Legal & Compliance
Global Privacy & GDPR
172 Countries Have Data Privacy Laws
Graham Greenleaf (UNSW law professor, April 2025) counted 172 countries with data privacy laws as of March 2025, adding 12 new laws in 2023/24 at an average rate of 5.4 per year since 2020. The IAPP 2026 Global Privacy Law and DPA Directory reports 98% of developed nations are covered. Regional breakdown: Europe 98%, Africa 77%, North America 75%, Asia 72%, South America 71%, Oceania 35%. A few countries still lack even draft bills. No business is too small to be caught.
GDPR Fines Are Intensifying
Cumulative fines reached approximately 7.1 billion EUR across 2,900+ enforcement actions by early 2026 (Kiteworks GDPR Fines tracker).
Spain's AEPD is the highest-volume enforcer with 1,021+ fines by September 2025, issuing hundreds in the 1K-10K EUR range against small businesses for surveillance, marketing consent, and breach failures. Ireland's DPC leads by value at roughly 4.04B EUR cumulatively, driven by Big Tech fines (Meta 1.2B EUR, TikTok 530M EUR, LinkedIn 310M EUR).
Romanian Individual: ~200 EUR
Posted another person's pay slip and personal data on Facebook and paper flyers without a legal basis.
Austrian Individual: 600 EUR
Disclosed another person's health data (a disability claim) to a public institution without a legal basis.
Spanish Individual: 10K EUR
Shared images of minors on Instagram without consent.
Polish Company (Bisnode): ~220K EUR
Failed to inform millions of people, whose data it processed, of their GDPR rights under Article 14. A warning for anyone processing third-party data.
Voodoo Games (CNIL)
French mobile game developer fined 3M EUR for reading an advertising identifier without consent. Directly relevant to app developers.
Clubhouse: 2M EUR
Italy fined them for lack of transparency and storing audio without consent.
UK GDPR Post-Brexit
Fewer fines but dramatically higher amounts in 2025.
The Data (Use and Access) Act 2025 (DUAA) received Royal Assent June 19, 2025. Key changes: raised PECR penalty caps from 500K GBP to match UK GDPR maximums (17.5M GBP or 4% of global turnover), new requirements for data subjects to complain directly to organizations before escalating to the ICO, broadened legitimate interest basis, and reframed automated decision-making restrictions.
Practical difference from EU GDPR: The ICO is far less aggressive in volume (single-digit annual enforcement versus hundreds from Spain's AEPD). Commissioner John Edwards has argued that fines are not always the most effective enforcement tool, particularly against public-sector bodies. The UK has no equivalent of the EU AI Act.
US & International Privacy Laws
20 States With Comprehensive Privacy Laws
Twenty US states have comprehensive consumer privacy laws in effect as of 2026; no comprehensive federal privacy law exists or appears imminent.
California
Only state with a dedicated agency (CPPA), broadest scope, and the only private right of action for data breaches.
Texas
No revenue threshold at all. Applies to any entity doing business in the state.
Maryland
Strictest data minimization. Bans the sale of sensitive data entirely.
Rhode Island
One of the lowest thresholds at 35,000 consumers, matched by New Hampshire and Delaware. Montana's base threshold is 50,000 (dropping to 25,000 for businesses earning 25%+ of revenue from selling data).
CCPA/CPRA Enforcement
Fines assessed per affected consumer, compounding to massive totals.
Tractor Supply Co.
$1.35MCPPA's largest fine (Sept 2025). Ineffective opt-out, failure to honor GPC signals, privacy policy not updated since 2021. Investigation started from a single consumer complaint.
Healthline Media
$1.55MLargest AG CCPA settlement (Jul 2025). Failed to honor opt-outs for targeted ads, shared health condition data with third parties.
Jam City
$1.4MNo in-app CCPA opt-outs across 21 mobile games. Sold teen data without opt-in consent.
Todd Snyder, Inc.
$345K40-day delay processing opt-outs. Required photo ID for opt-out requests, classified as a dark pattern.
