GLOSSARY

Compliance terms, in English.

Every law, every license, every acronym that affects an AI-built app. Defined the way you’d explain it to a friend who just shipped on Lovable. 22 terms.

ADA Title III

aka Americans with Disabilities Act, Title III

A US federal law that says "places of public accommodation" (most commercial websites) must be usable by people with disabilities. Courts have ruled this applies to consumer-facing websites and mobile apps, especially after Robles v. Domino's (9th Circuit, 2019).

Why it matters: If your AI-built app is a commercial site served to US users, it probably falls under ADA Title III. Plaintiff law firms filed 3,117 federal lawsuits in 2025 against websites for accessibility failures.

AGPL-3.0

aka GNU Affero General Public License v3

An open-source license stronger than GPL. Under §13, if you make software "available over a network" (i.e. as a web service), you must make the source code available to your users — even if you never distribute the software in the traditional sense.

Why it matters: If your AI assistant imported an AGPL package into your bundle, you may be legally obligated to publish your entire app's source code. Detection is automated; compliance is binary.

AI Act (EU)

aka European Union Artificial Intelligence Act

The EU's risk-tiered AI regulation. Adopted in 2024, phasing in through 2026–2027. Most relevant clause for vibe-coded apps is Article 50 (transparency obligations): users must be told when they're interacting with an AI system.

Why it matters: Any feature in your app that uses an LLM (chatbot, autocomplete, generation) likely triggers Article 50 disclosure once the relevant phase activates.

axe-core

The open-source accessibility testing engine from Deque Systems. Implements ~90 automated rules covering WCAG 2.0 / 2.1 / 2.2 violations. Used by Lighthouse, Pa11y, Storybook, and most automated accessibility tools — including Comply Code.

Why it matters: When Comply Code reports an accessibility finding, axe-core is the underlying rule engine. Each finding cites the specific rule and links to the canonical definition.

CCPA

aka California Consumer Privacy Act

California state law (effective 2020, amended by CPRA in 2023) that gives California residents rights to know what data businesses collect about them, delete it, and opt out of its "sale." Applies to for-profit businesses meeting size or data thresholds.

Why it matters: If your app has California users and you load tracking pixels (Meta, Google, TikTok), that data-sharing can constitute a "sale" under CCPA. You need a "Do Not Sell" affordance.

COPPA

aka Children's Online Privacy Protection Act

US federal law (1998, updated 2013, FTC NPRM 2024) that restricts data collection from users under 13. Requires "verifiable parental consent" for kids' apps and gives the FTC authority to fine violators.

Why it matters: If your AI-built app could plausibly be used by children (game, chat, social, edtech), you likely need an age gate plus parental-consent flow. Most vibe-coded kids' apps ship neither by default.

Copyleft

A category of open-source licenses (GPL, AGPL, LGPL, MPL, EPL, CDDL) that require derivative works to be released under the same license. The opposite of permissive licenses (MIT, Apache, BSD), which allow proprietary use.

Why it matters: If AI-generated code reproduces a chunk of copyleft-licensed code, your derivative work may inherit the licensing obligation. For some licenses (AGPL), that means publishing your source.

Doe v. GitHub

aka Doe v. GitHub, Inc., et al.

Class-action lawsuit filed November 2022 in the Northern District of California against GitHub, OpenAI, and Microsoft over GitHub Copilot reproducing licensed code from its training data. Motion to dismiss partially granted in 2023; appeal accepted by the Ninth Circuit December 2024 on the DMCA §1202(b) claim.

Why it matters: The leading active case on whether AI output inherits licensing obligations from training data. The legal question — "if Copilot reproduces my GPL code into your project, are you bound by GPL?" — is not yet definitively settled.

EAA

aka European Accessibility Act

EU directive (2019/882) requiring digital products and services sold to consumers to meet accessibility standards. Took effect in member states June 28, 2025. Applies to consumer-facing apps from companies with €2M+ revenue or 10+ employees.

Why it matters: If you sell or operate in the EU above the size threshold, your app must conform to WCAG 2.1 AA. Enforcement is still ramping; the legal exposure exists now.

ePrivacy Directive

aka ePrivacy Directive 2002/58/EC

EU directive that regulates electronic communications and cookies. Article 5(3) is the famous "cookie law": website operators must obtain prior, informed consent before storing or accessing non-essential cookies or tracking technologies.

Why it matters: Every pre-consent firing of Meta Pixel, Google Ads, or any analytics pixel on an EU-served page is a 5(3) violation. This is what Comply Code's privacy scanner specifically catches.

Findings

Within Comply Code, an individual problem detected during a scan — e.g. a missing form label on a signup input. Each finding includes severity, citation, evidence, and (with an unlock) a paste-into-Cursor fix prompt.

