ADA Title II Web Accessibility Rule
ADA Title II
The U.S. Department of Justice's 2024 rule under Title II of the Americans with Disabilities Act requiring state and local governments to make their websites and mobile apps accessible to people with disabilities. It adopts WCAG 2.1 Level AA as the technical standard and sets phased compliance deadlines based on population size. It applies to public entities including state agencies, cities, counties, public colleges, and K–12 school districts — as well as to third-party EdTech and software vendors whose content or services are offered through those entities.
website-platform-compliance
Americans with Disabilities Act Title III
ADA Title III
Prohibits discrimination on the basis of disability by places of public accommodation. Courts are split on whether websites qualify, but plaintiffs continue to pursue website accessibility claims — the practical standard is WCAG 2.1 AA.
website-platform-compliance
Bank Secrecy Act
BSA
Requires financial institutions (broadly defined to include many fintechs and money services businesses) to keep records, file reports, and maintain customer identification programs to assist in detecting money laundering and financial crime.
accepting-payments
CAN-SPAM Act
CAN-SPAM
Sets rules for commercial email and gives recipients the right to opt out. Requires honest subject lines, clear sender identification, a functional unsubscribe mechanism, and a valid physical postal address in every commercial message.
marketing-communications, website-platform-compliance
Children's Online Privacy Protection Act
COPPA
Governs the collection of personal information from children under 13. Requires verifiable parental consent before collecting, using, or disclosing a child's data — any site or service directed at children or with actual knowledge of child users must comply.
collecting-user-data, website-platform-compliance
Clayton Antitrust Act
Clayton Act
Prohibits specific anticompetitive practices including price discrimination, tying arrangements, and mergers that substantially lessen competition. It supplements the Sherman Act by giving regulators and private plaintiffs more targeted tools to challenge anti-competitive conduct. Applies to all businesses engaged in interstate commerce.
antitrust-competition
Communications Decency Act Section 230
Section 230
Provides immunity to online platforms from liability for third-party content. The foundational law enabling user-generated content platforms, review sites, social networks, and any platform that hosts content created by others. Not absolute — does not protect platforms from federal criminal law, IP claims, or content the platform itself creates or materially contributes to. Under active legislative scrutiny — the scope of Section 230 immunity has narrowed through case law and remains politically contested.
using-building-ai, website-platform-compliance
Computer Fraud and Abuse Act
CFAA
The federal anti-hacking statute. Criminalizes unauthorized access to computer systems and creates a civil cause of action companies use against former employees and competitors who misuse credentials or exceed authorized access.
website-platform-compliance, data-security-breach
Copyright Act
Copyright Act
The foundational federal law protecting original works of authorship. Copyright attaches automatically upon fixation; registration is not required for protection but is required before suing for infringement and to recover statutory damages.
protecting-ip
Cyber Incident Reporting for Critical Infrastructure Act
CIRCIA
Requires critical infrastructure entities to report substantial cyber incidents to CISA within 72 hours and ransomware payments within 24 hours. CISA is developing final implementing rules. Applies to entities in the 16 critical infrastructure sectors — including IT, communications, financial services, and energy. Tech companies operating critical infrastructure or providing services to those that do should monitor CISA's rulemaking.
data-security-breach
Cybersecurity Maturity Model Certification
CMMC
DoD-specific cybersecurity certification requirement for defense contractors and subcontractors. Effective November 2025. Three levels — Level 1 (basic), Level 2 (advanced, requires third-party assessment for most), Level 3 (expert). Any company in the defense industrial base — including software vendors, IT service providers, and cloud providers touching DoD systems — must understand which CMMC level applies. Non-compliance means losing DoD contracts.
using-building-ai, data-security-breach, government-contracting
DOJ Bulk Sensitive Data Rule
Implements Executive Order 14117 restricting the bulk transfer of Americans' sensitive personal data to countries of concern (China, Russia, Iran, North Korea, Cuba, Venezuela). Effective April 2025. Covers genomic data, biometric data, precise geolocation, health data, financial data, and certain government-related data. Tech companies handling large-scale personal data should evaluate whether their data flows implicate these restrictions.
collecting-user-data
Defend Trade Secrets Act
DTSA
Created a federal civil cause of action for trade secret misappropriation. Lets companies sue in federal court and seek injunctions, damages, and — in egregious cases — seizure of misappropriated materials.
protecting-ip
Digital Millennium Copyright Act
DMCA
Establishes safe harbors for online service providers against liability for user-uploaded infringing content, provided they implement notice-and-takedown procedures. Critical for any platform hosting user-generated content.
protecting-ip, website-platform-compliance
Dodd-Frank Wall Street Reform and Consumer Protection Act
Dodd-Frank
Sweeping financial reform law that created the Consumer Financial Protection Bureau and imposed new obligations on fintech companies, payment processors, and any business offering consumer financial products.
accepting-payments
Electronic Communications Privacy Act
ECPA
Governs how the government and private parties can access electronic communications and stored data, covering real-time interception, stored records, and metadata collection. It is the primary federal statute protecting the privacy of digital communications. Applies to any entity that intercepts, accesses, or stores electronic communications.
