Compliance — UI01 Aria (AI SaaS)
This kit ships structural scaffolding for the most common UK, EU, and US regulatory baselines so that buyers can fill in real values and ship a broadly compliant site without re-engineering the legal layer.
You — the buyer — are the compliant party, not the kit author. The kit is sold as source code that you host yourself. Your obligations under UK GDPR, EU GDPR, CCPA / CPRA, ADA, DMCA, Companies Act, DMCC, ePrivacy, etc. attach to your hosted site. The kit cannot give legal advice. Confirm wording with your own legal counsel before publishing.
At a glance — what this kit ships
| Concern | Files / config | Buyer must |
|---|---|---|
| Accessibility statement | /accessibility/ route, footer link | Update LAST_REVIEWED date + KNOWN_LIMITATIONS after each audit |
| WCAG 2.2 AA / WCAG 2.1 AA | every component, design tokens, focus traps, reduced-motion | Run their own audit; meet their procurement obligations |
| Cookie consent banner | src/components/ui/cookie-consent.tsx, SITE_CONFIG.cookieConsent | Flip enabled: true when wiring analytics; gate scripts on getConsent() |
| Global Privacy Control (GPC) | Auto-honoured by the cookie-consent component | Verify their analytics SDK respects getConsent() |
| Footer registered-entity block | src/components/layout/footer.tsx, SITE_CONFIG.legalEntity | Replace every REPLACE WITH ... placeholder |
/privacy/ template | src/app/privacy/page.tsx with full UK / EU / US-state rights enumerations + DNT + GPC | Re-write with their actual data flows; pass through legal counsel |
/terms/ template | src/app/terms/page.tsx | Same — confirm with legal counsel |
/cookie-policy/ template | src/app/cookie-policy/page.tsx | Update cookie list once they wire real cookies |
/dmca/ page | DMCA designated agent disclosure (US) | Register agent with US Copyright Office, fill SITE_CONFIG.compliance.dmca |
/do-not-sell/ page | CCPA / CPRA opt-out (US) | Toggle SITE_CONFIG.compliance.ccpa.doNotSell to surface the footer link; build the actual server-side opt-out flow |
| AI-disclosure labels | Visible "AI-generated" phrasing on every chat / agent / playground / prompt-builder / model-comparison / brand-voice / generation surface | Confirm disclosure wording matches their AI provider's brand-usage rules |
| Region toggles | SITE_CONFIG.regions.{uk,eu,us} drives footer link visibility | Switch off any region they don't actually serve |
| Modern Slavery Statement | Footer link rendered when compliance.modernSlaveryStatementUrl is set | Publish their statement (mandatory if turnover ≥ £36M) |
| Professional regulator disclosure | Footer renders regulator + regulatorNumber when set | Fill in if they are a regulated profession |
Region matrix — what applies where
SITE_CONFIG.regions = {
uk: true, // Show UK-specific footer items
eu: true, // Show EU-specific items (privacy, AI Act language)
us: true, // Show US state-privacy + DMCA links
};
Set the regions you actually serve. Some examples:
- UK-only SaaS:
{ uk: true, eu: false, us: false }— shows Modern Slavery link (when set), hides US "Do Not Sell" footer link. - US-first AI tool:
{ uk: false, eu: false, us: true }— surfaces Do Not Sell + DMCA, hides UK Companies Act layout (still renders entity block but you'd customise). - Global:
{ uk: true, eu: true, us: true }— all the things.
UK — what you need
Companies Act 2006 §82 (footer disclosures)
- Registered company name →
SITE_CONFIG.legalEntity.companyName - Company registration number →
legalEntity.companyNumber - Place of registration ("Registered in England and Wales") →
legalEntity.placeOfRegistration - Registered office address →
legalEntity.registeredAddress - VAT number (if registered) →
legalEntity.vatNumber - Direct contact email →
SITE_CONFIG.contact.email - Regulator + membership number (regulated professions only) →
legalEntity.regulator/regulatorNumber
UK GDPR + Data (Use and Access) Act 2025
- Privacy policy listing the eight rights (access, rectification, erasure, restriction, portability, objection, lodge a complaint, automated decision-making) — already in the
/privacy/template - Lawful basis for processing each category of personal data — buyer adds
- Cookie consent banner with
Reject allat parity withAccept all✓ scaffolded - DUAA 2025 relaxation: UK-only sites with strictly-statistical analytics may now omit the cookie banner; advertising/tracking still needs consent. Toggle accordingly.
- GPC honoured automatically ✓
Consumer Rights Act 2015 / Consumer Contracts Regs (e-commerce only)
- 14-day right to cancel — buyer adds to
/terms/if selling goods/services - Digital goods compatibility statement — buyer adds
- Default 30-day delivery time — buyer adds
- Total price upfront (no "drip pricing") — DMCC requirement; audit your
/pricing/page
DMCC Act 2025
- Fake review verification — kit ships fictional placeholder testimonials. If you replace with real reviews you must take "reasonable steps" to verify each reviewer used the product/service. Posting or paying for fake reviews is a criminal offence.
- Subscription traps: easy one-click online cancellation, free-trial reminder before charge, contract-renewal reminder. Backend concern — the kit doesn't ship the cancel flow.
