Gives any person the right to request access to federal agency records. Heavily used by businesses, law firms, and lawyers to obtain government data about competitors, regulatory proceedings, enforcement actions, and agency decision-making. Official portal: foia.gov.
The U.S. Department of Justice's 2024 rule under Title II of the Americans with Disabilities Act requiring state and local governments to make their websites and mobile apps accessible to people with disabilities. It adopts WCAG 2.1 Level AA as the technical standard and sets phased compliance deadlines based on population size. It applies to public entities including state agencies, cities, counties, public colleges, and K–12 school districts — as well as to third-party EdTech and software vendors whose content or services are offered through those entities.
Prohibits discrimination on the basis of disability by places of public accommodation. Courts are split on whether websites qualify, but plaintiffs continue to pursue website accessibility claims — the practical standard is WCAG 2.1 AA.
Sets rules for commercial email and gives recipients the right to opt out. Requires honest subject lines, clear sender identification, a functional unsubscribe mechanism, and a valid physical postal address in every commercial message.
Section 230 provides significant immunity to online platforms for third-party content posted by users. It is particularly relevant to AI chat systems, social platforms, marketplaces, moderation systems, and products involving user-generated or AI-assisted content, although important limitations and ongoing legal challenges exist.
The federal anti-hacking statute. Criminalizes unauthorized access to computer systems and creates a civil cause of action companies use against former employees and competitors who misuse credentials or exceed authorized access.
Establishes safe harbors for online service providers against liability for user-uploaded infringing content, provided they implement notice-and-takedown procedures. Critical for any platform hosting user-generated content.
Electronic and Information Technology Accessibility (Section 508)
Section 508 — 29 U.S.C. § 794d
Requires federal agencies to make their electronic and information technology accessible to people with disabilities. Directly applicable to any tech company selling to the federal government — your product must meet Section 508 standards or you cannot win federal contracts. Standards align with WCAG 2.1 AA for web content. Enforced through the Access Board and federal procurement requirements.
Section 5 prohibits unfair or deceptive acts or practices in commerce and serves as the FTC's primary authority for regulating deceptive AI claims, unfair automated systems, and problematic data practices. It applies broadly to technology companies making representations about AI capabilities, automation, security, personalization, or algorithmic decision-making.
A government-wide program establishing security assessment standards for cloud services used by federal agencies. Not a law but effectively mandatory if you want to sell cloud services to the federal government. Authorization is expensive and time-consuming but creates a significant competitive moat — relatively few cloud providers have full authorization. Managed by GSA. Authorization levels (Low, Moderate, High) correspond to the sensitivity of the data processed.
Health Insurance Portability and Accountability Act
HIPAA — 42 U.S.C. §§ 1320d–1320d-9
Any tech company building health apps, handling patient records, operating as a business associate of a covered entity, or processing protected health information must understand HIPAA. The Privacy Rule, Security Rule, and Breach Notification Rule each impose distinct obligations. HIPAA's definition of "covered entity" and "business associate" is broader than most tech founders assume — a SaaS platform that processes health data on behalf of a hospital is a business associate and must have a signed BAA. HHS Office for Civil Rights actively enforces, particularly against tech companies following data breaches.
A voluntary framework — not a law — but practically functions as a de facto compliance standard. Referenced in state breach notification laws (Tennessee), required or strongly encouraged for federal contractors, and used by courts and regulators to assess reasonableness of cybersecurity programs. CSF 2.0 released February 2024 adds a new "Govern" function to the original five (Identify, Protect, Detect, Respond, Recover). Any tech company should understand this framework before claiming to have "reasonable" security.
Not a single law but a critical compliance area. Open source licenses create legally binding obligations when you use, modify, or distribute open source software. Key license families: Permissive (MIT, Apache 2.0, BSD — few obligations, allow proprietary use); Weak Copyleft (LGPL, MPL — share-alike requirements apply only to the licensed component); Strong Copyleft (GPL, AGPL — require distributing source code of the entire combined work). AGPL is particularly significant for SaaS companies — network use may trigger copyleft obligations even without distributing software. Every tech company needs an open source policy.
Prohibits unfair or deceptive practices in the online collection of personal information from children under 13. Requires parental consent before collecting, using, or disclosing a child's data. Enforced by the FTC through the COPPA Rule (16 CFR Part 312), which specifies notice, consent, security, and data retention obligations for operators of child-directed websites and services.
Applies to businesses with $25M+ revenue, or processing data of 100,000+ California residents, or deriving 50%+ of revenue from selling personal information. Grants rights to know, delete, correct, and opt out of data sales or sharing. Enforced by the California Privacy Protection Agency.
