Long-form pieces on the legal questions every vibe coder eventually runs into. Lawsuit data, enforcement patterns, court rulings on AI code, copyleft mechanics. We try to write each one so you can hand it to a non-lawyer founder and they’ll get it.
Open-source licenses range from "use freely, even commercially" to "if you ship this on the network, your entire app's source must be public." AI coding tools reproduce code from all of them with no license headers attached. The license obligations travel with the code anyway. This is the cheat sheet you can reference when something flags in a scan or shows up unexpectedly in a dependency tree.
An SBOM is a machine-readable inventory of every software component in your application — direct dependencies, transitive dependencies, versions, licenses, suppliers. Procurement teams at large enterprises and the US federal government now require them; the EU's Cyber Resilience Act will require them for products sold in the EU starting late 2027. The good news: generating one for a JS or Python app takes minutes with the right tool.
If you vibe-coded a tool that drafts contracts, files small-claims paperwork, or answers legal questions, the question isn't whether UPL law applies to you — it's whether you've crossed the line your state's bar uses to decide. Here's the actual test, the language that gets investigated, and the mitigations the legal-tech category has converged on.
Mental-health software has a regulatory stack that's deeper than founders usually realise. State psychology licensing boards police diagnosis and treatment claims. The FTC enforces against deceptive data-sharing. The FDA regulates anything that diagnoses or treats — even via chatbot. And both major app stores now require crisis-resources disclosure. Here's the enforcement record, the four-layer compliance stack, and what to ship before traffic scales.
The line between a 'financial information tool' and an 'unregistered investment adviser' is narrow and the SEC has been actively enforcing it against AI-flavoured retail products. The Investment Advisers Act's three-part test (advice, securities, compensation) catches a lot of products founders didn't think were in scope. Here's the test, the Marketing Rule, the enforcement record, and the registration-vs.-disclaimer decision every operator has to make.
The European Accessibility Act is the EU's parallel to ADA Title III — but more prescriptive, more proactive, and now actively enforced. Most US founders building consumer apps have never heard of it. EU regulators have started sending advisory letters to non-compliant operators, and a handful of countries have already issued fines. Here's what changed in June 2025 and what to do.
The HHS Office for Civil Rights and the FTC have made tracking pixels on health apps a top enforcement priority since 2023. The math is brutal because the violations are per-affected-user — a single Meta Pixel firing on a checkout page that mentions a medication can produce a six- or seven-figure settlement. Here's the pattern, the recent cases, and what to actually check.
If you're remediating an app for ADA or EAA compliance in 2026, the question is which WCAG version to target. WCAG 2.1 is what most current law references explicitly. WCAG 2.2 is what the next round of regulations and standards will reference. Doing the work twice is wasteful; doing 2.2 first costs almost nothing extra. Here's the differential.
If you're operating a SaaS or consumer app from anywhere in the world, you probably need to comply with both GDPR and CCPA — they reach you based on customer location, not company location. The good news: the requirements overlap significantly, and a single compliance architecture can satisfy both. Here's what triggers each, what they actually require, and where they diverge.
The EU AI Act is the most comprehensive AI regulation in any major market. It's law as of August 2024 with obligations phasing in through 2027 — and the penalty regime is more severe than GDPR's. Most founders building AI-touched SaaS apps will land in the "limited-risk" or "transparency" tier, which means a manageable disclosure-and-labeling regime. A minority will hit high-risk obligations that materially change what they can ship. Here's the operative framework.
You shipped fast. Now ship safely. This is the complete pre-launch checklist for an AI-built web app — what to set, what to check, what to watch for the day you go live. Each item is one or two sentences of plain English. Skip nothing on the P0 list.
Search engines need help understanding what your app is and who it's for. This is the 12-step setup any indie founder can run through in under 90 minutes — no SEO expertise required, no agency, no shady backlink buying.
When someone asks ChatGPT 'what's the best compliance scanner for Lovable apps?' you want your answer to be the one it cites. This is how AEO and GEO actually work — practical tactics evidence-based on what gets cited, not marketing fluff.
Receiving an ADA accessibility demand letter is alarming the first time. It is also routine — roughly 30,000–60,000 are sent in the US each year and the response playbook is well established. This is what to do, in order, before you do anything you can't take back.