Why it matters: The findings list is the primary output of a scan. Severity is weighted against 2025 demand-letter citation patterns — lawsuit-worthy issues rise; pedantic structural rules sink.

GDPR Art. 6(1)(a)

aka General Data Protection Regulation, Article 6, paragraph 1, point (a)

The GDPR clause that says processing of personal data is lawful only if the user has given explicit consent. Combined with Article 4(11), "consent" must be a freely given, specific, informed, and unambiguous indication of agreement.

Why it matters: If your app loads tracking pixels before the user clicks "Accept" — and your users are in the EU — you're operating without a lawful basis. This is the most-cited GDPR clause in enforcement actions.

GPL

aka GNU General Public License

Family of strong copyleft licenses (GPL-2.0, GPL-3.0). Software using GPL code must be distributed under the same license, including all source code. Versions differ in patent and tivoization clauses.

Why it matters: If AI-generated code includes verbatim or near-verbatim chunks of GPL source, your derivative work inherits the obligation. Comply Code's bundle fingerprinter detects this.

HIPAA Marketing Rule

aka 45 CFR §164.501 — "marketing" definition

A HIPAA rule that restricts what counts as "marketing" — communications about a product or service that encourage purchase. Sending Protected Health Information (PHI) to third parties for marketing requires explicit patient authorization and a Business Associate Agreement (BAA).

Why it matters: Loading Meta Pixel on a telehealth page mentioning a specific medication transmits PHI to Meta without authorization. The OCR's $7M settlement with Cerebral (2023) was for this exact pattern.

IP

aka Intellectual Property

Legal protection for creations of the mind — including copyright (for code), patents, trademarks, and trade secrets. In the context of Comply Code, "IP" usually refers to copyright in code and the open-source license obligations attached.

Why it matters: If your AI-generated code isn't copyrightable, you may not own your app's most important asset. If it includes contaminated open-source code, you may owe obligations you didn't agree to.

LGPL

aka GNU Lesser General Public License

A weaker form of GPL that includes a "linker exception": software can use an LGPL library without itself becoming GPL, as long as consumers can swap in modified versions of the library.

Why it matters: Bundling LGPL code into a minified JS bundle often violates the LGPL because users can't replace the library. Many vibe-coded apps unknowingly bundle LGPL packages without complying.

MCP

aka Model Context Protocol

Anthropic-introduced (Nov 2024) open protocol for AI tools to call external services. Lets agents like Claude Code and Cursor invoke external scanners, databases, and APIs as native tool calls. Comply Code exposes five MCP tools.

Why it matters: An MCP server means your AI tool can run a Comply Code scan, fetch findings, apply fixes, and verify — all inside the chat where you build.

Place of Public Accommodation

aka PoPA

Term in ADA Title III referring to commercial entities that serve the public. Courts have extended this to websites; most US circuits agree, the 11th remains more restrictive. Internal employee tools and personal blogs are typically out of scope.

Why it matters: Whether ADA applies to your app turns on this classification. Comply Code's classifier returns "yes," "no," or "arguable" based on commercial intent, deployed-app signals, and form structure.

Robles v. Domino's

aka Robles v. Domino's Pizza, LLC, 913 F.3d 898 (9th Cir. 2019)

Landmark ADA web-accessibility case. A blind plaintiff could not use Domino's website to order. The 9th Circuit ruled that the ADA's Title III applies to websites integrated with physical places of business. The Supreme Court denied certiorari in October 2019, letting the ruling stand.

Why it matters: This is the case every plaintiff's law firm cites when sending an ADA demand letter. It's why the 2025 lawsuit count is 3,117 federal filings.

UPL

aka Unauthorized Practice of Law

Laws in every US state restricting who can provide legal advice. Software tools that give definitive legal opinions can risk UPL claims. Tools that surface patterns and provide citations (not advice) are generally safe.

Why it matters: Comply Code is risk triage, not legal advice — that's a deliberate boundary. The framing on every report makes the distinction explicit.

USCO

aka United States Copyright Office

Federal office that registers copyrights and issues policy guidance. Part 2 of its Artificial Intelligence Report (January 2025) clarified that works without sufficient human authorship are not copyrightable — including most pure AI-generated content.

Why it matters: If your codebase was generated by Cursor or Lovable without meaningful human creative input, large portions may not be your copyright. This is increasingly checked in M&A diligence.

WCAG 2.2

aka Web Content Accessibility Guidelines 2.2

International accessibility standard from the W3C (October 2023). Defines four principles (Perceivable, Operable, Understandable, Robust) and three conformance levels (A, AA, AAA). Level AA is the legal target in most jurisdictions.

Why it matters: WCAG 2.2 §1.4.3 (color contrast), §1.3.1 (form labels), §1.1.1 (alt text), and §2.4.4 (link names) are the four most-cited criteria in 2025 ADA demand letters — combined ~75% of all citations.