Website & platform compliance

40 laws across all jurisdictions

US Federal (14)
ADA Title II Web Accessibility Rule
ADA Title II
The U.S. Department of Justice's 2024 rule under Title II of the Americans with Disabilities Act requiring state and local governments to make their websites and mobile apps accessible to people with disabilities. It adopts WCAG 2.1 Level AA as the technical standard and sets phased compliance deadlines based on population size. It applies to public entities including state agencies, cities, counties, public colleges, and K–12 school districts — as well as to third-party EdTech and software vendors whose content or services are offered through those entities.
website-platform-compliance
Americans with Disabilities Act Title III
ADA Title III
Prohibits discrimination on the basis of disability by places of public accommodation. Courts are split on whether websites qualify, but plaintiffs continue to pursue website accessibility claims — the practical standard is WCAG 2.1 AA.
CAN-SPAM Act
CAN-SPAM
Sets rules for commercial email and gives recipients the right to opt out. Requires honest subject lines, clear sender identification, a functional unsubscribe mechanism, and a valid physical postal address in every commercial message.
Children's Online Privacy Protection Act
COPPA
Governs the collection of personal information from children under 13. Requires verifiable parental consent before collecting, using, or disclosing a child's data — any site or service directed at children or with actual knowledge of child users must comply.
Communications Decency Act Section 230
Section 230
Provides immunity to online platforms from liability for third-party content. The foundational law enabling user-generated content platforms, review sites, social networks, and any platform that hosts content created by others. Not absolute — does not protect platforms from federal criminal law, IP claims, or content the platform itself creates or materially contributes to. Under active legislative scrutiny — the scope of Section 230 immunity has narrowed through case law and remains politically contested.
Computer Fraud and Abuse Act
CFAA
The federal anti-hacking statute. Criminalizes unauthorized access to computer systems and creates a civil cause of action companies use against former employees and competitors who misuse credentials or exceed authorized access.
Digital Millennium Copyright Act
DMCA
Establishes safe harbors for online service providers against liability for user-uploaded infringing content, provided they implement notice-and-takedown procedures. Critical for any platform hosting user-generated content.
FTC Act Section 5
FTC Act §5
Prohibits unfair or deceptive acts or practices in commerce. The FTC's primary enforcement tool against privacy violations, misleading marketing, security misrepresentations, and dark patterns — applies to nearly every business.
Federal Risk and Authorization Management Program
FedRAMP
A government-wide program establishing security assessment standards for cloud services used by federal agencies. Not a law, but effectively mandatory if you want to sell cloud services to the federal government. Authorization is expensive and time-consuming but creates a significant competitive moat — relatively few cloud providers have full authorization. Managed by GSA. Authorization levels are Low, Moderate, and High, corresponding to the sensitivity of the data processed.
Freedom of Information Act
FOIA
Gives any person the right to request access to federal agency records. Heavily used by businesses and law firms to obtain government data about competitors, regulatory proceedings, enforcement actions, and agency decision-making. Official portal: foia.gov.
Health Insurance Portability and Accountability Act
HIPAA
Any tech company building health apps, handling patient records, operating as a business associate of a covered entity, or processing protected health information must understand HIPAA. The Privacy Rule, Security Rule, and Breach Notification Rule each impose distinct obligations. HIPAA's definition of "covered entity" and "business associate" is broader than most tech founders assume — a SaaS platform that processes health data on behalf of a hospital is a business associate and must have a signed BAA. HHS Office for Civil Rights actively enforces, particularly against tech companies following data breaches.
NIST Cybersecurity Framework 2.0
NIST CSF
A voluntary framework — not a law — but practically functions as a de facto compliance standard. Referenced in state breach notification laws (Tennessee), required or strongly encouraged for federal contractors, and used by courts and regulators to assess reasonableness of cybersecurity programs. CSF 2.0 released February 2024 adds a new "Govern" function to the original five (Identify, Protect, Detect, Respond, Recover). Any tech company should understand this framework before claiming to have "reasonable" security.
Open Source Licensing Frameworks
OSS Licenses
Not a single law but a critical compliance area. Open source licenses create legally binding obligations when you use, modify, or distribute open source software. Key license families: Permissive (MIT, Apache 2.0, BSD — few obligations, allow proprietary use); Weak Copyleft (LGPL, MPL — share-alike requirements apply only to the licensed component); Strong Copyleft (GPL, AGPL — require distributing source code of the entire combined work). AGPL is particularly significant for SaaS companies — network use may trigger copyleft obligations even without distributing software. Every tech company needs an open source policy.
Section 508 of the Rehabilitation Act
Section 508
Requires federal agencies to make their electronic and information technology accessible to people with disabilities. Directly applicable to any tech company selling to the federal government — your product must meet Section 508 standards or you cannot win federal contracts. Standards align with WCAG 2.1 AA for web content. Enforced through the Access Board and federal procurement requirements.
US States (20)
California Consumer Privacy Act / California Privacy Rights Act
CPRA/CCPA
California's comprehensive consumer privacy law giving residents rights to know, delete, correct, and opt out of the sale or sharing of their personal information. Applies to businesses meeting revenue or data-volume thresholds processing California residents' data.
