Skip to main content
Skip to content

Last updated on 4 June 2026

Compliance — UI07 Ember (Marketing)

Note for buyers: Ember is a startup / marketing UI kit. The scaffolding below covers the standard UK/EU/US baselines. You are responsible for filling in real values, choosing which regions apply to your audience, and confirming wording with your own legal counsel.

This kit ships structural scaffolding for the most common UK, EU, and US regulatory baselines so that buyers can fill in real values and ship a broadly compliant site without re-engineering the legal layer.

You — the buyer — are the compliant party, not the kit author. The kit is sold as source code that you host yourself. Your obligations under UK GDPR, EU GDPR, CCPA / CPRA, ADA, DMCA, Companies Act, DMCC, ePrivacy, etc. attach to your hosted site. The kit cannot give legal advice. Confirm wording with your own legal counsel before publishing.


At a glance — what this kit ships

ConcernFiles / configBuyer must
Accessibility statement/accessibility/ route, footer linkUpdate LAST_REVIEWED date + KNOWN_LIMITATIONS after each audit
WCAG 2.2 AA / WCAG 2.1 AAevery component, design tokens, focus traps, reduced-motionRun their own audit; meet their procurement obligations
Cookie consent bannersrc/components/ui/cookie-consent.tsx, SITE_CONFIG.cookieConsentFlip enabled: true when wiring analytics; gate scripts on getConsent()
Global Privacy Control (GPC)Auto-honoured by the cookie-consent componentVerify their analytics SDK respects getConsent()
Footer registered-entity blocksrc/components/layout/footer.tsx, SITE_CONFIG.legalEntityReplace every REPLACE WITH ... placeholder
/privacy/ templatesrc/app/privacy/page.tsx with full UK / EU / US-state rights enumerations + DNT + GPCRe-write with their actual data flows; pass through legal counsel
/terms/ templatesrc/app/terms/page.tsxSame — confirm with legal counsel
/cookie-policy/ templatesrc/app/cookie-policy/page.tsxUpdate cookie list once they wire real cookies
/dmca/ pageDMCA designated agent disclosure (US)Register agent with US Copyright Office, fill SITE_CONFIG.compliance.dmca
/do-not-sell/ pageCCPA / CPRA opt-out (US)Toggle SITE_CONFIG.compliance.ccpa.doNotSell to surface the footer link; build the actual server-side opt-out flow
AI-disclosure labelsVisible "AI-generated" phrasing on every chat / agent / playground / generation surfaceConfirm disclosure wording matches their AI provider's brand-usage rules
Region togglesSITE_CONFIG.regions.{uk,eu,us} drives footer link visibilitySwitch off any region they don't actually serve
Modern Slavery StatementFooter link rendered when compliance.modernSlaveryStatementUrl is setPublish their statement (mandatory if turnover ≥ £36M)
Professional regulator disclosureFooter renders regulator + regulatorNumber when setFill in if they are a regulated profession

Region matrix — what applies where

ts
SITE_CONFIG.regions = {
  uk: true,  // Show UK-specific footer items
  eu: true,  // Show EU-specific items (privacy, AI Act language)
  us: true,  // Show US state-privacy + DMCA links
};

Set the regions you actually serve. Some examples:

  • UK-only SaaS: { uk: true, eu: false, us: false } — shows Modern Slavery link (when set), hides US "Do Not Sell" footer link.
  • US-first AI tool: { uk: false, eu: false, us: true } — surfaces Do Not Sell + DMCA, hides UK Companies Act layout (still renders entity block but you'd customise).
  • Global: { uk: true, eu: true, us: true } — all the things.

UK — what you need

  • Registered company name → SITE_CONFIG.legalEntity.companyName
  • Company registration number → legalEntity.companyNumber
  • Place of registration ("Registered in England and Wales") → legalEntity.placeOfRegistration
  • Registered office address → legalEntity.registeredAddress
  • VAT number (if registered) → legalEntity.vatNumber
  • Direct contact email → SITE_CONFIG.contact.email
  • Regulator + membership number (regulated professions only) → legalEntity.regulator / regulatorNumber

UK GDPR + Data (Use and Access) Act 2025

  • Privacy policy listing the eight rights (access, rectification, erasure, restriction, portability, objection, lodge a complaint, automated decision-making) — already in the /privacy/ template
  • Lawful basis for processing each category of personal data — buyer adds
  • Cookie consent banner with Reject all at parity with Accept all ✓ scaffolded
  • DUAA 2025 relaxation: UK-only sites with strictly-statistical analytics may now omit the cookie banner; advertising/tracking still needs consent. Toggle accordingly.
  • GPC honoured automatically ✓

Consumer Rights Act 2015 / Consumer Contracts Regs (e-commerce only)

  • 14-day right to cancel — buyer adds to /terms/ if selling goods/services
  • Digital goods compatibility statement — buyer adds
  • Default 30-day delivery time — buyer adds
  • Total price upfront (no "drip pricing") — DMCC requirement; audit your /pricing/ page

DMCC Act 2025

  • Fake review verification — kit ships fictional placeholder testimonials. If you replace with real reviews you must take "reasonable steps" to verify each reviewer used the product/service. Posting or paying for fake reviews is a criminal offence.
  • Subscription traps: easy one-click online cancellation, free-trial reminder before charge, contract-renewal reminder. Backend concern — the kit doesn't ship the cancel flow.