GPC Enforcement Is Top Priority
Businesses must honor browser-based Global Privacy Control signals in a frictionless manner. Multiple states now require universal opt-out mechanism recognition (CA, CO, CT, OR, MT, MN). The California Delete Act launched the DROP (Delete Request and Opt-Out Platform) on January 1, 2026. Starting August 1, 2026, data brokers must access DROP at least once every 45 days and process the deletion requests they find (the 45 days is a check cadence, not a per-request completion deadline).
COPPA Enforcement
The FTC aggressively targets app developers who collect children's data.
Epic Games (Fortnite): $275M
2023. The $275M COPPA penalty was part of a broader $520M FTC settlement (the other $245M covered dark-pattern charges).
Disney: $10M
2025. Enabled unlawful collection of children's data on YouTube videos not labeled "Made for Kids."
NGL Labs: Banned for Under-18s
Jul 2024. First FTC order barring an online service from offering itself to minors at all.
HyperBeard: $150K
Collected children's persistent identifiers via third-party ad SDKs without consent.
January 2025 COPPA Amendments
New rules require separate opt-in consent for sharing children's data with third parties. Embedding third-party SDKs inherits their COPPA violations. Your vendors' COPPA missteps are your own.
FTC Health Breach Notification Rule
Applies to health-adjacent apps, not just HIPAA-covered entities. The HBNR is the primary enforcement threat for vibe coders building health apps.
GoodRx
$1.5MFirst-ever HBNR enforcement (Feb 2023). Shared prescription data with Facebook and Google via tracking pixels.
BetterHelp
$7.8MMar 2023. Shared mental health data with Facebook, Snapchat, and Pinterest for advertising. Misrepresented HIPAA compliance.
Premom (Easy Healthcare)
$200KMay 2023. Fertility app shared health data with third-party SDKs ($100K FTC penalty plus $100K to state AGs).
Context Reveals Conditions
Even sharing an email address can constitute health data disclosure if context reveals health conditions. For example, if a user visits a mental health service and their email is shared with an analytics provider, that context alone may trigger HBNR obligations.
Canada, Australia, Brazil
Canada
PIPEDA still from 2000. Bill C-27 died Jan 2025.
The Privacy Commissioner can recommend but cannot directly impose financial penalties. Maximum penal fine is only $100,000 CAD.
Quebec Law 25 (fully effective Sept 2024) is the critical exception: requires explicit opt-in consent for sensitive data and cookies. The only North American jurisdiction with EU-style opt-in. Penalties reach $25M CAD or 4% of gross worldwide revenue.
Large Canadian companies are aligning with Law 25 nationally since it is the strictest Canadian regime.
Australia
POLA Act passed Dec 2024.
A statutory tort for serious privacy invasions commenced June 10, 2025, allowing Australians to sue for up to AU$478,550 in damages.
The small business exemption (businesses under AU$3M turnover, covering approximately 95% of Australian businesses) still exists but is expected to be abolished in Tranche 2 reforms.
There is no specific cookie consent law in Australia currently. New Privacy Commissioner Carly Kind has signaled more enforcement focus.
Brazil
ANPD issued approximately BRL 98M total.
The first-ever LGPD sanction hit Telekall Infoservice, a micro-company telecom, with BRL 14,400 (~$2,960) for processing data without legal basis and failing to appoint a DPO.
ANPD suspended Meta's use of Brazilian user data for AI training in July 2024, threatening BRL 50,000 per day.
LGPD enforcement is significantly less mature than GDPR. Cumulative US$20M versus GDPR's ~7.1B EUR.
Cookie Consent by Jurisdiction
Default to the highest standard (EU opt-in) when user location is unclear.
EU / UK
Strict Opt-InBlock all non-essential cookies before consent. Granular options required, one-click withdrawal mandatory.
California
Opt-OutDisclose cookie use, provide "Do Not Sell or Share" link, and honor GPC signals.
Brazil
Opt-InFollows GDPR principles. Requires consent before setting non-essential cookies.
Australia
Notice OnlyNo specific cookie law currently. Informational notice is sufficient.
Cookiebot (Usercentrics)
From ~12 EUR/month. Automatic scanning, Google Consent Mode v2 support.
