When marketing wants a referral program or product adds biometric auth, /compliance-check tells you which regulations apply before it ships. — Claude Skill

A Claude skill for Claude Code · Anthropic · run: /compliance-check (in Claude) · Updated: Apr 10, 2026

Compatible with: ChatGPT · Claude · Gemini · OpenClaw

Run GDPR, CCPA, and DPA reviews on any new initiative — proceed or escalate.

  • Frameworks: GDPR, CCPA/CPRA, LGPD, POPIA, PIPEDA, PDPA, PIPL, UK GDPR
  • DPA Article 28 checklist: sub-processors, breach notification, audit rights
  • Data subject request handler: 30-day GDPR / 45-day CCPA timelines
  • Cross-border transfer mechanisms: SCCs (June 2021), adequacy, BCRs, UK addendum
  • Verdict: Proceed / Proceed with conditions / Requires further review

Who it's for

What it does

Marketing wants a referral program with cash rewards

Marketing pings you on Friday: launch is Monday. /compliance-check returns applicable regulations (state sweepstakes laws, FTC endorsement guides, GDPR if EU users), required approvals, and risk areas — so you respond same-day instead of becoming the bottleneck.

Product is adding biometric auth to the mobile app

Biometric data is a special category under GDPR and is covered by Illinois BIPA. /compliance-check flags lawful basis requirements, the DPIA trigger, retention limits, and the 5 specific approvals needed before launch.

DPA arrived from a new vendor processing EU customer data

Instead of reading 22 pages of legalese, /compliance-check runs the Article 28 checklist — sub-processor authorization, 24-48h breach notification, audit rights, SCCs version, transfer impact assessment — and lists the 6 redlines to negotiate.

DSAR landed from a California resident

/compliance-check identifies CCPA/CPRA requirements: 10-business-day acknowledgment, 45-day substantive response, applicable exemptions (litigation hold, retention obligations), and the right-to-know vs right-to-delete handling path.

How it works

  1. Describe the initiative, feature, or inquiry in plain English
  2. The skill identifies applicable regulations across the user's jurisdictions
  3. Runs a requirement checklist with status: Met / Not Met / Unknown
  4. Flags risk areas with severity and mitigation
  5. Returns a verdict with required approvals and recommended next steps

Example

Your initiative:
We want to launch a referral program with $50 cash rewards, available in US and EU markets, targeting existing customers.

Compliance verdict (8 minutes)

Summary: Proceed with conditions — 4 approvals needed, 2 risk areas, GDPR consent flow required for EU

Applicable Regulations
  • GDPR (EU): lawful basis = consent for marketing emails, data subject rights
  • CCPA/CPRA (California): right to opt out of sharing
  • FTC Endorsement Guides (US): material connection disclosure for referrers
  • State sweepstakes laws: cash rewards may trigger registration in NY, FL, RI

Risk Areas
  • HIGH: GDPR consent quality — must be specific, freely given, unbundled from ToS
  • MEDIUM: Referrer disclosure — needs visible 'I was referred' label per FTC

Approvals Needed
  • Privacy team — GDPR consent flow review
  • Finance — 1099 reporting threshold ($600/year per referrer)
  • Marketing legal — FTC disclosure copy
  • Product — opt-out mechanism in user settings

Metrics it improves

  • Compliance Gap Coverage (Legal): Continuous compliance monitoring on every new initiative replaces quarterly audits
  • DSAR Response Time (Legal): Routes DSARs through the right CCPA/GDPR timeline path on first read
  • Legal as Business Enabler (Legal): Same-day verdicts on marketing and product proposals instead of week-long legal blocks

Compatible tools

Ready to set up Compliance Review?

Choose how you want to get started.

Run in Claude Code
Free. Open source.

Install and run this plugin locally on your computer.

  1. Install Claude Code
     Open a terminal on your computer and paste this command:

  2. Install the plugin
     This downloads the plugin with all its files to your computer:

     Add -g at the end to make it available in all your projects.

  3. Run it
     Start Claude Code, then type the command:

/compliance-check -- Compliance Review

If you see unfamiliar placeholders or need to check which tools are connected, see CONNECTORS.md.

Run a compliance check on a proposed action, product feature, marketing campaign, or business initiative.

Important: This command assists with legal workflows but does not provide legal advice. Compliance assessments should be reviewed by qualified legal professionals. Regulatory requirements change frequently; always verify current requirements with authoritative sources.

