Compliance — Empire UI Kit (Base)
Kit-developer note: when you fork UI00-BASE into a new kit, rename this heading to
# Compliance — UI<XX> <KitName>(e.g.# Compliance — UI03 ShieldOps). Buyers reading their kit's COMPLIANCE.md should see their kit's name, not the foundation reference.
This kit ships structural scaffolding for the most common UK, EU, and US regulatory baselines so that buyers can fill in real values and ship a broadly compliant site without re-engineering the legal layer.
You — the buyer — are the compliant party, not the kit author. The kit is sold as source code that you host yourself. Your obligations under UK GDPR, EU GDPR, CCPA / CPRA, ADA, DMCA, Companies Act, DMCC, ePrivacy, etc. attach to your hosted site. The kit cannot give legal advice. Confirm wording with your own legal counsel before publishing.
At a glance — what this kit ships
| Concern | Files / config | Buyer must |
|---|---|---|
| Accessibility statement | /accessibility/ route, footer link | Update LAST_REVIEWED date + KNOWN_LIMITATIONS after each audit |
| WCAG 2.2 AA / WCAG 2.1 AA | every component, design tokens, focus traps, reduced-motion | Run their own audit; meet their procurement obligations |
| Cookie consent banner | src/components/ui/cookie-consent.tsx, SITE_CONFIG.cookieConsent | Flip enabled: true when wiring analytics; gate scripts on getConsent() |
| Global Privacy Control (GPC) | Auto-honoured by the cookie-consent component | Verify their analytics SDK respects getConsent() |
| Footer registered-entity block | src/components/layout/footer.tsx, SITE_CONFIG.legalEntity | Replace every REPLACE WITH ... placeholder |
/privacy/ template | src/app/privacy/page.tsx with full UK / EU / US-state rights enumerations + DNT + GPC | Re-write with their actual data flows; pass through legal counsel |
/terms/ template | src/app/terms/page.tsx | Same — confirm with legal counsel |
/cookie-policy/ template | src/app/cookie-policy/page.tsx | Update cookie list once they wire real cookies |
/dmca/ page | DMCA designated agent disclosure (US) | Register agent with US Copyright Office, fill SITE_CONFIG.compliance.dmca |
/do-not-sell/ page | CCPA / CPRA opt-out (US) | Toggle SITE_CONFIG.compliance.ccpa.doNotSell to surface the footer link; build the actual server-side opt-out flow |
| AI-disclosure labels | Visible "AI-generated" phrasing on every chat / agent / playground / generation surface | Confirm disclosure wording matches their AI provider's brand-usage rules |
| Region toggles | SITE_CONFIG.regions.{uk,eu,us} drives footer link visibility | Switch off any region they don't actually serve |
| Modern Slavery Statement | Footer link rendered when compliance.modernSlaveryStatementUrl is set | Publish their statement (mandatory if turnover ≥ £36M) |
| Professional regulator disclosure | Footer renders regulator + regulatorNumber when set | Fill in if they are a regulated profession |
Region matrix — what applies where
SITE_CONFIG.regions = {
uk: true, // Show UK-specific footer items
eu: true, // Show EU-specific items (privacy, AI Act language)
us: true, // Show US state-privacy + DMCA links
};
Set the regions you actually serve. Some examples:
- UK-only SaaS:
{ uk: true, eu: false, us: false }— shows Modern Slavery link (when set), hides US "Do Not Sell" footer link. - US-first AI tool:
{ uk: false, eu: false, us: true }— surfaces Do Not Sell + DMCA, hides UK Companies Act layout (still renders entity block but you'd customise). - Global:
{ uk: true, eu: true, us: true }— all the things.
UK — what you need
Companies Act 2006 §82 (footer disclosures)
- Registered company name →
SITE_CONFIG.legalEntity.companyName - Company registration number →
legalEntity.companyNumber - Place of registration ("Registered in England and Wales") →
legalEntity.placeOfRegistration - Registered office address →
legalEntity.registeredAddress - VAT number (if registered) →
legalEntity.vatNumber - Direct contact email →
SITE_CONFIG.contact.email - Regulator + membership number (regulated professions only) →
legalEntity.regulator/regulatorNumber
UK GDPR + Data (Use and Access) Act 2025
- Privacy policy listing the eight rights (access, rectification, erasure, restriction, portability, objection, lodge a complaint, automated decision-making) — already in the
/privacy/template - Lawful basis for processing each category of personal data — buyer adds
- Cookie consent banner with
Reject allat parity withAccept all✓ scaffolded - DUAA 2025 relaxation: UK-only sites with strictly-statistical analytics may now omit the cookie banner; advertising/tracking still needs consent. Toggle accordingly.
- GPC honoured automatically ✓
Consumer Rights Act 2015 / Consumer Contracts Regs (e-commerce only)
- 14-day right to cancel — buyer adds to
/terms/if selling goods/services - Digital goods compatibility statement — buyer adds
- Default 30-day delivery time — buyer adds
- Total price upfront (no "drip pricing") — DMCC requirement; audit your
/pricing/page
DMCC Act 2025
- Fake review verification — kit ships fictional placeholder testimonials. If you replace with real reviews you must take "reasonable steps" to verify each reviewer used the product/service. Posting or paying for fake reviews is a criminal offence.
