ElasticFlow
Legal Pluginby Anthropic

When marketing wants a referral program or product adds biometric auth, /compliance-check tells you which regulations apply before it ships.

Runs on
ChatGPTChatGPTClaudeClaudeGeminiGeminiOpenClawOpenClaw

Run GDPR, CCPA, and DPA reviews on any new initiative — proceed or escalate.

  • Frameworks: GDPR, CCPA/CPRA, LGPD, POPIA, PIPEDA, PDPA, PIPL, UK GDPR
  • DPA Article 28 checklist: sub-processors, breach notification, audit rights
  • Data subject request handler: 30-day GDPR / 45-day CCPA timelines
  • Cross-border transfer mechanisms: SCCs (June 2021), adequacy, BCRs, UK addendum
  • Verdict: Proceed / Proceed with conditions / Requires further review

Who this is for

Corporate Counsel

Run GDPR/CCPA/DPA reviews on every new initiative without becoming the bottleneck for marketing and product

See skills for this role
General Counsel

Continuous compliance monitoring instead of quarterly audits — catch regulatory risk before it lands in the boardroom

See skills for this role

What it does

Marketing wants a referral program with cash rewards

Marketing pings you on Friday: launch is Monday. /compliance-check returns applicable regulations (state sweepstakes laws, FTC endorsement guides, GDPR if EU users), required approvals, and risk areas — so you respond same-day instead of becoming the bottleneck.

Product is adding biometric auth to the mobile app

Biometric data is special category under GDPR and Illinois BIPA. /compliance-check flags lawful basis requirements, DPIA trigger, retention limits, and the 5 specific approvals needed before launch.

DPA arrived from a new vendor processing EU customer data

Instead of reading 22 pages of legalese, /compliance-check runs the Article 28 checklist — sub-processor authorization, 24-48h breach notification, audit rights, SCCs version, transfer impact assessment — and lists the 6 redlines to negotiate.

DSAR landed from a California resident

/compliance-check identifies CCPA/CPRA requirements: 10-business-day acknowledgment, 45-day substantive response, applicable exemptions (litigation hold, retention obligations), and the right-to-know vs right-to-delete handling path.

How it works

1

Describe the initiative, feature, or inquiry in plain English

2

Skill identifies applicable regulations across the user's jurisdictions

3

Runs requirement checklist with status: Met / Not Met / Unknown

4

Flags risk areas with severity and mitigation

5

Returns verdict with required approvals and recommended next steps

Example

Your initiative
We want to launch a referral program with $50 cash rewards, available in US and EU markets, targeting existing customers.
Compliance verdict — 8 minutes
Summary
Proceed with conditions — 4 approvals needed, 2 risk areas, GDPR consent flow required for EU
Applicable Regulations
GDPR (EU): lawful basis = consent for marketing emails, data subject rights
CCPA/CPRA (California): right to opt out of sharing
FTC Endorsement Guides (US): material connection disclosure for referrers
State sweepstakes laws: cash rewards may trigger registration in NY, FL, RI
Risk Areas
HIGH: GDPR consent quality — must be specific, freely given, unbundled from ToS
MEDIUM: Referrer disclosure — needs visible 'I was referred' label per FTC
Approvals Needed
Privacy team — GDPR consent flow review
Finance — 1099 reporting threshold ($600/year per referrer)
Marketing legal — FTC disclosure copy
Product — opt-out mechanism in user settings

Metrics this improves

Compliance Gap Coverage
Continuous compliance monitoring on every new initiative replaces quarterly audits
Legal
DSAR Response Time
Routes DSARs through the right CCPA/GDPR timeline path on first read
Legal
Legal as Business Enabler
Same-day verdicts on marketing and product proposals instead of week-long legal blocks
Legal

Works with

HubSpot
manual

Pulls EU contact records to assess GDPR scope

Salesforce
manual

Identifies California residents in CRM for CCPA/CPRA scope

DocuSign CLM
manual

Reviews DPAs and processing agreements stored in DocuSign CLM

Ironclad
manual

Pulls vendor DPAs from Ironclad for Article 28 review

Part of
9 skills

Legal Plugin

by Anthropic

/compliance-check is one of 9 skills in this plugin.

See all 9 skills

Similar skills

Auto-suggested by attribute overlap. Side-by-side comparison shows what differs.

Compare all 4

Contract & Proposal Writer

by Alireza Rezvani
US, US-CA +5vsUS-DE, EU +2(Jurisdictions)·DPAvsNDA, MSA +5(Document types)·GDPR, CCPA +2vsGDPR(Compliance frameworks)

E-Signature Routing

by Anthropic
US, US-CA +5vsUS, EU +1(Jurisdictions)·DPAvsNDA, MSA +1(Document types)·textvsfile-upload, text(What you provide)

Legal Response from Templates

by Anthropic
US, US-CA +5vsUS, US-CA +3(Jurisdictions)·DPAvsNDA(Document types)·GDPR, CCPA +2vsGDPR, CCPA(Compliance frameworks)
Sorted by attribute overlap × differentiation. Compliance Review shares 16+ attributes with each.
View on GitHub

/compliance-check -- Compliance Review

If you see unfamiliar placeholders or need to check which tools are connected, see CONNECTORS.md.

