There is a moment in the life of every app when the build is finished, the demo works, and someone says the fatal words: "Let's ship it tomorrow." That sentence has launched a thousand lawsuits. Writing the code is the easy part — the code does what you tell it; the law does not. The moment your app collects an email address, charges a card, shows an ad, talks to a child, or simply sits on the store, it walks into a thicket of federal statutes, state consumer-protection laws, platform contracts you never negotiated, and open-source licenses you may not have read. The good news: almost all of it is manageable if you take it in order and start before launch. Work this checklist roughly from "will sink the company" to "will generate a nasty letter."
Phase 1 — Foundations: Entity and Ownership
- Form a limited-liability entity (LLC or, for a venture you will raise on, a Delaware C-corporation) and have that entity own the app, sign the developer agreements, and contract with users — before the app touches a single user
- Respect the corporate formalities (separate bank account, no commingling, adequate capitalization, real records) so the veil holds
- Start an insurance conversation early: technology E&O, often bundled with cyber-liability
- Paper any co-founder relationship (equity, vesting, departure)
- Collect a signed, present-tense IP assignment from every developer and contractor ("Contractor hereby irrevocably assigns... all right, title, and interest..."), with both a work-made-for-hire clause and a backup assignment plus "further assurances"
- Have employees sign a proprietary-information-and-inventions-assignment (PIIA) on day one
- Build a bill of materials for every third-party and open-source component and confirm you have the right to use each
Here is the fact that surprises almost everyone: if you hired an independent contractor to build your app, you probably do not own the code — the contractor does — unless you got a written assignment. Software is not one of the enumerated categories that can be a "work made for hire" by commission, so absent a signed agreement the contractor owns the copyright and you have at most an implied, non-exclusive license. The Supreme Court drew the employee/contractor line in Community for Creative Non-Violence v. Reid, 490 U.S. 730 (1989). Picture the buyer's lawyers in a future acquisition discovering that the freelancer who built your engine never signed anything and now smells money. Get the assignments now, while everyone is friendly and the code is worth nothing.
Phase 2 — The Gatekeepers: Apple and Google
- Read and comply with the Apple and Google developer agreements and the program guidelines for your categories (health/wellness and kids' content face extra rules)
- Understand the commission structure (classically 30%, often 15% for small developers and post-first-year subscriptions) and the platform's right to reject or remove your app
- Adopt the platform-required EULA pass-through and third-party-beneficiary terms
- Design for rejection: build privacy disclosures, age ratings, and metadata to satisfy review the first time
- Decide your steering strategy: in the U.S., post-Epic, you may steer users to a cheaper web checkout; in the EU, the Digital Markets Act permits alternative stores, sideloading, and third-party payments — a multi-country strategy question
- Do not attempt an Epic-style breach stunt; comply first, strategize second
The platforms treat your app as content distributed under their contract, and the developer agreements are functionally non-negotiable adhesion contracts of real legal force. Epic Games, Inc. v. Apple Inc. mostly lost on antitrust (67 F.4th 946 (9th Cir. 2023); cert. denied Jan. 2024), leaving Apple's model intact, but Epic won an injunction against Apple's anti-steering rules under California's Unfair Competition Law — and in 2025 the district court held Apple in contempt for grudging compliance, ordering it to stop charging commissions on external-link purchases. Your rights now genuinely differ between San Francisco, Brussels, and Seoul.
Phase 3 — The Documents the Law Makes You Write
- Draft a EULA that grants a limited, revocable, non-exclusive, non-transferable license, withholds everything else, and houses warranty disclaimers, limitation of liability, and the platform third-party-beneficiary clause
- Draft terms of service covering acceptable use, user-content licenses, payment, dispute resolution (arbitration/class waiver), governing law, and termination (may be merged with the EULA)
- Deliver assent through a conspicuous, logged clickwrap ("By tapping Continue, you agree to our Terms and Privacy Policy," both as live links), and log each acceptance with a timestamp, the exact version of the text shown (a hash of that text settles later disputes about which version the user saw), and the IP address or device identifier
- Publish a privacy policy that accurately matches your data practices and your store privacy disclosures (Apple's App Privacy details and, if you track users across apps, the App Tracking Transparency prompt; Google Play's Data Safety form)
- Scale privacy obligations to what you collect and who your users are (CCPA/CPRA, state laws, GDPR, sector rules) and bake in data minimization and storage limitation now
How the user agrees determines whether any of it is enforceable. Courts routinely enforce terms the user had to affirmatively accept (ProCD, Inc. v. Zeidenberg, 86 F.3d 1447 (7th Cir. 1996), the shrinkwrap decision the clickwrap cases build on) but frequently refuse browsewrap the user never had reasonable notice of (Nguyen v. Barnes & Noble Inc., 763 F.3d 1171 (9th Cir. 2014); Specht v. Netscape, 306 F.3d 17 (2d Cir. 2002)). The privacy policy is often legally mandatory (CalOPPA) and required by both stores, and a policy that misstates your practices is a deceptive act under FTC Act § 5 (15 U.S.C. § 45). A mismatch between the policy and the store privacy label is not a paperwork foot-fault; it is FTC-grade deception.
Phase 4 — Money and the Auto-Renewal Trap (ROSCA and State Law)
- If you use a negative-option/auto-renewing subscription, comply with ROSCA (15 U.S.C. §§ 8401–8405): clearly disclose all material terms (recurring charge, amount, frequency, cancellation deadline) before taking billing information, obtain express informed consent, and provide a simple cancellation mechanism
- Build to the strictest state automatic-renewal law (California's, Cal. Bus. & Prof. Code § 17600 et seq.) — clear disclosure in visual proximity to consent, affirmative consent to renewal, an acknowledgment with cancellation instructions, and online click-to-cancel — and apply it everywhere
- Capture and log the user's affirmative consent (e.g., a "Start Free Trial" tap); send a confirmation email restating terms and cancellation
- Make cancellation obvious and functional without a phone call (note the platform manages in-store subscriptions; web flows are entirely on you)
- If you process payments directly, use a compliant processor and keep cardholder data out of your systems (PCI DSS)
The fastest way for a legal app to attract a regulator is to charge people in a way that surprises them. Note the date: the FTC's 2024 "Click to Cancel" Rule was vacated by the Eighth Circuit in July 2025 on procedural grounds — but do not relax. ROSCA itself still requires simple cancellation, the FTC still brings negative-option cases under ROSCA and Section 5, and the state laws (several with private rights of action and statutory damages) already demand exactly what the vacated rule embodied. The safe design is to build to the strictest state and apply it nationwide.
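Both the logged clickwrap in Phase 3 and the subscription-consent capture in Phase 4 come down to the same engineering question: can you later prove which user accepted which exact text, with which material terms displayed, and that nobody edited the record afterwards? The following Python consent ledger is an added example, not part of the original checklist and not any particular vendor's product. It hashes the exact document text shown, refuses to log a subscription consent that lacks the material terms ROSCA and the California ARL expect (the `REQUIRED_SUBSCRIPTION_TERMS` list, the event names, and the field layout are this example's own choices), and chains every entry to the previous one so tampering or deletion is detectable. The terms text, user IDs and addresses in the demo are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64

# Material terms that must be on screen before billing details are taken.
# A "subscription_consent" lacking any of them is refused, so the log can
# never show consent to terms that were not disclosed. (Example's own list.)
REQUIRED_SUBSCRIPTION_TERMS = ("amount", "currency", "interval", "trial_days", "cancel_url")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def document_hash(text: str) -> str:
    """Hash of the exact text the user was shown (only line endings normalised)."""
    return sha256_hex(text.replace("\r\n", "\n").strip().encode("utf-8"))


def canonical(obj) -> bytes:
    """Deterministic serialisation so entry hashes are reproducible."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


class ConsentLedger:
    """Append-only, hash-chained record of assent events."""

    def __init__(self):
        self.entries = []
        self._prev = GENESIS

    def record(self, user_id, event, document, version, document_text,
               ip, user_agent, disclosure=None, ts=None):
        disclosure = disclosure or {}
        if event == "subscription_consent":
            missing = [k for k in REQUIRED_SUBSCRIPTION_TERMS if k not in disclosure]
            if missing:
                raise ValueError(f"refusing to log consent: undisclosed material terms {missing}")
        entry = {
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "user_id": user_id,
            "event": event,            # "terms_accepted", "subscription_consent", ...
            "document": document,      # "tos", "privacy", "subscription"
            "version": version,        # version label shown in the UI
            "document_sha256": document_hash(document_text),
            "disclosure": disclosure,  # price, interval, trial, cancel path as displayed
            "ip": ip,
            "user_agent": user_agent,
            "prev_sha256": self._prev,
        }
        entry["entry_sha256"] = sha256_hex(canonical(entry))
        self.entries.append(entry)
        self._prev = entry["entry_sha256"]
        return entry

    def verify_chain(self) -> bool:
        """Recompute every hash; an edited or deleted entry breaks the chain."""
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "entry_sha256"}
            if entry["prev_sha256"] != prev or sha256_hex(canonical(body)) != entry["entry_sha256"]:
                return False
            prev = entry["entry_sha256"]
        return True

    def find_consent(self, user_id, document, document_text):
        """Latest entry proving this user accepted exactly this text, else None."""
        wanted = document_hash(document_text)
        for entry in reversed(self.entries):
            if (entry["user_id"] == user_id and entry["document"] == document
                    and entry["document_sha256"] == wanted):
                return entry
        return None


if __name__ == "__main__":
    # Constructed demo data, not from any real app.
    ledger = ConsentLedger()
    tos = "Terms of Service v3.0\nBy tapping Continue you agree to these Terms and the Privacy Policy."
    ledger.record("u-42", "terms_accepted", "tos", "3.0", tos, "203.0.113.7", "ExampleApp/1.0 (iOS 18)")
    ledger.record("u-42", "subscription_consent", "subscription", "2026-01",
                  "Premium: $9.99/month after a 7-day free trial. Cancel anytime in Settings > Subscription.",
                  "203.0.113.7", "ExampleApp/1.0 (iOS 18)",
                  disclosure={"amount": "9.99", "currency": "USD", "interval": "P1M",
                              "trial_days": 7, "cancel_url": "app://settings/subscription"})
    print("chain intact:", ledger.verify_chain())
    print("accepted v3.0:", ledger.find_consent("u-42", "tos", tos) is not None)
    print("accepted amended text:", ledger.find_consent("u-42", "tos", tos + "\nAmended.") is not None)
```

The point of hashing the document rather than just storing a version string is that a version string is whatever your deploy pipeline says it is; the hash ties the record to the bytes actually rendered, so a later edit to "v3.0" cannot be passed off as what the user agreed to. In production the ledger would be written to append-only storage (or anchored to a signed timestamp) rather than kept in memory, and the confirmation email the Phase 4 list calls for would be generated from the same `disclosure` dictionary so the two never drift apart.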
Phase 5 — Specialized Obligations: Accessibility, Kids, Advertising
- Run an accessibility audit against WCAG 2.2 Level AA, use native iOS/Android accessibility features (screen-reader labels, contrast, captions/transcripts for audio), publish an accessibility statement, and offer a barrier-reporting path
- If your app is directed to children under 13 or you have actual knowledge of collecting their data, build the COPPA machinery: clear notice, verifiable parental consent before collection, data minimization, no third-party ad tracking on kids' content, and parental review/deletion — and apply for the platforms' kids programs
- Note that COPPA "personal information" includes geolocation, voice recordings, and persistent identifiers; the FTC tightened the COPPA Rule in 2025; state age-appropriate-design codes add more
- Make advertising claims true and substantiated; disclose influencer material connections (FTC Endorsement Guides) and avoid fake/AI-generated reviews; watch health claims (FDA line) and clear-and-conspicuous mobile disclosures
- Apply CAN-SPAM to commercial email and the TCPA to push/SMS marketing
- Pick an honest age rating during store submission
Accessibility blindsides developers because it is invisible until a demand letter arrives. The law is genuinely unsettled — Robles v. Domino's Pizza, LLC, 913 F.3d 898 (9th Cir. 2019), applied the ADA to a website and app tied to a physical business, while other circuits disagree about purely online businesses — but thousands of suits are filed yearly, so designing to WCAG 2.2 AA both reduces exclusion and undercuts the "we never tried" narrative. Children's data is where "we'll deal with it later" turns into a six- or seven-figure penalty: COPPA penalties run per violation, and "actual knowledge" is exactly the kind of thing internal emails reveal in discovery. Decide deliberately whether to be a "kids' app."
Phase 6 — Components You Didn't Write, and Export Controls
- Run a software-composition-analysis scan, generate an SBOM, identify every license, and confirm that no copyleft component (GPL/AGPL) is linked into the binary you distribute unless you have deliberately isolated it and can comply with its terms; treat weak-copyleft licenses (LGPL, MPL) as a decision point too, since the LGPL's relinking requirement is hard to satisfy in a statically linked iOS binary
- Satisfy the easy obligations: attribution notices for MIT/BSD/Apache components, typically surfaced in an "Open Source Licenses" settings screen generated from the SBOM rather than maintained by hand
- Audit commercial third-party agreements too (analytics SDK, maps, push, fonts); a single misbehaving advertising SDK has been the root cause of more than one FTC action
- Confirm your encryption is standard, publicly available, and qualifies for the relevant EAR license exception (most mass-market apps do, with at most a self-classification)
- Do not distribute to sanctioned/embargoed destinations or to prohibited parties, and keep a one-page export-classification record
Open-source software is free as in freedom, not free of obligations. Copyleft licenses are designed to be "viral": incorporate GPL code into a distributed app the wrong way and you may be obligated to release your own source. Violating an open-source license can be copyright infringement, not just breach (Jacobsen v. Katzer, 535 F.3d 1373 (Fed. Cir. 2008)), and the AGPL closes the "we only run it on a server" loophole. Putting an app on a global store is exporting software: most apps using standard encryption qualify for an exception easily, but a security tool, privacy messenger, or crypto-wallet doing something novel should get specific advice.
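The SBOM review in the Phase 6 list is mechanical enough to automate, and automating it is how you keep a new AGPL dependency from slipping in between audits. The Python below is an added example, not the page's own tooling: it reads a CycloneDX-style SBOM (the small SBOM embedded here is constructed, with made-up component names), sorts each component's SPDX license expression into permissive, weak copyleft, strong copyleft or unknown, handles `OR`/`AND` expressions the way a lawyer would (an `OR` lets you pick the friendliest branch, an `AND` binds you to the strictest), flags anything with a `WITH` exception for human review rather than guessing, and emits the attribution list for the "Open Source Licenses" screen. The license sets are illustrative, not exhaustive; anything not listed is reported as unknown so it cannot pass silently.

```python
import json
import re

# SPDX identifiers grouped by the obligation they impose on a distributed
# binary. Deliberately incomplete: anything unlisted is "unknown" and goes
# to review rather than being waved through.
PERMISSIVE = {"MIT", "ISC", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0",
              "Zlib", "Unlicense", "CC0-1.0", "0BSD"}
WEAK_COPYLEFT = {"LGPL-2.1-only", "LGPL-2.1-or-later", "LGPL-3.0-only",
                 "LGPL-3.0-or-later", "MPL-2.0", "EPL-2.0"}
STRONG_COPYLEFT = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only",
                   "GPL-3.0-or-later", "AGPL-3.0-only", "AGPL-3.0-or-later"}
RANK = {"permissive": 0, "weak_copyleft": 1, "strong_copyleft": 2, "unknown": 3}


def classify_id(spdx_id: str) -> str:
    if spdx_id in PERMISSIVE:
        return "permissive"
    if spdx_id in WEAK_COPYLEFT:
        return "weak_copyleft"
    if spdx_id in STRONG_COPYLEFT:
        return "strong_copyleft"
    return "unknown"


def classify_expression(expr: str) -> str:
    """Classify an SPDX expression. 'A OR B' lets you choose the most
    permissive branch; 'A AND B' binds you to the most restrictive one.
    Mixed operators, empty expressions and 'WITH' exceptions go to review."""
    expr = (expr or "").strip()
    if not expr:
        return "unknown"
    tokens = [t.strip("() ") for t in re.split(r"\s+(AND|OR)\s+", expr)]
    ops = {t for t in tokens if t in ("AND", "OR")}
    ids = [t for t in tokens if t not in ("AND", "OR")]
    if len(ops) > 1:
        return "unknown"
    cats = ["unknown" if "WITH" in i else classify_id(i) for i in ids]
    pick = min if ops == {"OR"} else max
    return pick(cats, key=RANK.__getitem__)


def license_expression(component: dict) -> str:
    """Flatten CycloneDX 'licenses' entries (id, name or expression forms).
    Several entries on one component are joined with AND, the conservative
    reading, so a mixed result lands in review."""
    parts = []
    for item in component.get("licenses", []):
        if "expression" in item:
            parts.append(item["expression"])
        else:
            lic = item.get("license", {})
            parts.append(lic.get("id") or lic.get("name") or "")
    return " AND ".join(p for p in parts if p)


def audit_sbom(sbom_json: str) -> dict:
    """Return blockers (strong copyleft), items needing review (weak copyleft
    or unknown) and the attribution lines for the licenses screen."""
    sbom = json.loads(sbom_json)
    report = {"blockers": [], "needs_review": [], "attribution": []}
    for c in sbom.get("components", []):
        expr = license_expression(c)
        cat = classify_expression(expr)
        row = {"name": c["name"], "version": c.get("version", ""),
               "license": expr, "category": cat}
        label = f'{row["name"]} {row["version"]} ({expr or "no license declared"})'
        if cat == "strong_copyleft":
            report["blockers"].append(row)      # cannot ship closed-source without complying or replacing
        elif cat in ("weak_copyleft", "unknown"):
            report["needs_review"].append(row)  # LGPL relinking / MPL file terms / undeclared license
        if cat in ("permissive", "weak_copyleft"):
            report["attribution"].append(label)  # notice text for the Open Source Licenses screen
    return report


# Constructed CycloneDX-style SBOM with made-up components (not a real project's).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"name": "netkit", "version": "4.12.0", "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"name": "imagecache", "version": "2.3.1", "licenses": [{"license": {"id": "MIT"}}]},
        {"name": "videocodec-wrapper", "version": "6.0", "licenses": [{"license": {"id": "LGPL-3.0-only"}}]},
        {"name": "docstore-driver", "version": "1.8", "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
        {"name": "ads-sdk-pro", "version": "9.1", "licenses": []},
        {"name": "dual-parser", "version": "0.4", "licenses": [{"expression": "MIT OR GPL-3.0-only"}]},
    ],
})

if __name__ == "__main__":
    print(json.dumps(audit_sbom(SAMPLE_SBOM), indent=2))
```

Run it as a CI gate: a non-empty `blockers` list fails the build, `needs_review` opens a ticket, and `attribution` is written straight into the licenses screen. The `ads-sdk-pro` entry with no declared license is the realistic failure mode: commercial SDKs often ship without SPDX metadata, and "unknown" is exactly the category the checklist's Phase 6 audit of commercial agreements exists to resolve.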
The Pre-Launch Sequence
First, the foundations that are hard to fix retroactively: an operating entity owns everything; signed IP assignments from every developer and contractor; clean title to all third-party and open-source components. Second, the gate and the contracts: comply with the developer agreements; stand up a real EULA/terms with a conspicuous, logged clickwrap; publish a privacy policy that matches your store labels. Third, the consumer-law layer that draws regulators: the ROSCA/state auto-renewal flow, compliant payments, substantiated advertising. Fourth, the obligations triggered by what your app does: COPPA and kids-category compliance, ADA/WCAG accessibility, CAN-SPAM/TCPA hygiene, and export/encryption. Throughout, document your decisions (consent logs, version histories, an SBOM, an accessibility audit, an export classification) and keep counsel close for the moving parts — privacy law, the platform-commission wars, ROSCA rulemaking, accessibility cases, and COPPA amendments are all in flux in 2026.
Common Mistakes
- Shipping as a person rather than behind an entity and insurance, exposing the founder's house and savings.
- Assuming that paying for development means owning the IP — for a contractor, it usually does not, absent a signed assignment.
- Clicking "I agree" to the developer agreements without reading the rules that govern your commission, content, and removal.
- Delivering terms via browsewrap or a buried settings link, producing a "wish" rather than a contract.
- Letting the privacy policy and the Apple/Google privacy labels disagree, which is FTC-grade deception.
- Relaxing on auto-renewal because the "Click to Cancel" Rule was vacated — ROSCA and the state laws still require easy cancellation.
- Ignoring accessibility, COPPA, or an advertising SDK's data appetite until a demand letter or consent decree arrives.
Primary Authority
- IP ownership: 17 U.S.C. §§ 101, 201; Community for Creative Non-Violence v. Reid, 490 U.S. 730 (1989).
- Platforms: Epic Games, Inc. v. Apple Inc., 67 F.4th 946 (9th Cir. 2023), cert. denied (Jan. 2024); EU Digital Markets Act, Regulation (EU) 2022/1925.
- Online contracts: ProCD, Inc. v. Zeidenberg, 86 F.3d 1447 (7th Cir. 1996); Specht v. Netscape Communications Corp., 306 F.3d 17 (2d Cir. 2002); Nguyen v. Barnes & Noble Inc., 763 F.3d 1171 (9th Cir. 2014).
- Privacy/advertising: FTC Act § 5, 15 U.S.C. § 45; CalOPPA; CCPA/CPRA; GDPR; FTC Endorsement Guides.
- Subscriptions: ROSCA, 15 U.S.C. §§ 8401–8405; FTC Negative Option Rule, 16 C.F.R. Part 425 (the 2024 "Click to Cancel" amendment vacated, 8th Cir. 2025); California Automatic Renewal Law, Cal. Bus. & Prof. Code § 17600 et seq.
- Accessibility: ADA Title III, 42 U.S.C. § 12182; Robles v. Domino's Pizza, LLC, 913 F.3d 898 (9th Cir. 2019); WCAG 2.2 AA.
- Children: COPPA, 15 U.S.C. §§ 6501–6506; COPPA Rule, 16 C.F.R. Part 312 (amended 2025).
- Open source: Jacobsen v. Katzer, 535 F.3d 1373 (Fed. Cir. 2008). Export: the Export Administration Regulations (EAR). Verify current commission terms, penalty amounts, and rule status at official sources.
This checklist provides general information only and is not legal advice. The law governing mobile apps — privacy, platform rules, consumer protection, accessibility, and children's data — is complex, varies by state and country, and is changing quickly; consult qualified counsel about your specific situation.