CookieYes
From ~$10/month. Affordable alternative with similar feature set.
Privacy Policy Generators Compared
Recommendation: PrivacyPolicies.com at $14 one-time for budget projects. Termly at $10-$14/month for ongoing auto-updates as laws change.
Copyright & Licensing
AI-Generated Code Likely Cannot Be Copyrighted
The US Copyright Office Report, Part 2 (January 29, 2025) established that merely providing prompts is not sufficient for copyright ownership. "Repeatedly entering prompts until the output matches desired expression" is insufficient, described as "like spinning a metaphorical wheel with infinite possibilities." Code generated purely by AI prompts likely falls into the public domain, meaning competitors can freely copy it. However, AI-generated code that a human substantially modifies, arranges, or integrates may be protectable, evaluated case-by-case with no clear-cut threshold. Thaler v. Perlmutter confirmed that human authorship is required: the D.C. Circuit affirmed the Copyright Office's refusal in March 2025 (the 2023 district-court opinion called human authorship a "bedrock requirement" of copyright), and the Supreme Court declined to hear the case, denying certiorari on March 2, 2026 and leaving the human-authorship rule in place.
Open-Source License Contamination Is a Live Legal Risk
The Doe v. GitHub lawsuit (filed November 2022, N.D. Cal., now on appeal to the Ninth Circuit) alleges Copilot was trained on billions of lines of GPL, MIT, and Apache-licensed code and outputs code without required attribution. Plaintiffs floated theoretical DMCA statutory damages in the $9B+ range; this is a plaintiff-side calculation, not a judgment. The DMCA §1202(b)(1) and (b)(3) claims were dismissed with prejudice in July 2024; what survived are the open-source-license and breach-of-contract claims. The dismissal of the DMCA claims is what is now on an interlocutory appeal to the Ninth Circuit (No. 24-6136, accepted December 2024). The case still treats open-source licenses as real, enforceable agreements. By GitHub's own research, fewer than 1% of Copilot suggestions may reproduce training-set code, and its public-code filter blocks matches longer than about 150 characters. You are legally responsible for code you ship regardless of who wrote it. Run license scanners. Understand the difference between permissive (MIT, Apache) and copyleft (GPL, AGPL) licenses.
Accessibility & Data Implementation
94.8% of Top 1M Homepages Fail WCAG 2
WebAIM Million 2025 analysis. AI-generated code is often worse.
Pages using ARIA attributes (which AI generates liberally) averaged 34.2% more accessibility errors than those without.
Most target small businesses
Companies under $25M revenue. That share was about 64% of defendants in 2025, down from roughly two-thirds in prior years (UsableNet). Settlements range $5,000-$75,000 plus attorney fees and redesign costs.
40% of 2025 filings are pro se
Self-represented plaintiffs using AI to draft complaints. Suggests lawsuit volume will continue rising.
accessiBe fined $1M by FTC (Jan 2025)
False advertising about its accessibility overlay widget. 25% of 2024 lawsuits targeted sites using overlay widgets.
DOJ Title II Rule
Requires WCAG 2.1 AA conformance for state and local government sites. DOJ extended the compliance date to April 26, 2027 for large public entities (population 50,000+), and April 26, 2028 for smaller entities.
European Accessibility Act (EAA)
Effective June 28, 2025. Applies to ANY organization providing covered services to EU consumers, regardless of headquarters location.
Micro-enterprise exemption: Fewer than 10 employees AND annual turnover not exceeding 2M EUR (for service providers). There is also an "undue burden" exemption.
Requires compliance with EN 301 549, which incorporates WCAG 2.1 Level AA. Accessibility widgets or overlays alone are not sufficient for conformance.
Penalties must be "effective, proportionate, and dissuasive" and are set individually by each member state, so maximum fines vary widely across the EU. Market-surveillance authorities can also order non-compliant products withdrawn from the market. Enforcement is still ramping up, with few penalties publicly reported as of early 2026.
Privacy Nutrition Labels (App Stores)
Apple requires declaring data across 14 categories with 6 purposes.