Run a compliance check on a proposed action, product feature, marketing campaign, or business initiative.

Important: This command assists with legal workflows but does not provide legal advice. Compliance assessments should be reviewed by qualified legal professionals. Regulatory requirements change frequently; always verify current requirements with authoritative sources.

Usage

/compliance-check $ARGUMENTS

What I Need From You

Describe what you're planning to do. Examples:

  • "We want to launch a referral program with cash rewards"
  • "We're adding biometric authentication to our mobile app"
  • "We need to process EU customer data in our US data center"
  • "Marketing wants to use customer testimonials in ads"

Output

## Compliance Check: [Initiative]

### Summary
[Quick assessment: Proceed / Proceed with conditions / Requires further review]

### Applicable Regulations and Policies
| Regulation/Policy | Relevance | Key Requirements |
|-------------------|-----------|-----------------|
| [GDPR / CCPA / HIPAA / etc.] | [How it applies] | [What you need to do] |

### Requirements
| # | Requirement | Status | Action Needed |
|---|-------------|--------|---------------|
| 1 | [Requirement] | [Met / Not Met / Unknown] | [What to do] |

### Risk Areas
| Risk | Severity | Mitigation |
|------|----------|------------|
| [Risk] | [High/Med/Low] | [How to address] |

### Recommended Actions
1. [Most important action]
2. [Second priority]
3. [Third priority]

### Approvals Needed
| Approver | Why | Status |
|----------|-----|--------|
| [Person/Team] | [Reason] | [Pending] |

### Further Review Recommended
[Areas where outside counsel or specialist review is advised]

Privacy Regulation Overview

GDPR (General Data Protection Regulation)

Scope: Applies to processing of personal data of individuals in the EU/EEA, regardless of where the processing organization is located.

Key Obligations for In-House Legal Teams:

  • Lawful basis: Identify and document lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation, vital interest, public task)
  • Data subject rights: Respond to access, rectification, erasure, portability, restriction, and objection requests within 30 days (extendable by 60 days for complex requests)
  • Data protection impact assessments (DPIAs): Required for processing likely to result in high risk to individuals
  • Breach notification: Notify supervisory authority within 72 hours of becoming aware of a personal data breach; notify affected individuals without undue delay if high risk
  • Records of processing: Maintain Article 30 records of processing activities
  • International transfers: Ensure appropriate safeguards for transfers outside EEA (SCCs, adequacy decisions, BCRs)
  • DPO requirement: Appoint a Data Protection Officer if required (public authority, large-scale processing of special categories, large-scale systematic monitoring)

CCPA / CPRA (California Consumer Privacy Act / California Privacy Rights Act)

Scope: Applies to businesses that collect personal information of California residents and meet revenue, data volume, or data sale thresholds.

Key Obligations:

  • Right to know: Consumers can request disclosure of personal information collected, used, and shared
  • Right to delete: Consumers can request deletion of their personal information
  • Right to opt-out: Consumers can opt out of the sale or sharing of personal information
  • Right to correct: Consumers can request correction of inaccurate personal information (CPRA addition)
  • Non-discrimination: Cannot discriminate against consumers who exercise their rights

Response Timelines:

  • Acknowledge receipt within 10 business days
  • Respond substantively within 45 calendar days (extendable by 45 days with notice)

Other Key Regulations to Monitor

RegulationJurisdictionKey Differentiators
LGPD (Brazil)BrazilSimilar to GDPR; requires DPO appointment; ANPD enforcement
POPIA (South Africa)South AfricaInformation Regulator oversight; required registration of processing
PIPEDA (Canada)Canada (federal)Consent-based framework; OPC oversight
PDPA (Singapore)SingaporeDo Not Call registry; mandatory breach notification
Privacy Act (Australia)AustraliaAustralian Privacy Principles (APPs); notifiable data breaches scheme
PIPL (China)ChinaStrict cross-border transfer rules; data localization requirements
UK GDPRUKPost-Brexit UK version; ICO oversight

DPA Review Checklist

Required Article 28 elements: subject matter and duration, nature/purpose, types of personal data, categories of data subjects, controller obligations.

Processor obligations: process only on documented instructions, confidentiality, security measures, sub-processor authorization, data subject rights assistance, breach assistance, deletion/return on termination, audit rights, breach notification within 24-48 hours.

International transfers: SCCs (June 2021 version), correct module (C2P/C2C/P2P/P2C), transfer impact assessment, supplementary measures, UK addendum if applicable.

Data Subject Request Handling

Request types: access, rectification, erasure, restriction, portability, objection, opt-out (CCPA/CPRA), limit use of sensitive PI (CPRA).

Response timelines: GDPR 30 days (+60), CCPA/CPRA 45 days (+45), LGPD 15 days.

Common exemptions: legal claims defense, legal obligations requiring retention, public interest, freedom of expression (erasure), litigation hold, regulatory retention periods.

Tips

  1. Be specific — "We want to email all our users" is better than "marketing campaign."
  2. Include the geography — Compliance requirements vary by jurisdiction.
  3. Mention the data — What personal data is involved?