Every business relationship a tech company enters is defined by a contract — or the absence of one. SaaS agreements, vendor agreements, data processing agreements, employment contracts, contractor agreements, terms of service, privacy policies — each has legal obligations attached and each represents risk if done poorly. The contracts that matter most for tech companies are often the ones that get the least attention: the standard form vendor agreement from a large cloud provider that contains aggressive IP assignment clauses, the contractor agreement that doesn't adequately address who owns the work product, the data processing agreement that doesn't meet GDPR requirements.
Data Processing Agreements (DPAs) deserve specific attention. GDPR and many other privacy laws require a written DPA between a data controller and any processor that handles personal data on their behalf. If you're a SaaS company processing your customers' data, your customers are the controller and you're the processor — your customers may legally require a DPA before they can use your product. If you use third-party tools that process your users' data (analytics, marketing, support), you're the controller and those vendors are processors — you need DPAs with them. Understanding this chain is foundational to GDPR compliance.
Federal
ADA Title II Web Accessibility Rule
ADA Title II — 42 U.S.C. §§ 12131–12165
The U.S. Department of Justice's 2024 rule under Title II of the Americans with Disabilities Act requiring state and local governments to make their websites and mobile apps accessible to people with disabilities. It adopts WCAG 2.1 Level AA as the technical standard and sets phased compliance deadlines based on population size. It applies to public entities including state agencies, cities, counties, public colleges, and K–12 school districts — as well as to third-party EdTech and software vendors whose content or services are offered through those entities.
Last updated May 31, 2026
Federal
Americans with Disabilities Act Title III
ADA Title III — 42 U.S.C. §§ 12181–12189
Prohibits discrimination on the basis of disability by places of public accommodation. Courts are split on whether websites qualify, but plaintiffs continue to pursue website accessibility claims — the practical standard is WCAG 2.1 AA.
Last updated May 31, 2026
Federal
CAN-SPAM Act
CAN-SPAM — 15 U.S.C. §§ 7701–7713
Sets rules for commercial email and gives recipients the right to opt out. Requires honest subject lines, clear sender identification, a functional unsubscribe mechanism, and a valid physical postal address in every commercial message.
Last updated May 31, 2026
Federal
Children's Online Privacy Protection Act
COPPA — 15 U.S.C. §§ 6501–6506
Prohibits unfair or deceptive practices in the online collection of personal information from children under 13. Requires parental consent before collecting, using, or disclosing a child's data. Enforced by the FTC through the COPPA Rule (16 CFR Part 312), which specifies notice, consent, security, and data retention obligations for operators of child-directed websites and services.
Last updated May 31, 2026
Federal
Communications Decency Act Section 230
Section 230 — 47 U.S.C. § 230
Section 230 provides significant immunity to online platforms for third-party content posted by users. It is particularly relevant to AI chat systems, social platforms, marketplaces, moderation systems, and products involving user-generated or AI-assisted content, although important limitations and ongoing legal challenges exist.
Last updated May 31, 2026
Federal
Computer Fraud and Abuse Act
CFAA — 18 U.S.C. § 1030
The federal anti-hacking statute. Criminalizes unauthorized access to computer systems and creates a civil cause of action companies use against former employees and competitors who misuse credentials or exceed authorized access.
Last updated May 31, 2026
Federal
Digital Millennium Copyright Act
DMCA — 17 U.S.C. § 512
Establishes safe harbors for online service providers against liability for user-uploaded infringing content, provided they implement notice-and-takedown procedures. Critical for any platform hosting user-generated content.
Last updated May 28, 2026
Federal
Electronic and Information Technology Accessibility (Section 508)
Section 508 — 29 U.S.C. § 794d
Requires federal agencies to make their electronic and information technology accessible to people with disabilities. Directly applicable to any tech company selling to the federal government — your product must meet Section 508 standards or you cannot win federal contracts. Standards align with WCAG 2.1 AA for web content. Enforced through the Access Board and federal procurement requirements.
Last updated May 31, 2026
Federal
FTC Act Section 5
FTC Act — 15 U.S.C. § 45
Section 5 prohibits unfair or deceptive acts or practices in commerce and serves as the FTC's primary authority for regulating deceptive AI claims, unfair automated systems, and problematic data practices. It applies broadly to technology companies making representations about AI capabilities, automation, security, personalization, or algorithmic decision-making.
Last updated May 31, 2026
Federal
Federal Risk and Authorization Management Program
FedRAMP — 44 U.S.C. §§ 3607–3616
A government-wide program establishing security assessment standards for cloud services used by federal agencies. Not a law but effectively mandatory if you want to sell cloud services to the federal government. Authorization is expensive and time-consuming but creates a significant competitive moat — relatively few cloud providers have full authorization. Managed by GSA. Authorization levels (Low, Moderate, High) correspond to the sensitivity of the data the service processes.
Last updated May 31, 2026
Federal
Health Insurance Portability and Accountability Act
HIPAA — 42 U.S.C. §§ 1320d–1320d-9
Any tech company building health apps, handling patient records, operating as a business associate of a covered entity, or processing protected health information must understand HIPAA. The Privacy Rule, Security Rule, and Breach Notification Rule each impose distinct obligations. HIPAA's definition of "covered entity" and "business associate" is broader than most tech founders assume — a SaaS platform that processes health data on behalf of a hospital is a business associate and must have a signed BAA. HHS Office for Civil Rights actively enforces, particularly against tech companies following data breaches.
Last updated May 31, 2026
Federal
NIST Cybersecurity Framework 2.0
NIST CSF
A voluntary framework — not a law — but in practice it functions as a de facto compliance standard. Referenced in state breach notification laws (Tennessee), required or strongly encouraged for federal contractors, and used by courts and regulators to assess the reasonableness of cybersecurity programs. CSF 2.0, released in February 2024, adds a new "Govern" function to the original five (Identify, Protect, Detect, Respond, Recover). Any tech company should understand this framework before claiming to have "reasonable" security.
Last updated April 4, 2026
Federal
Open Source Licensing Frameworks
OSS Licenses
Not a single law but a critical compliance area. Open source licenses create legally binding obligations when you use, modify, or distribute open source software. Key license families: Permissive (MIT, Apache 2.0, BSD — few obligations, allow proprietary use); Weak Copyleft (LGPL, MPL — share-alike requirements apply only to the licensed component); Strong Copyleft (GPL, AGPL — require distributing source code of the entire combined work). AGPL is particularly significant for SaaS companies — network use may trigger copyleft obligations even without distributing software. Every tech company needs an open source policy.
Last updated April 4, 2026
Contract law is primarily state law in the US — with significant variation in how courts interpret common provisions like limitation of liability clauses, indemnification, and choice of law. The Uniform Commercial Code (UCC) governs contracts for the sale of goods, but software licensing is a gray area. International contracts must address governing law and dispute resolution carefully — a US court judgment may not be enforceable in every foreign jurisdiction, and vice versa. EU contracts also need to address GDPR DPA requirements specifically.