Modern Slavery Act 2015 §54

  • Mandatory only if turnover ≥ £36M
  • Set compliance.modernSlaveryStatementUrl to the published statement; footer link renders automatically

EU — what you need

EU GDPR

  • Same eight rights as UK GDPR — already in /privacy/ template
  • Lawful basis under Art 6 — buyer adds
  • DPO contact (if appointed) — buyer adds to /privacy/
  • SCCs / adequacy decision references for international transfers — buyer adds

EU AI Act (Regulation 2024/1689)

  • AI-system disclosure to users on every generation surface ✓ scaffolded
  • Human-oversight notice on high-risk AI uses — buyer adds if applicable
  • Synthetic-content marking (deepfake / AI-image) — buyer adds if applicable

EU Accessibility Act (EAA, 28 June 2025)

  • WCAG 2.2 AA targeted ✓ kit-wide
  • /accessibility/ statement page ✓ scaffolded
  • Update LAST_REVIEWED annually after re-audit

ePrivacy Directive

  • Cookie consent before non-essential scripts ✓ scaffolded
  • Reject-All at parity with Accept-All ✓ enforced by component

US — what you need

State Privacy Laws (CCPA / CPRA + 19 others as of April 2026)

  • Privacy notice listing the right to know, delete, correct, opt-out of sale/sharing, limit sensitive PI use, and non-discrimination ✓ in /privacy/ template
  • "Do Not Sell or Share My Personal Information" footer link → toggle compliance.ccpa.doNotSell = true (only if you actually sell or share PII for cross-context behavioural ads)
  • "Limit Use of My Sensitive Personal Information" footer link → toggle compliance.ccpa.sensitivePII = true (only if you collect sensitive PII)
  • Verifiable opt-out flow within 15 business days (CPRA) / 45 days (CCPA) — backend concern
  • Honour Global Privacy Control browser signal ✓ done in cookie-consent component

COPPA + COPPA Rule update (April 2026)

  • Verifiable parental consent if directed at children under 13 — buyer adds if applicable
  • Data-retention limits + stricter opt-in for targeted advertising to minors — buyer adds
  • The Children's Code (UK Age-Appropriate Design) overlaps; the kit does no profiling by default

ADA Title III + DOJ April 2026 deadline

  • WCAG 2.1 AA is the US legal benchmark; WCAG 2.2 AA (which the kit targets) is a strict superset and satisfies it
  • /accessibility/ statement reflects this dual standard

DMCA (17 USC §512)

  • Designated Copyright Agent → compliance.dmca.{agentName, agentEmail, agentAddress}
  • /dmca/ page renders the agent contact + notice procedure ✓ scaffolded
  • Register your agent with the US Copyright Office (annual renewal, $6) before publishing user content
  • Footer link auto-renders once agentName is set to a non-placeholder value

CalOPPA — Do Not Track signal disclosure

  • Privacy policy must state how you respond to DNT ✓ section 8 in /privacy/ template

Sales tax / Nexus / PCI DSS

  • E-commerce only — backend / payment-processor concern. The kit doesn't ship checkout.

What you must do before publishing — short version

  1. Fill SITE_CONFIG.legalEntity with your real registered details.
  2. Set SITE_CONFIG.regions to the regions you actually serve.
  3. If you sell/share PII for cross-context advertising, set compliance.ccpa.doNotSell = true.
  4. If you publish user-uploaded content, register a DMCA agent with the US Copyright Office, fill compliance.dmca.*, and the footer link auto-appears.
  5. Update LAST_REVIEWED and KNOWN_LIMITATIONS in src/app/accessibility/page.tsx.
  6. Pass /privacy/, /terms/, /cookie-policy/, /dmca/, /do-not-sell/ through your own legal counsel.
  7. When you wire analytics or marketing scripts, set cookieConsent.enabled = true and gate every script tag on getConsent().
  8. Confirm AI-disclosure label wording matches your AI provider's brand-usage rules.
  9. Verify your build doesn't ship pre-checked marketing-consent boxes (the kit doesn't, but custom additions might).
  10. Audit your /pricing/ page for "drip pricing" — total price + mandatory fees must be visible upfront.

What is NOT covered (full-stack concerns)

  • Data subject access / portability flows — requires a real backend + account data
  • Right-to-erasure / consent withdrawal automation — backend concern
  • UGC moderation pipelines — kit ships no UGC
  • Subscription cancellation flows — backend concern (DMCC §29 requires one-click online cancel)
  • Sales tax calculation / Nexus — checkout / backend concern
  • PCI DSS — payment processor concern
  • Sub-processor list maintenance — buyer-specific
  • Real-time content moderation (UK Online Safety Act) — kit ships no UGC

  • Quality Gate 17 (UK/EU Compliance Disclosures) — the deterministic checks every kit must pass before listing.
  • docs/01_standards/03_compliance.md (org-level) — the full standard with verification commands.
  • DEMO_CONTENT.md — placeholder-replacement checklist (brand, copy, images).

See Template Empire's compliance standards for how every kit is held to — and audited against — these requirements.