When marketing wants a referral program or product adds biometric auth, /compliance-check tells you which regulations apply before it ships. — Claude Skill
Run GDPR, CCPA, and DPA reviews on any new initiative — proceed or escalate.
- Frameworks: GDPR, CCPA/CPRA, LGPD, POPIA, PIPEDA, PDPA, PIPL, UK GDPR
- DPA Article 28 checklist: sub-processors, breach notification, audit rights
- Data subject request handler: 30-day GDPR / 45-day CCPA timelines
- Cross-border transfer mechanisms: SCCs (June 2021), adequacy, BCRs, UK addendum
- Verdict: Proceed / Proceed with conditions / Requires further review
Para quién es
Run GDPR/CCPA/DPA reviews on every new initiative without becoming the bottleneck for marketing and product
Ver skills para este rolContinuous compliance monitoring instead of quarterly audits — catch regulatory risk before it lands in the boardroom
Ver skills para este rolQué hace
Marketing pings you on Friday: launch is Monday. /compliance-check returns applicable regulations (state sweepstakes laws, FTC endorsement guides, GDPR if EU users), required approvals, and risk areas — so you respond same-day instead of becoming the bottleneck.
Biometric data is special category under GDPR and Illinois BIPA. /compliance-check flags lawful basis requirements, DPIA trigger, retention limits, and the 5 specific approvals needed before launch.
Instead of reading 22 pages of legalese, /compliance-check runs the Article 28 checklist — sub-processor authorization, 24-48h breach notification, audit rights, SCCs version, transfer impact assessment — and lists the 6 redlines to negotiate.
/compliance-check identifies CCPA/CPRA requirements: 10-business-day acknowledgment, 45-day substantive response, applicable exemptions (litigation hold, retention obligations), and the right-to-know vs right-to-delete handling path.
Cómo funciona
Describe the initiative, feature, or inquiry in plain English
Skill identifies applicable regulations across the user's jurisdictions
Runs requirement checklist with status: Met / Not Met / Unknown
Flags risk areas with severity and mitigation
Returns verdict with required approvals and recommended next steps
Ejemplo
We want to launch a referral program with $50 cash rewards, available in US and EU markets, targeting existing customers.
Proceed with conditions — 4 approvals needed, 2 risk areas, GDPR consent flow required for EU
GDPR (EU): lawful basis = consent for marketing emails, data subject rights CCPA/CPRA (California): right to opt out of sharing FTC Endorsement Guides (US): material connection disclosure for referrers State sweepstakes laws: cash rewards may trigger registration in NY, FL, RI
HIGH: GDPR consent quality — must be specific, freely given, unbundled from ToS MEDIUM: Referrer disclosure — needs visible 'I was referred' label per FTC
Privacy team — GDPR consent flow review Finance — 1099 reporting threshold ($600/year per referrer) Marketing legal — FTC disclosure copy Product — opt-out mechanism in user settings
Métricas que mejora
Funciona con
¿Listo para instalar Compliance Review?
Elige cómo empezar.
Instala y ejecuta este plugin localmente en tu computadora.
Abre una terminal en tu computadora y pega este comando:
Esto descarga el plugin con todos sus archivos en tu computadora:
Añade -g al final para tenerlo disponible en todos tus proyectos.
Inicia Claude Code, luego escribe el comando:
/compliance-check -- Compliance Review
If you see unfamiliar placeholders or need to check which tools are connected, see CONNECTORS.md.
Run a compliance check on a proposed action, product feature, marketing campaign, or business initiative.
Important: This command assists with legal workflows but does not provide legal advice. Compliance assessments should be reviewed by qualified legal professionals. Regulatory requirements change frequently; always verify current requirements with authoritative sources.