Modern Slavery Act 2015 §54
- Mandatory only if turnover ≥ £36M
- Set
compliance.modernSlaveryStatementUrlto the published statement; footer link renders automatically
EU — what you need
EU GDPR
- Same eight rights as UK GDPR — already in
/privacy/template - Lawful basis under Art 6 — buyer adds
- DPO contact (if appointed) — buyer adds to
/privacy/ - SCCs / adequacy decision references for international transfers — buyer adds
EU AI Act (Regulation 2024/1689)
- AI-system disclosure to users on every generation surface ✓ scaffolded
- Human-oversight notice on high-risk AI uses — buyer adds if applicable
- Synthetic-content marking (deepfake / AI-image) — buyer adds if applicable
EU Accessibility Act (EAA, 28 June 2025)
- WCAG 2.2 AA targeted ✓ kit-wide
/accessibility/statement page ✓ scaffolded- Update
LAST_REVIEWEDannually after re-audit
ePrivacy Directive
- Cookie consent before non-essential scripts ✓ scaffolded
- Reject-All at parity with Accept-All ✓ enforced by component
US — what you need
State Privacy Laws (CCPA / CPRA + 19 others as of April 2026)
- Privacy notice listing the right to know, delete, correct, opt-out of sale/sharing, limit sensitive PI use, and non-discrimination ✓ in
/privacy/template - "Do Not Sell or Share My Personal Information" footer link → toggle
compliance.ccpa.doNotSell = true(only if you actually sell or share PII for cross-context behavioural ads) - "Limit Use of My Sensitive Personal Information" footer link → toggle
compliance.ccpa.sensitivePII = true(only if you collect sensitive PII) - Verifiable opt-out flow within 15 business days (CPRA) / 45 days (CCPA) — backend concern
- Honour Global Privacy Control browser signal ✓ done in cookie-consent component
COPPA + COPPA Rule update (April 2026)
- Verifiable parental consent if directed at children under 13 — buyer adds if applicable
- Data-retention limits + stricter opt-in for targeted advertising to minors — buyer adds
- The Children's Code (UK Age-Appropriate Design) overlaps; the kit does no profiling by default
ADA Title II public-entity web rule + Title III procurement risk
- DOJ adopted WCAG 2.1 AA as the technical standard for ADA Title II state and local government web/mobile content. An April 20, 2026 interim final rule extended the compliance dates to April 26, 2027 for public entities with populations of 50,000+ and April 26, 2028 for public entities below 50,000 and special district governments. Confirm current dates at ADA.gov before publishing for a public-entity buyer.
- Private-sector ADA Title III risk is still usually assessed against WCAG 2.1 AA in practice; WCAG 2.2 AA (which the kit targets) is a strict superset and satisfies that benchmark.
/accessibility/statement reflects this dual standard.
DMCA (17 USC §512)
- Designated Copyright Agent →
compliance.dmca.{agentName, agentEmail, agentAddress} /dmca/page renders the agent contact + notice procedure ✓ scaffolded- Register your agent with the US Copyright Office (annual renewal, $6) before publishing user content
- Footer link auto-renders once
agentNameis set to a non-placeholder value
CalOPPA — Do Not Track signal disclosure
- Privacy policy must state how you respond to DNT ✓ section 8 in
/privacy/template
Sales tax / Nexus / PCI DSS
- E-commerce only — backend / payment-processor concern. The kit doesn't ship checkout.
What you must do before publishing — short version
- Fill
SITE_CONFIG.legalEntitywith your real registered details. - Set
SITE_CONFIG.regionsto the regions you actually serve. - If you sell/share PII for cross-context advertising, set
compliance.ccpa.doNotSell = true. - If you publish user-uploaded content, register a DMCA agent with the US Copyright Office, fill
compliance.dmca.*, and the footer link auto-appears. - Update
LAST_REVIEWEDandKNOWN_LIMITATIONSinsrc/app/accessibility/page.tsx. - Pass
/privacy/,/terms/,/cookie-policy/,/dmca/,/do-not-sell/through your own legal counsel. - When you wire analytics or marketing scripts, set
cookieConsent.enabled = trueand gate every script tag ongetConsent(). - Confirm AI-disclosure label wording matches your AI provider's brand-usage rules.
- Verify your build doesn't ship pre-checked marketing-consent boxes (the kit doesn't, but custom additions might).
- Audit your
/pricing/page for "drip pricing" — total price + mandatory fees must be visible upfront.
What is NOT covered (full-stack concerns)
- Data subject access / portability flows — requires a real backend + account data
- Right-to-erasure / consent withdrawal automation — backend concern
- UGC moderation pipelines — kit ships no UGC
- Subscription cancellation flows — backend concern (DMCC §29 requires one-click online cancel)
- Sales tax calculation / Nexus — checkout / backend concern
- PCI DSS — payment processor concern
- Sub-processor list maintenance — buyer-specific
- Real-time content moderation (UK Online Safety Act) — kit ships no UGC
Related references
- Quality Gate 17 (UK/EU Compliance Disclosures) — the deterministic checks every kit must pass before listing.
DEMO_CONTENT.md— placeholder-replacement checklist (brand, copy, images).
See Template Empire's compliance standards for how every kit is held to — and audited against — these requirements.