Typical Vibe-Coded App (Auth + Analytics)
- Declare email address and user ID as "Data Linked to You" for App Functionality.
- Declare product interaction, crash data, and device ID as "Data Not Linked to You" for Analytics.
- If you use any ad SDK, declare device ID under "Data Used to Track You."
- Google requires explicit "collected" vs. "shared" declarations (Apple implies sharing through tracking).
- Google prominently displays security practices (encryption, data deletion).
- Google has no "optional disclosure" exemption. All collected data must be declared.
- Both require a privacy policy URL.
GDPR Essentials
Total fines exceed 7.1 billion EUR
Consent: Cookie banners must offer equal Reject/Accept options (no dark patterns). Google was fined 150M EUR for making rejection harder than acceptance.
Deletion: "Delete Account" must actually delete data, not just set a deleted: true flag. Drop the rows.
Breach Notification: You have 72 hours to report a data breach to authorities. Document everything.
Data Minimization: Only collect data you actually need. If you don't need a phone number, don't ask for one.
CAN-SPAM & CCPA (US)
CAN-SPAM: Every marketing email needs a working unsubscribe link and a valid physical postal address. Violations cost $53,088 per email. Honor opt-outs within 10 business days.
Google/Yahoo 2024 Rules: SPF/DKIM/DMARC authentication required, one-click unsubscribe header mandatory, complaint rates must stay below 0.3%. Failing these means your emails go straight to spam.
CCPA (California): Applies if you have $25M+ in annual revenue, buy, sell, or share the data of 100,000+ California consumers or households, or make 50%+ of revenue from selling data. Covered businesses that sell or share personal information must provide a "Do Not Sell or Share My Personal Information" option.
Children's Data: COPPA applies if any users are under 13. Requires verifiable parental consent.
What Data to Store (And What Never to Store)
OK to Store
- Email addresses (with consent)
- Hashed passwords (bcrypt/argon2)
- Subscription status
- User preferences
- App-generated content
Minimize Storage
- Full names (only if needed)
- Phone numbers (only if needed)
- IP addresses (anonymize after use)
- Usage analytics (aggregate when possible)
- Location data (use coarse precision)
Never Store
- Plain-text passwords
- Full credit card numbers (let Stripe handle it)
- Government IDs / SSNs
- Health data (HIPAA)
- API keys in your database
"Delete My Account" Done Right
GDPR requires actual deletion, not just setting a flag. Here is the correct cascade order.
// Correct deletion cascade order
1. Delete user's posts, comments, uploads
2. Cancel active Stripe subscription
3. Remove from email provider (Resend, SendGrid)
4. Anonymize analytics data (replace userId with "deleted")
5. Delete auth account (Clerk, Supabase Auth)
6. Delete user row from database
7. Log deletion request for audit trail
Keep Financial Records
Tax law requires retaining financial records for 5-7 years. Anonymize the personal data but keep transaction amounts and dates. Replace user attribution with "[deleted user]" on any content that must be retained.
Generate Your Privacy Policy with AI
"Generate a privacy policy for [app name], a [describe app]. We collect: [list data types]. We use [list services: Supabase, Stripe, Resend, etc.]. We operate in [countries/regions]. Include GDPR, CCPA, and CAN-SPAM compliance sections. Use plain language, not legalese."
Get a Lawyer Review
AI-generated privacy policies are a solid starting point, but have a lawyer review before launch. A basic legal review costs $500-$1,500 and is far cheaper than a GDPR fine. Many startup-focused law firms offer flat-rate packages.
Watch for Phantom Statistics
The commonly cited "89% of apps built on no-code/low-code platforms lack proper consent mechanisms" cannot be verified. Extensive searching across Gartner, Forrester, KPMG, and Deloitte found no credible source. The closest real statistic: Usercentrics (2022) found "90% of apps available in the EU that we looked at were not compliant with the GDPR." Use this with proper attribution instead. Similarly, "67% of low-code apps can't locate all the places personal data is stored" has no credible source. Always verify compliance statistics before citing them.
WCAG 2.1 AA: The Four Principles in Plain English
Every WCAG requirement falls under one of these four principles. Here is what they actually mean for your code.
