical, and physical data security measures.

Governs IP rights in federally funded research. Allows grant and contract recipients to retain patent rights to inventions. Government retains a royalty-free license and march-in rights. Critical for any tech company receiving federal R&D funding or SBIR/STTR grants.

The foundational federal law protecting original works of authorship. Copyright attaches automatically upon fixation; registration is not required for protection but is required before suing for infringement and to recover statutory damages.

Created a federal civil cause of action for trade secret misappropriation. Lets companies sue in federal court and seek injunctions, damages, and — in egregious cases — seizure of misappropriated materials.

DoD-specific supplement to the FAR. Contains stricter requirements on technical data rights, software rights, and cybersecurity (CMMC). CMMC program effective November 2025 requires third-party cybersecurity certifications for DoD contractors.

Establishes safe harbors for online service providers against liability for user-uploaded infringing content, provided they implement notice-and-takedown procedures. Critical for any platform hosting user-generated content.

Not a single law but a critical compliance area. Open source licenses create legally binding obligations when you use, modify, or distribute open source software. Key license families: Permissive (MIT, Apache 2.0, BSD — few obligations, allow proprietary use); Weak Copyleft (LGPL, MPL — share-alike requirements apply only to the licensed component); Strong Copyleft (GPL, AGPL — require distributing source code of the entire combined work). AGPL is particularly significant for SaaS companies — network use may trigger copyleft obligations even without distributing software. Every tech company needs an open source policy.

The federal law governing patents for inventions and designs. Establishes the USPTO, defines patentable subject matter, and creates enforcement rights. Patent eligibility for software remains a contested area post-Alice.

Promotes technology transfer from federal laboratories to the private sector. Relevant for tech companies seeking to license federally developed technology or partner with federal labs.

FAR contract clauses governing government rights in technical data and computer software. Determines whether the government receives unlimited, limited, or government-purpose rights. Negotiating these clauses is one of the most consequential IP decisions when entering government contracting.