- Subscription traps: easy one-click online cancellation, free-trial reminder before charge, contract-renewal reminder. Backend concern — the kit doesn't ship the cancel flow.
Modern Slavery Act 2015 §54
- Mandatory only if turnover ≥ £36M
- Set
compliance.modernSlaveryStatementUrlto the published statement; footer link renders automatically
EU — what you need
EU GDPR
- Same eight rights as UK GDPR — already in
/privacy/template - Lawful basis under Art 6 — buyer adds
- DPO contact (if appointed) — buyer adds to
/privacy/ - SCCs / adequacy decision references for international transfers — buyer adds
EU AI Act (Regulation 2024/1689)
- AI-system disclosure to users on every generation surface ✓ scaffolded
- Human-oversight notice on high-risk AI uses — buyer adds if applicable
- Synthetic-content marking (deepfake / AI-image) — buyer adds if applicable
EU Accessibility Act (EAA, 28 June 2025)
- WCAG 2.2 AA targeted ✓ kit-wide
/accessibility/statement page ✓ scaffolded- Update
LAST_REVIEWEDannually after re-audit
ePrivacy Directive
- Cookie consent before non-essential scripts ✓ scaffolded
- Reject-All at parity with Accept-All ✓ enforced by component
US — what you need
State Privacy Laws (CCPA / CPRA + 19 others as of April 2026)
- Privacy notice listing the right to know, delete, correct, opt-out of sale/sharing, limit sensitive PI use, and non-discrimination ✓ in
/privacy/template - "Do Not Sell or Share My Personal Information" footer link → toggle
compliance.ccpa.doNotSell = true(only if you actually sell or share PII for cross-context behavioural ads) - "Limit Use of My Sensitive Personal Information" footer link → toggle
compliance.ccpa.sensitivePII = true(only if you collect sensitive PII) - Verifiable opt-out flow within 15 business days (CPRA) / 45 days (CCPA) — backend concern
- Honour Global Privacy Control browser signal ✓ done in cookie-consent component
COPPA + COPPA Rule update (April 2026)
- Verifiable parental consent if directed at children under 13 — buyer adds if applicable
- Data-retention limits + stricter opt-in for targeted advertising to minors — buyer adds
- The Children's Code (UK Age-Appropriate Design) overlaps; the kit does no profiling by default
ADA Title III + DOJ April 2026 deadline
- WCAG 2.1 AA is the US legal benchmark; WCAG 2.2 AA (which the kit targets) is a strict superset and satisfies it
/accessibility/statement reflects this dual standard
DMCA (17 USC §512)
- Designated Copyright Agent →
compliance.dmca.{agentName, agentEmail, agentAddress} /dmca/page renders the agent contact + notice procedure ✓ scaffolded- Register your agent with the US Copyright Office (annual renewal, $6) before publishing user content
- Footer link auto-renders once
agentNameis set to a non-placeholder value
CalOPPA — Do Not Track signal disclosure
- Privacy policy must state how you respond to DNT ✓ section 8 in
/privacy/template
Sales tax / Nexus / PCI DSS
- E-commerce only — backend / payment-processor concern. The kit doesn't ship checkout.
What you must do before publishing — short version
- Fill
SITE_CONFIG.legalEntitywith your real registered details. - Set
SITE_CONFIG.regionsto the regions you actually serve. - If you sell/share PII for cross-context advertising, set
compliance.ccpa.doNotSell = true. - If you publish user-uploaded content, register a DMCA agent with the US Copyright Office, fill
compliance.dmca.*, and the footer link auto-appears. - Update
LAST_REVIEWEDandKNOWN_LIMITATIONSinsrc/app/accessibility/page.tsx. - Pass
/privacy/,/terms/,/cookie-policy/,/dmca/,/do-not-sell/through your own legal counsel. - When you wire analytics or marketing scripts, set
cookieConsent.enabled = trueand gate every script tag ongetConsent(). - Confirm AI-disclosure label wording matches your AI provider's brand-usage rules.
- Verify your build doesn't ship pre-checked marketing-consent boxes (the kit doesn't, but custom additions might).
- Audit your
/pricing/page for "drip pricing" — total price + mandatory fees must be visible upfront.
What is NOT covered (full-stack concerns)
- Data subject access / portability flows — requires a real backend + account data
- Right-to-erasure / consent withdrawal automation — backend concern
- UGC moderation pipelines — kit ships no UGC
- Subscription cancellation flows — backend concern (DMCC §29 requires one-click online cancel)
- Sales tax calculation / Nexus — checkout / backend concern
- PCI DSS — payment processor concern
- Sub-processor list maintenance — buyer-specific
- Real-time content moderation (UK Online Safety Act) — kit ships no UGC
Related references
- Quality Gate 17 (UK/EU Compliance Disclosures) — the deterministic checks every kit must pass before listing.
docs/01_standards/03_compliance.md(org-level) — the full standard with verification commands.DEMO_CONTENT.md— placeholder-replacement checklist (brand, copy, images).
See Template Empire's compliance standards for how every kit is held to — and audited against — these requirements.