1. Perceivable
Users must be able to perceive all content through at least one sense.
- Every
<img>needs descriptivealttext (oralt=""for purely decorative images) - Videos must have captions and audio descriptions for meaningful visual content
- Color alone must never be the only way to communicate meaning (add icons, text, or patterns alongside color)
- Text must meet a 4.5:1 contrast ratio against its background (3:1 for large text 18px bold or 24px regular)
2. Operable
Users must be able to operate all interface components using any input method.
- Every interactive element must be reachable and usable with keyboard alone (no mouse required)
- No keyboard traps: users must be able to Tab into and out of every component
- Provide a "Skip to main content" link as the first focusable element on each page
- Focus indicators must be clearly visible (never hide them with
outline: noneunless you provide a replacement)
3. Understandable
Users must be able to understand both the content and how the interface works.
- Set the page language with
lang="en"on the<html>element (screen readers use this for pronunciation) - Navigation must be consistent across all pages (same order, same labels)
- Form validation errors must be identified with text descriptions, not just a red border or color change
- Labels and instructions must appear before or alongside form inputs, not only as placeholder text
4. Robust
Content must work reliably across browsers, devices, and assistive technologies.
- Write valid HTML with no duplicate
idattributes (screen readers rely on unique IDs for label associations) - All custom interactive components need appropriate ARIA roles (e.g.,
role="tablist",role="dialog") - Dynamic status messages must use
role="status"(polite) orrole="alert"(urgent) so screen readers announce them - Use semantic HTML elements first (
<nav>,<main>,<header>) before reaching for ARIA attributes
4-Phase Accessibility Audit Process
A structured approach that catches the vast majority of accessibility issues. Run all four phases in order.
Automated Scanning
Catches roughly 30% of issues. Start here because it's fast and free.
Tools
- axe DevTools (Chrome extension, free) - best starting point for most developers
- Lighthouse (built into Chrome DevTools, Audits tab) - includes accessibility scoring
- WAVE (browser extension) - provides visual overlay of issues directly on the page
What They Catch
- Missing alt text on images
- Contrast ratio violations
- Missing form labels
- Invalid ARIA attributes
What They Miss
- Whether alt text is actually meaningful (they only check if it exists)
- Logical focus order and tab sequence
- Whether interactive patterns are understandable to users
Keyboard Testing
Catches roughly 25% of issues. Put your mouse away and Tab through the entire application.
Test These Interactions
- Can you reach every interactive element with Tab?
- Is the focus indicator visible on every focused element?
- Does Enter/Space activate buttons and links?
- Does Escape close modals and popups?
- Do arrow keys navigate within dropdowns, tabs, and menus?
Common Failures
<div onClick>used instead of<button>(divs aren't keyboard focusable by default)outline: noneapplied globally without a visible replacement focus style- Modal dialogs that have no Escape key handler and no focus trap
Screen Reader Testing
Catches roughly 30% of issues. Test with at least one screen reader.
Free Screen Readers
- VoiceOver (macOS and iOS, built-in, free)
- NVDA (Windows, free and open-source download)
- TalkBack (Android, built-in, free)
What to Verify
- Headings announce their correct level (h1, h2, h3) and text
- Form labels are read aloud when the input receives focus
- Buttons and links have descriptive names (not just "button" or "click here")
- Dynamic content changes are announced (toast messages, loading states)
Common AI Failures
- Buttons announced as generic "button" instead of "Submit application"
- Images announced as "image" because alt text is missing or empty on meaningful images
- Form inputs without associated labels (screen reader says "edit text" with no context)
- Dynamic content not announced because
aria-liveregions are missing
Visual and Cognitive Testing
Catches roughly 15% of issues. These are the problems automated tools and keyboard testing overlook.