Colorado Privacy Act
CPA
Colorado's comprehensive privacy law modeled on the CCPA structure. Grants residents access, deletion, correction, portability, and opt-out rights, and requires data protection assessments for high-risk processing.
Connecticut Data Privacy Act
CTDPA
Connecticut's comprehensive privacy law providing residents with rights to access, correct, delete, and opt out of targeted advertising, sale of data, and profiling. Enforcement by the attorney general.
Delaware Personal Data Privacy Act
DPDPA
Delaware's comprehensive privacy law granting residents standard consumer privacy rights. Applies to businesses processing personal data of 35,000+ Delaware residents. Effective January 2025.
Florida Digital Bill of Rights
FDBR
Florida's comprehensive privacy law focused on large tech companies with $1B+ in global revenue. Grants residents rights to access, delete, and opt out of targeted advertising and the sale of data.
Indiana Consumer Data Protection Act
Indiana CDPA
Indiana's comprehensive privacy law following the Virginia model. Grants residents access, correction, deletion, and opt-out rights. Effective January 2026.
Iowa Consumer Data Protection Act
Iowa CDPA
Iowa's comprehensive privacy law. Provides residents with more limited rights than other state privacy laws (no correction right, no profiling opt-out). Effective January 2025.
Kentucky Consumer Data Protection Act
KCDPA
Kentucky's comprehensive privacy law modeled on the Virginia framework. Grants residents access, correction, deletion, and opt-out rights. Effective January 2026.
Maryland Online Data Privacy Act
MODPA
Maryland's comprehensive privacy law — one of the strictest in the US. Imposes data minimization requirements and bans the sale of sensitive personal data without affirmative consent. Effective October 2025.
Minnesota Consumer Data Privacy Act
MNDPA
Minnesota's comprehensive privacy law with strong profiling and automated decision-making provisions. Grants residents access to profiling logic and contestation rights. Effective July 2025.
Montana Consumer Data Privacy Act
MCDPA
Montana's comprehensive privacy law following the Connecticut model. Grants standard access, correction, deletion, portability, and opt-out rights.
Nebraska Data Privacy Act
NDPA
Nebraska's comprehensive privacy law modeled on the Texas framework. Applies to businesses processing personal data that are not small businesses under the SBA definition.
New Hampshire Privacy Act
NH SB 255
New Hampshire's comprehensive privacy law granting residents standard consumer privacy rights. Effective January 2025.
New Jersey Data Privacy Act
NJ DPA
New Jersey's comprehensive privacy law. Grants residents access, correction, deletion, portability, and opt-out rights. Effective January 2025.
New York SHIELD Act
SHIELD Act
New York's data security and breach notification law. Requires businesses that own or license private information of New York residents to implement reasonable safeguards and notify affected individuals after a breach.
Oregon Consumer Privacy Act
OCPA
Oregon's comprehensive privacy law. Grants residents standard consumer privacy rights and includes strong protections for sensitive data, including children's information.
Rhode Island Data Transparency and Privacy Protection Act
RIDPA
Rhode Island's comprehensive privacy law focused on transparency and notice obligations. Effective January 2026.
Tennessee Information Protection Act
TIPA
Tennessee's comprehensive privacy law. Notable for explicitly providing an affirmative defense for businesses that implement NIST-aligned privacy programs.
Texas Data Privacy and Security Act
TDPSA
Texas's comprehensive privacy law. Applies to any business processing Texas residents' data that is not a small business under the SBA definition — broader applicability than most state privacy laws.
Virginia Consumer Data Protection Act
VCDPA
Virginia's comprehensive privacy law — the first to follow the CCPA in 2023. Became the template for many subsequent state privacy laws including CO, CT, UT, and others.
International (6)
Marco Civil da Internet
Marco Civil
Brazil's "Internet Bill of Rights" establishing principles of net neutrality, privacy, and freedom of expression online. Imposes data retention, user notification, and due process requirements on internet service providers.
Official source is in Portuguese
Digital Services Act
DSA
Comprehensive EU regulation governing online intermediaries and platforms. Imposes content moderation, transparency, and risk-mitigation obligations — with tiered requirements based on platform size. Very Large Online Platforms face the strictest rules.
Digital Republic Act
Loi République Numérique
French law establishing principles of openness, fairness, and loyalty for digital platforms. Includes provisions on data portability, platform transparency, and algorithmic accountability.
Official source is in French
Harmful Digital Communications Act 2015
HDCA 2015
New Zealand law creating civil and criminal remedies for online harassment and digital abuse. Imposes takedown and content-moderation obligations on digital communications providers.
Act on Promotion of Information and Communications Network Utilization and Information Protection
Network Act
Imposes data protection, security, and user consent obligations on operators of information and communications networks in South Korea. One of Asia's earliest comprehensive internet regulatory frameworks.
Official source is in Korean
Online Safety Act 2023
OSA 2023
UK law imposing duty-of-care obligations on online platforms to protect users — especially children — from illegal and harmful content. Ofcom enforces with fines up to 10% of global turnover.