Are You Accidentally Breaking the Law? 5 Common Mistakes Small Founders Make

Most founders don’t set out to break the law. They set out to build something. And in that rush (the late nights, the first customers, the scramble to get a product live), legal compliance becomes the thing you’ll “deal with later.” Except later has a way of arriving suddenly, usually in the form of a cease-and-desist letter, an IRS notice, or a lawsuit from a former contractor who now claims they were actually an employee all along.
The uncomfortable truth is that most legal trouble in early-stage companies doesn’t come from bad actors. It comes from founders who genuinely didn’t know what they didn’t know. The law doesn’t grade on effort or intent. And some of the most common mistakes are so embedded in startup culture that they’ve started to look like normal behavior.
Here are five of them.
Treating Contractors Like Employees (or Vice Versa)
This one is probably the most widespread and the most financially dangerous. The contractor-versus-employee distinction isn’t something you get to decide based on what’s convenient for your budget. It’s determined by a set of legal and tax criteria that vary by state, and the IRS has its own tests on top of that.
The classic founder mistake: bring on someone to work 30 hours a week, give them a company email address, assign them tasks in your project management tool, hold them to your schedule, and then pay them as a 1099 contractor because it’s cheaper and simpler. On paper they’re a contractor. In practice, under most legal frameworks, they’re an employee, and you’ve been misclassifying them for months.
The consequences aren’t hypothetical. California alone has levied hundreds of millions of dollars in penalties against companies for worker misclassification. The federal government can hold founders personally liable for unpaid payroll taxes. And the worker in question can file a claim retroactively for benefits they were owed: overtime, health coverage contributions, unemployment. The audit risk compounds every month you continue the arrangement.
If someone is doing work that’s integral to your core business, on your schedule, using your tools, with little autonomy over how the work is done, they’re probably not a contractor regardless of what your agreement says.
Skipping the Founder Agreement
Early co-founder relationships tend to run on trust, enthusiasm, and a shared vision. That’s fine. What’s not fine is letting that be the only thing holding the company together when things get complicated, and they always get complicated.
A properly structured founder agreement covers equity vesting schedules, what happens when a founder leaves, who owns what IP, and how decisions get made. Without one, a co-founder who leaves after six months can walk away owning a third of your company with no continuing obligations. Or you can end up in a deadlock situation where two equal co-founders disagree on a major strategic decision and there’s no mechanism to resolve it.
The irony is that most founders who skip this conversation do it because they don’t want to seem like they distrust their co-founder. But a well-drafted founders’ agreement is exactly what you’d want if you do trust each other, because it forces you to have the hard conversations while you’re still aligned, rather than after something has gone sideways.
Standard four-year vesting with a one-year cliff has become the default for good reason. It protects everyone.
Assuming Your IP Belongs to Your Company
This one has derailed funding rounds. An investor’s legal team does due diligence, looks at the codebase, and asks: who wrote this, and is there documentation that it was properly assigned to the company?
If a founder wrote the core technology before the company was formally incorporated, or if a contractor wrote critical code without a proper IP assignment clause in their agreement, or if a co-founder contributed work under a separate entity, that IP may not actually belong to your startup. It belongs to an individual or another entity. And you can’t raise a serious round, get acquired, or license your technology without clear IP ownership.
The fix is usually straightforward, but it requires doing the paperwork. Every founder should sign an IP assignment agreement at incorporation. Every contractor agreement should include an explicit IP assignment clause. Any IP created before the company was formed should be formally transferred, in writing, to the company.
A lot of founders operate on the assumption that if they created something while working for their company, the company owns it automatically. In many jurisdictions, that assumption is wrong.
Neglecting Privacy Compliance
There’s a tendency among early-stage founders to think privacy law is a big-company problem. GDPR is for Facebook. CCPA is for companies with millions of users. You’re just a small startup with a few hundred signups.
That framing is wrong, and increasingly so.
GDPR applies to any company processing the personal data of EU residents, regardless of where the company is incorporated or how many users it has. If someone in Germany signs up for your SaaS product and you store their email address, you’re subject to GDPR obligations: a privacy policy written in plain language, a lawful basis for processing data, mechanisms for users to request deletion of their data, and breach notification requirements if your systems are compromised.
California’s CCPA applies to businesses that meet certain thresholds, but the California Privacy Rights Act (CPRA) has expanded the scope, and other states have followed with their own frameworks. The patchwork is getting more complex every year, not less.
Small companies have been fined under GDPR. The amounts are generally lower than the nine-figure penalties that make headlines, but a €10,000 fine and the legal costs of responding to a regulatory inquiry can be existential for a company running lean.
The minimum viable approach: a properly written privacy policy, clarity on what data you’re collecting and why, and some internal process for responding to data requests. It’s not glamorous work, but it’s table stakes for any product that touches user data.
Not Protecting Your Brand Before You Launch
Building a brand and then discovering someone else owns the trademark for your name is a specific kind of painful. You’ve already built customer recognition, printed materials, created social profiles, maybe even raised a round. Now you either negotiate a license, rebrand entirely, or fight a legal battle you may not win.
Trademark rights in the U.S. are complicated by the fact that common-law rights accrue through use, not registration. But registration gives you substantially stronger protections: nationwide priority, the ability to use the ® symbol, and the right to register the mark with customs to prevent counterfeit goods. Filing an intent-to-use application before you launch lets you lock in a priority date even before the product ships.
The other piece founders miss: even if you check the USPTO database and don’t find a direct conflict, there may be similar marks in adjacent categories that create risk. This is genuinely an area where a few hours with a trademark attorney before launch is worth far more than the same money spent on litigation afterward.
Domain registration and social handles do not equal trademark rights. A lot of founders conflate the two.
There’s a pattern in all five of these mistakes. None of them happen because founders are reckless. They happen because building something is an all-consuming process that makes everything else feel secondary. Legal structure is boring. IP assignment paperwork is tedious. Trademark clearance searches aren’t part of the product roadmap.
But the companies that scale without blowing up are almost always the ones where someone, early on, decided that “we’ll figure it out later” was the most expensive thing they could say.