Applies to businesses processing data of 100,000+ Colorado residents, or 25,000+ if deriving revenue from data sales. Grants access, deletion, correction, portability, and opt-out rights. Requires data protection assessments for high-risk processing.
Applies to businesses processing data of 100,000+ Connecticut residents, or 25,000+ if deriving revenue from data sales. Grants access, correction, deletion, portability, and opt-out rights for targeted advertising, data sales, and profiling.
Applies to businesses processing data of 35,000+ Delaware residents, or 10,000+ if deriving revenue from data sales. Grants standard consumer privacy rights. One of the lower applicability thresholds among state privacy laws.
Applies to businesses with $1B+ in global revenue that process data of 50,000+ Florida residents. One of the highest thresholds in the US — primarily targets large tech companies. Grants access, deletion, and opt-out rights.
Applies to businesses processing data of 100,000+ Indiana residents, or 25,000+ if deriving revenue from data sales. Grants access, correction, deletion, and opt-out rights. Follows the Virginia model. Effective January 2026.
Applies to businesses processing data of 100,000+ Iowa residents, or 25,000+ if deriving revenue from data sales. More limited than most — no correction right and no profiling opt-out.
Applies to businesses processing data of 100,000+ Kentucky residents, or 25,000+ if deriving revenue from data sales. Follows the Virginia framework. Grants access, correction, deletion, and opt-out rights. Effective January 2026.
Applies to businesses processing data of 35,000+ Maryland residents, or 10,000+ if deriving revenue from data sales. One of the strictest state privacy laws — bans the sale of sensitive data without affirmative consent and imposes data minimization requirements.
Applies to businesses processing data of 100,000+ Minnesota residents, or 25,000+ if deriving revenue from data sales. Includes strong protections around profiling and automated decision-making, with rights to access profiling logic and contest decisions.
Applies to businesses processing data of 50,000+ Montana residents, or 25,000+ if deriving revenue from data sales. Follows the Connecticut model. Grants access, correction, deletion, portability, and opt-out rights.
Applies to businesses that are not small businesses under the SBA definition and process Nebraska residents' data. Modeled on the Texas framework — broader applicability than most state privacy laws. Grants standard consumer privacy rights.
Applies to businesses processing data of 35,000+ New Hampshire residents, or 10,000+ if deriving revenue from data sales. Grants standard consumer privacy rights.
Applies to businesses processing data of 100,000+ New Jersey residents, or 25,000+ if deriving revenue from data sales. Grants access, correction, deletion, portability, and opt-out rights. AG enforcement only.
New York's data security and breach notification law. Requires businesses that own or license private information of New York residents to implement reasonable safeguards and notify affected individuals after a breach.
Applies to businesses processing data of 100,000+ Oregon residents, or 25,000+ if deriving revenue from data sales. Includes strong protections for sensitive data and children's information. No revenue threshold — smaller companies may be covered.
Rhode Island Data Transparency and Privacy Protection Act
RIDPA — R.I. Gen. Laws §§ 6-48.1-1–6-48.1-13
Applies to businesses processing data of 35,000+ Rhode Island residents, or 10,000+ if deriving revenue from data sales. Focused on transparency and notice obligations. Effective January 2026.
Applies to businesses processing data of 100,000+ Tennessee residents, or 25,000+ if deriving revenue from data sales. Provides an affirmative defense for businesses that implement NIST-aligned privacy programs.
Applies to any business processing Texas residents' data that is not a small business under the SBA definition — no revenue or volume threshold beyond that, making it broader than most state privacy laws. Grants standard consumer privacy rights.
Applies to businesses processing data of 100,000+ Virginia residents, or 25,000+ if deriving revenue from data sales. The first state law to follow the CCPA (effective 2023); it became the template for CO, CT, UT, and many others. AG enforcement only.
Brazil's "Internet Bill of Rights" establishing principles of net neutrality, privacy, and freedom of expression online. Imposes data retention, user notification, and due process requirements on internet service providers.
Comprehensive EU regulation governing online intermediaries and platforms. Imposes content moderation, transparency, and risk-mitigation obligations — with tiered requirements based on platform size. Very Large Online Platforms face the strictest rules.
French law establishing principles of openness, fairness, and loyalty for digital platforms. Includes provisions on data portability, platform transparency, and algorithmic accountability.
New Zealand law creating civil and criminal remedies for online harassment and digital abuse. Imposes takedown and content-moderation obligations on digital communications providers.
Act on Promotion of Information and Communications Network Utilization and Information Protection
Network Act — Act No. 19310
Imposes data protection, security, and user consent obligations on operators of information and communications networks in South Korea. One of Asia's earliest comprehensive internet regulatory frameworks.
UK law imposing duty-of-care obligations on online platforms to protect users — especially children — from illegal and harmful content. Ofcom enforces with fines up to 10% of global turnover.