Contrast
- Use the WebAIM Contrast Checker to verify all text meets 4.5:1 (or 3:1 for large text)
- Check contrast on focus indicators, icons, and form field borders too
Zoom and Reflow
- Zoom the browser to 200% and verify all content remains readable with no overlapping text
- Resize the browser window to 320px wide and verify there's no horizontal scrollbar
Motion and Animation
- Enable "Reduce motion" in your OS accessibility settings
- Verify all animations respect the
prefers-reduced-motionmedia query - No content should auto-play, flash, or move without user control
Fixing Common AI-Generated Accessibility Issues
AI code generators consistently produce these seven patterns. Each one is a WCAG failure and a potential lawsuit trigger.
1. The Div-Soup Problem
AI wraps everything in <div> elements instead of using semantic HTML for interactive controls.
// Bad: div is not a button
<div onClick={handleSubmit}>
Submit
</div>
// Good: semantic button element
<button onClick={handleSubmit}>
Submit
</button>
2. Missing Form Labels
AI uses placeholder text as the only label. Placeholders disappear on focus and aren't announced by all screen readers.
// Bad: no label, placeholder only
<input placeholder="Email" />
// Good: explicit label association
<label htmlFor="email">Email</label>
<input id="email" type="email" />
3. Click Handlers on Non-Interactive Elements
A <div onClick> is invisible to keyboard and screen reader users. If you can't use a <button>, you need three additions.
// Bad: keyboard users cannot activate
<div onClick={toggle}>Menu</div>
// Good: keyboard accessible div
<div role="button" tabIndex={0}
onClick={toggle}
onKeyDown={(e) =>
(e.key === 'Enter' || e.key === ' ') && toggle()
}>Menu</div>
4. Images Without Alt Text
AI omits alt attributes entirely or sets them to the filename. Screen readers will read the full file path instead.
// Bad: no alt attribute
<img src="/team-photo.jpg" />
// Good: descriptive or empty alt
<img src="/team.jpg" alt="Team at 2025 summit" />
// Decorative image: empty alt
<img src="/divider.svg" alt="" />
5. Color-Only Indicators
AI marks errors with red text or borders alone. Users who are colorblind or using monochrome displays can't distinguish these.
// Bad: color is the only indicator
<span style={{color: 'red'}}>
Invalid email
</span>
// Good: icon + text + color
<span role="alert" className="text-red-500">
⚠ Error: Please enter a valid email
</span>
6. Focus Management in Modals
AI creates modal dialogs that lack focus trapping. Keyboard users Tab behind the modal into invisible page content.
// Bad: no trap, no escape, no role
<div className="modal">
<p>Confirm?</p>
</div>
// Good: role, label, escape handler
<FocusTrap>
<div role="dialog"
aria-labelledby="modal-title"
onKeyDown={(e) =>
e.key === 'Escape' && close()
}>
<h2 id="modal-title">Confirm</h2>
</div>
</FocusTrap>
7. Insufficient Contrast
AI selects colors for aesthetics, not accessibility. Light gray on white is a common failure.
// Bad: 2.5:1 ratio (fails WCAG)
color: #999999;
background: #ffffff;
// Good: 7.0:1 ratio (passes AAA)
color: #595959;
background: #ffffff;
// Check: webaim.org/resources/contrastchecker
Accessibility Audit Prompt
Copy this prompt and paste it into your AI assistant alongside your code to get a thorough accessibility review.
"Perform a complete WCAG 2.1 AA accessibility audit on my [framework] application. Test every component and page. For each failure: state the WCAG criterion number and name, the specific element that fails, the exact code fix needed, and priority (critical/high/medium/low). Pay special attention to: div/span elements used instead of semantic HTML, missing form labels, click handlers on non-interactive elements, images without alt text, insufficient color contrast, missing keyboard navigation, missing ARIA labels on custom components, no focus management in modals, and dynamic content that is not announced to screen readers. Group your findings by page and sort by priority within each page."
Four Steps Cover 90% of Accessibility Issues
(1) Run an automated scanner like axe DevTools. (2) Test the entire app with keyboard only. (3) Test with a screen reader (VoiceOver, NVDA, or TalkBack). (4) Check color contrast with WebAIM Contrast Checker. Then use AI to generate fixes for everything you find. This process takes 1-3 hours for a typical application and prevents lawsuits that cost $5,000-$75,000 in settlements.