collecting-user-data, data-security-breach
Electronic Fund Transfer Act
EFTA
Governs electronic fund transfers involving consumer accounts — ACH, debit cards, and digital wallets. Sets disclosure requirements, error resolution procedures, and liability limits for unauthorized transactions.
accepting-payments
Export Administration Regulations
EAR
Controls the export and re-export of dual-use items (commercial goods with potential military applications), including encryption technology and certain software. Administered by the Bureau of Industry and Security, it requires export licenses for controlled items. Applies to any company exporting technology, software, or technical data outside the United States.
selling-internationally
FTC Act Section 5
FTC Act §5
Prohibits unfair or deceptive acts or practices in commerce. The FTC's primary enforcement tool against privacy violations, misleading marketing, security misrepresentations, and dark patterns — applies to nearly every business.
collecting-user-data, marketing-communications, website-platform-compliance
Fair Credit Reporting Act
FCRA
Regulates the collection, use, and sharing of consumer credit and background information. Applies to any company using background checks, credit reports, or algorithmic consumer evaluations for employment, housing, or credit decisions.
collecting-user-data, accepting-payments
Federal Risk and Authorization Management Program
FedRAMP
A government-wide program establishing security assessment standards for cloud services used by federal agencies. Not a law, but effectively mandatory if you want to sell cloud services to the federal government. Authorization is expensive and time-consuming but creates a significant competitive moat, since relatively few cloud providers have full authorization. Managed by GSA. Authorization levels are Low, Moderate, and High, corresponding to the sensitivity of the data processed.
website-platform-compliance, data-security-breach, government-contracting
Gramm-Leach-Bliley Act
GLBA
Requires financial institutions to explain their information-sharing practices and protect sensitive customer data. The Safeguards Rule mandates specific administrative, technical, and physical data security measures.
collecting-user-data, accepting-payments, data-security-breach
Health Information Technology for Economic and Clinical Health Act
HITECH
Strengthened HIPAA enforcement and extended HIPAA obligations directly to business associates. Introduced tiered civil penalties and required HHS to conduct periodic audits of covered entities and business associates. Relevant to any tech company that is or may become a HIPAA business associate.
collecting-user-data, data-security-breach
Health Insurance Portability and Accountability Act
HIPAA
Any tech company building health apps, handling patient records, operating as a business associate of a covered entity, or processing protected health information must understand HIPAA. The Privacy Rule, Security Rule, and Breach Notification Rule each impose distinct obligations. HIPAA's definition of "covered entity" and "business associate" is broader than most tech founders assume — a SaaS platform that processes health data on behalf of a hospital is a business associate and must have a signed BAA. HHS Office for Civil Rights actively enforces, particularly against tech companies following data breaches.
collecting-user-data, website-platform-compliance, data-security-breach
NIST Cybersecurity Framework 2.0
NIST CSF
A voluntary framework, not a law, but one that practically functions as a de facto compliance standard. It is referenced in state breach notification laws (Tennessee), required or strongly encouraged for federal contractors, and used by courts and regulators to assess the reasonableness of cybersecurity programs. CSF 2.0, released in February 2024, adds a new "Govern" function to the original five (Identify, Protect, Detect, Respond, Recover). Any tech company should understand this framework before claiming to have "reasonable" security.
website-platform-compliance, data-security-breach
Open Source Licensing Frameworks
OSS Licenses
Not a single law but a critical compliance area. Open source licenses create legally binding obligations when you use, modify, or distribute open source software. Key license families: Permissive (MIT, Apache 2.0, BSD — few obligations, allow proprietary use); Weak Copyleft (LGPL, MPL — share-alike requirements apply only to the licensed component); Strong Copyleft (GPL, AGPL — require distributing source code of the entire combined work). AGPL is particularly significant for SaaS companies — network use may trigger copyleft obligations even without distributing software. Every tech company needs an open source policy.
protecting-ip, website-platform-compliance
Patent Act
Patent Act
The federal law governing patents for inventions and designs. Establishes the USPTO, defines patentable subject matter, and creates enforcement rights. Patent eligibility for software remains a contested area post-Alice.
protecting-ip
Section 508 of the Rehabilitation Act
Section 508
Requires federal agencies to make their electronic and information technology accessible to people with disabilities. Directly applicable to any tech company selling to the federal government — your product must meet Section 508 standards or you cannot win federal contracts. Standards align with WCAG 2.1 AA for web content. Enforced through the Access Board and federal procurement requirements.
website-platform-compliance, government-contracting
Sherman Antitrust Act
Sherman Act
The foundational federal antitrust statute, prohibiting agreements in restraint of trade and monopolization or attempted monopolization of any market. Violations can carry criminal penalties including imprisonment. Applies to all businesses in interstate commerce and is increasingly used to challenge the market power of major technology platforms.
antitrust-competition
Telephone Consumer Protection Act
TCPA
Restricts telemarketing calls, auto-dialed calls, prerecorded voice messages, and unsolicited text messages. It requires prior express consent for most automated contacts and maintains the National Do Not Call Registry. Applies to any business that contacts consumers by phone or text, making it one of the most heavily litigated consumer protection statutes in the country.
marketing-communications