# Legal Source Map and Source-Validity Notes

> **Template and counsel-review notice.** This document is a website/app integration template, not a legal opinion. Before publication, replace bracketed placeholders, confirm actual data flows, obtain advice from qualified counsel for each jurisdiction and regulated workflow, and approve final wording through privacy, security, product, marketing, health/clinical, and executive stakeholders. Do not promise controls, certifications, response times, retention periods, or legal rights unless they are actually implemented and operationally supported.

**Sources reviewed/accessed:** 2026-07-09. Use official sources first. Secondary trackers were used only to flag issues for counsel review and should not be treated as legal authority.

## Official sources included in this audited release
- **FTC Privacy and Security Business Guidance:** https://www.ftc.gov/business-guidance/privacy-security
- **FTC CAN-SPAM Business Guide:** https://www.ftc.gov/business-guidance/resources/can-spam-act-compliance-guide-business
- **FTC COPPA Rule guidance and 2025 amendments:** https://www.ftc.gov/business-guidance/privacy-security/childrens-privacy
- **FTC Health Breach Notification Rule:** https://www.ftc.gov/business-guidance/resources/complying-ftcs-health-breach-notification-rule-0
- **FTC GLBA Safeguards Rule:** https://www.ftc.gov/business-guidance/privacy-security/gramm-leach-bliley-act
- **FTC Negative Option Rule page:** https://www.ftc.gov/legal-library/browse/rules/negative-option-rule
- **California CCPA official page:** https://oag.ca.gov/privacy/ccpa
- **California CCPA regulations:** https://cppa.ca.gov/regulations/
- **California Global Privacy Control FAQ:** https://oag.ca.gov/privacy/ccpa/gpc
- **HHS HIPAA Security Rule:** https://www.hhs.gov/hipaa/for-professionals/security/index.html
- **HHS HIPAA Privacy Rule:** https://www.hhs.gov/hipaa/for-professionals/privacy/index.html
- **HHS HIPAA Breach Notification Rule:** https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
- **HHS 42 CFR Part 2 final rule fact sheet:** https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-part-2-final-rule/index.html
- **HHS HIPAA and Part 2 Notice of Privacy Practices:** https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/model-notices-privacy-practices/index.html
- **HHS Online Tracking Technologies guidance:** https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html
- **FDA Digital Health Center of Excellence guidance list:** https://www.fda.gov/medical-devices/digital-health-center-excellence/guidances-digital-health-content
- **FDA Medical Device Cybersecurity Guidance:** https://www.fda.gov/regulatory-information/search-fda-guidance-documents/cybersecurity-medical-devices-quality-system-considerations-and-content-premarket-submissions
- **NIST Cybersecurity Framework 2.0:** https://www.nist.gov/cyberframework
- **NIST Privacy Framework:** https://www.nist.gov/privacy-framework
- **NIST AI Risk Management Framework:** https://www.nist.gov/itl/ai-risk-management-framework
- **NIST Generative AI Profile:** https://airc.nist.gov/airmf-resources/airmf/
- **NIST Post-Quantum Cryptography project:** https://csrc.nist.gov/projects/post-quantum-cryptography
- **NIST FIPS 203 ML-KEM:** https://csrc.nist.gov/pubs/fips/203/final
- **NIST FIPS 204 ML-DSA:** https://csrc.nist.gov/pubs/fips/204/final
- **NIST FIPS 205 SLH-DSA:** https://csrc.nist.gov/pubs/fips/205/final
- **DOJ Data Security Program:** https://www.justice.gov/nsd/data-security
- **DOJ Data Security Program final rule:** https://www.federalregister.gov/documents/2025/01/08/2024-31486/preventing-access-to-us-sensitive-personal-data-and-government-related-data-by-countries-of-concern
- **Colorado ADMT Act / AI rulemaking page:** https://coag.gov/resources/colorado-ai-act/
- **Colorado SB26-189:** https://leg.colorado.gov/bills/sb26-189
- **Washington My Health My Data Act:** https://www.atg.wa.gov/protecting-washingtonians-personal-health-data-and-privacy
- **Nevada Consumer Health Data law overview:** https://www.leg.state.nv.us/App/NELIS/REL/82nd2023/Bill/10323/Overview
- **Connecticut AG CTDPA consumer health data page:** https://portal.ct.gov/ag/sections/privacy/the-connecticut-data-privacy-act
- **U.S. Department of Education FERPA:** https://studentprivacy.ed.gov/ferpa
- **U.S. Department of Education FERPA for education technology vendors:** https://studentprivacy.ed.gov/resources/ferpa-education-technology-vendors
- **Apple App Privacy Details:** https://developer.apple.com/app-store/app-privacy-details/
- **Apple Privacy Manifest Files:** https://developer.apple.com/documentation/bundleresources/privacy_manifest_files
- **Apple Required Reason APIs:** https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api
- **Google Play Data Safety:** https://support.google.com/googleplay/android-developer/answer/10787469
- **ADA.gov web and mobile app accessibility rule:** https://www.ada.gov/resources/2024-03-08-web-rule/
- **ADA.gov first steps web accessibility guide:** https://www.ada.gov/resources/first-steps-web-accessibility/
- **W3C WCAG 2.2:** https://www.w3.org/TR/WCAG22/
- **W3C WCAG 2 Overview:** https://www.w3.org/WAI/standards-guidelines/wcag/

## Source-validity audit notes
- FTC materials were used for privacy/security, CAN-SPAM, COPPA, Health Breach Notification Rule, GLBA/Safeguards, and negative-option status checks. The negative-option rule has had 2026 rulemaking/court-action changes; publish subscription language only after counsel confirms the current status.
- California CCPA/CPRA materials were checked against CPPA/OAG sources for 2026 regulations, GPC, sale/share opt-outs, risk assessments, cybersecurity audits, and automated decision-making technology governance. Implementation schedules must be verified by counsel.
- HHS materials were used for HIPAA Privacy/Security/Breach, 42 CFR Part 2, Notice of Privacy Practices updates, reproductive health, and tracking-technology risk. HIPAA tracking guidance has litigation sensitivity; use conservative review gates.
- FDA digital health sources were used for device software, clinical decision support, AI-enabled devices, predetermined change control plans, and medical-device cybersecurity. FDA classification is product- and claim-specific.
- NIST CSF, Privacy Framework, AI RMF, GenAI Profile, and PQC standards were used as governance/security references, not as proof of legal compliance.
- Apple and Google Play materials were used for app privacy labels, privacy manifests, required-reason APIs, Data Safety forms, and deletion disclosures. Actual app behavior must match store disclosures.
- ADA.gov and W3C materials were used for accessibility targets. Title II has specific requirements; private-sector obligations should be confirmed by counsel.