Usage
/compliance-check $ARGUMENTS
What I Need From You
Describe what you're planning to do. Examples:
- "We want to launch a referral program with cash rewards"
- "We're adding biometric authentication to our mobile app"
- "We need to process EU customer data in our US data center"
- "Marketing wants to use customer testimonials in ads"
Output
## Compliance Check: [Initiative]
### Summary
[Quick assessment: Proceed / Proceed with conditions / Requires further review]
### Applicable Regulations and Policies
| Regulation/Policy | Relevance | Key Requirements |
|-------------------|-----------|-----------------|
| [GDPR / CCPA / HIPAA / etc.] | [How it applies] | [What you need to do] |
### Requirements
| # | Requirement | Status | Action Needed |
|---|-------------|--------|---------------|
| 1 | [Requirement] | [Met / Not Met / Unknown] | [What to do] |
### Risk Areas
| Risk | Severity | Mitigation |
|------|----------|------------|
| [Risk] | [High/Med/Low] | [How to address] |
### Recommended Actions
1. [Most important action]
2. [Second priority]
3. [Third priority]
### Approvals Needed
| Approver | Why | Status |
|----------|-----|--------|
| [Person/Team] | [Reason] | [Pending] |
### Further Review Recommended
[Areas where outside counsel or specialist review is advised]
Privacy Regulation Overview
GDPR (General Data Protection Regulation)
Scope: Applies to processing of personal data of individuals in the EU/EEA, regardless of where the processing organization is located.
Key Obligations for In-House Legal Teams:
- Lawful basis: Identify and document lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation, vital interest, public task)
- Data subject rights: Respond to access, rectification, erasure, portability, restriction, and objection requests within 30 days (extendable by 60 days for complex requests)
- Data protection impact assessments (DPIAs): Required for processing likely to result in high risk to individuals
- Breach notification: Notify supervisory authority within 72 hours of becoming aware of a personal data breach; notify affected individuals without undue delay if high risk
- Records of processing: Maintain Article 30 records of processing activities
- International transfers: Ensure appropriate safeguards for transfers outside EEA (SCCs, adequacy decisions, BCRs)
- DPO requirement: Appoint a Data Protection Officer if required (public authority, large-scale processing of special categories, large-scale systematic monitoring)
CCPA / CPRA (California Consumer Privacy Act / California Privacy Rights Act)
Scope: Applies to businesses that collect personal information of California residents and meet revenue, data volume, or data sale thresholds.
Key Obligations:
- Right to know: Consumers can request disclosure of personal information collected, used, and shared
- Right to delete: Consumers can request deletion of their personal information
- Right to opt-out: Consumers can opt out of the sale or sharing of personal information
- Right to correct: Consumers can request correction of inaccurate personal information (CPRA addition)
- Non-discrimination: Cannot discriminate against consumers who exercise their rights
Response Timelines:
- Acknowledge receipt within 10 business days
- Respond substantively within 45 calendar days (extendable by 45 days with notice)
Other Key Regulations to Monitor
| Regulation | Jurisdiction | Key Differentiators |
|---|---|---|
| LGPD (Brazil) | Brazil | Similar to GDPR; requires DPO appointment; ANPD enforcement |
| POPIA (South Africa) | South Africa | Information Regulator oversight; required registration of processing |
| PIPEDA (Canada) | Canada (federal) | Consent-based framework; OPC oversight |
| PDPA (Singapore) | Singapore | Do Not Call registry; mandatory breach notification |
| Privacy Act (Australia) | Australia | Australian Privacy Principles (APPs); notifiable data breaches scheme |
| PIPL (China) | China | Strict cross-border transfer rules; data localization requirements |
| UK GDPR | UK | Post-Brexit UK version; ICO oversight |
DPA Review Checklist
Required Article 28 elements: subject matter and duration, nature/purpose, types of personal data, categories of data subjects, controller obligations.
Processor obligations: process only on documented instructions, confidentiality, security measures, sub-processor authorization, data subject rights assistance, breach assistance, deletion/return on termination, audit rights, breach notification within 24-48 hours.
International transfers: SCCs (June 2021 version), correct module (C2P/C2C/P2P/P2C), transfer impact assessment, supplementary measures, UK addendum if applicable.
Data Subject Request Handling
Request types: access, rectification, erasure, restriction, portability, objection, opt-out (CCPA/CPRA), limit use of sensitive PI (CPRA).
Response timelines: GDPR 30 days (+60), CCPA/CPRA 45 days (+45), LGPD 15 days.
Common exemptions: legal claims defense, legal obligations requiring retention, public interest, freedom of expression (erasure), litigation hold, regulatory retention periods.
Tips
- Be specific — "We want to email all our users" is better than "marketing campaign."
- Include the geography — Compliance requirements vary by jurisdiction.
- Mention the data — What personal data is involved?