The cookie banner is the most-implemented and most-wrong piece of vibe-coded compliance. Either you don't have one and you're loading Meta Pixel on page-1 (GDPR violation), or you have one but it doesn't actually block tracking until consent (also GDPR violation). Here's the actual rule, the actual setup, and the cookieless option that skips the whole problem.
About 1 in 4 vibe-coded apps we scan has at least one credential leaked in the client bundle — usually a Stripe key, an OpenAI token, or a Supabase service-role key. The AI didn't mean to leak it; it just didn't know which keys are safe to expose. Here's how to find yours and fix it before someone else does.
There is no federal US privacy law. Instead, there are 19 state laws as of 2026, each with its own thresholds, definitions, and consumer rights. Most indie SaaS founders ignore everything outside California and Texas — and most are missing real obligations. Here's the actual map of who you need to comply with, in plain English.
If you build with AI and never document the human authorship, you can't prove copyright when it matters — at acquisition diligence, in a competitor-cloning dispute, or when you want to enforce your code against a copier. The fix is cheap if you do it from day one and very expensive to retrofit. Here's the documentation trail to build proactively.
The acquirer's diligence team has a checklist. Most of it didn't exist three years ago because AI-built apps weren't being acquired. Now they are, and the questions are specific: which AI tools did you use, what percentage of the codebase, whose IP is it, what compliance posture do you ship in. This is the actual checklist from the buyer's side — and how to prepare yours before the acquisition email arrives.
Two different questions get conflated all the time: "does GitHub own this?" (a contract question — answered no in their TOS) and "does anyone own this?" (a copyright question — increasingly answered "maybe not" by the US Copyright Office). The first one is settled. The second is what acquirers and litigators are starting to ask.
Analytics is the single most common place EU privacy law trips up SaaS founders. The rule is simpler than it looks: if your analytics involves reading or writing to the user's device (cookies, localStorage, fingerprinting) or processing personal data, you need consent before it fires. Here's the actual law, the narrow exceptions, and what regulators have done about it.
AGPL is the strongest copyleft license in mainstream use. It's specifically designed to cover network services, which means deploying an app — not just shipping a binary — can trigger the source-disclosure requirement. AI coding tools occasionally reproduce AGPL-licensed code from their training data. Here's what happens when those two facts collide.
If you built your app with Lovable / Cursor / Bolt / Replit and you're heading into a fundraise or acquisition, the diligence questions are different than they were two years ago. The Wix-Base44 deal in 2025 introduced "AI code provenance" as a standard line item. JP Morgan's founder guide makes it explicit. Here's what's on the checklist and how to be ready.
Lovable's default output is fast but not legal-by-default. The model has clear preferences — placeholder-only inputs, GA4 on first load, Stripe keys in NEXT_PUBLIC_*, permissive Supabase RLS — that show up in almost every production scan we run. Here's what to check, in what order, with what each one costs if it fires.
Unlike Lovable or Bolt, Cursor doesn't generate apps from a single prompt — it edits a real codebase, file by file, on your filesystem. That means more dev control, more variation in output, and a different failure profile. Most Cursor projects look professional. Most also ship with two or three of these issues hiding in plain sight.
Bolt.new's WebContainer model is impressive engineering — you watch the app build, test, and deploy from a browser tab. The compliance issues are similar to Lovable's, plus two Bolt-specific patterns: staging URLs leaking before consent flows exist, and "Continue" iterations silently regressing earlier fixes.
Replit's Agent is the most full-stack of the vibe-coding tools. In one flow it provisions a database, sets up auth, configures secrets, and deploys to Replit's hosting. That breadth is the value — and it also means more compliance surface than apps built on tools that just hand you a frontend.
If you operate a commercial website in the US, the odds of getting a demand letter went up again in 2025. Here's the actual data — federal filings, demand-letter estimates, state breakdown, the WCAG rules lawyers cite most, and what it costs to settle.
AI-built apps ship fast. The legal review that traditional dev teams used to do at handoff — accessibility, privacy, IP — usually doesn't happen. Here are the five risks that show up the most when we scan vibe-coded apps in production.