Usage

/compliance-check $ARGUMENTS

What I Need From You

Describe what you're planning to do. Examples:

  • "We want to launch a referral program with cash rewards"
  • "We're adding biometric authentication to our mobile app"
  • "We need to process EU customer data in our US data center"
  • "Marketing wants to use customer testimonials in ads"

Output

## Compliance Check: [Initiative]

### Summary
[Quick assessment: Proceed / Proceed with conditions / Requires further review]

### Applicable Regulations and Policies
| Regulation/Policy | Relevance | Key Requirements |
|-------------------|-----------|-----------------|
| [GDPR / CCPA / HIPAA / etc.] | [How it applies] | [What you need to do] |

### Requirements
| # | Requirement | Status | Action Needed |
|---|-------------|--------|---------------|
| 1 | [Requirement] | [Met / Not Met / Unknown] | [What to do] |

### Risk Areas
| Risk | Severity | Mitigation |
|------|----------|------------|
| [Risk] | [High/Med/Low] | [How to address] |

### Recommended Actions
1. [Most important action]
2. [Second priority]
3. [Third priority]

### Approvals Needed
| Approver | Why | Status |
|----------|-----|--------|
| [Person/Team] | [Reason] | [Pending] |

### Further Review Recommended
[Areas where outside counsel or specialist review is advised]

Privacy Regulation Overview

GDPR (General Data Protection Regulation)

Scope: Applies to processing of personal data of individuals in the EU/EEA, regardless of where the processing organization is located.

Key Obligations for In-House Legal Teams:

  • Lawful basis: Identify and document lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation, vital interest, public task)
  • Data subject rights: Respond to access, rectification, erasure, portability, restriction, and objection requests within 30 days (extendable by 60 days for complex requests)
  • Data protection impact assessments (DPIAs): Required for processing likely to result in high risk to individuals
  • Breach notification: Notify supervisory authority within 72 hours of becoming aware of a personal data breach; notify affected individuals without undue delay if high risk
  • Records of processing: Maintain Article 30 records of processing activities
  • International transfers: Ensure appropriate safeguards for transfers outside EEA (SCCs, adequacy decisions, BCRs)
  • DPO requirement: Appoint a Data Protection Officer if required (public authority, large-scale processing of special categories, large-scale systematic monitoring)

CCPA / CPRA (California Consumer Privacy Act / California Privacy Rights Act)

Scope: Applies to businesses that collect personal information of California residents and meet revenue, data volume, or data sale thresholds.

Key Obligations:

  • Right to know: Consumers can request disclosure of personal information collected, used, and shared
  • Right to delete: Consumers can request deletion of their personal information
  • Right to opt-out: Consumers can opt out of the sale or sharing of personal information
  • Right to correct: Consumers can request correction of inaccurate personal information (CPRA addition)
  • Non-discrimination: Cannot discriminate against consumers who exercise their rights

Response Timelines:

  • Acknowledge receipt within 10 business days
  • Respond substantively within 45 calendar days (extendable by 45 days with notice)

Other Key Regulations to Monitor

| Regulation | Jurisdiction | Key Differentiators |
|------------|--------------|---------------------|
| LGPD (Brazil) | Brazil | Similar to GDPR; requires DPO appointment; ANPD enforcement |
| POPIA (South Africa) | South Africa | Information Regulator oversight; required registration of processing |
| PIPEDA (Canada) | Canada (federal) | Consent-based framework; OPC oversight |
| PDPA (Singapore) | Singapore | Do Not Call registry; mandatory breach notification |
| Privacy Act (Australia) | Australia | Australian Privacy Principles (APPs); notifiable data breaches scheme |
| PIPL (China) | China | Strict cross-border transfer rules; data localization requirements |
| UK GDPR | UK | Post-Brexit UK version; ICO oversight |

DPA Review Checklist

Required Article 28 elements: subject matter and duration, nature/purpose, types of personal data, categories of data subjects, controller obligations.

Processor obligations: process only on documented instructions, confidentiality, security measures, sub-processor authorization, data subject rights assistance, breach assistance, deletion/return on termination, audit rights, breach notification within 24-48 hours.

International transfers: SCCs (June 2021 version), correct module (C2P/C2C/P2P/P2C), transfer impact assessment, supplementary measures, UK addendum if applicable.

Data Subject Request Handling

Request types: access, rectification, erasure, restriction, portability, objection, opt-out (CCPA/CPRA), limit use of sensitive PI (CPRA).

Response timelines: GDPR 30 days (+60), CCPA/CPRA 45 days (+45), LGPD 15 days.

Common exemptions: legal claims defense, legal obligations requiring retention, public interest, freedom of expression (erasure), litigation hold, regulatory retention periods.

Tips

  1. Be specific — "We want to email all our users" is better than "marketing campaign."
  2. Include the geography — Compliance requirements vary by jurisdiction.
  3. Mention the data — What personal data is involved?