Skip to main content
Skip to content

Last updated on 4 June 2026

Compliance — Empire UI Kit (Base)

This kit ships structural scaffolding for the most common UK, EU, and US regulatory baselines so that buyers can fill in real values and ship a broadly compliant site without re-engineering the legal layer.

You — the buyer — are the compliant party, not the kit author. The kit is sold as source code that you host yourself. Your obligations under UK GDPR, EU GDPR, CCPA / CPRA, ADA, DMCA, Companies Act, DMCC, ePrivacy, etc. attach to your hosted site. The kit cannot give legal advice. Confirm wording with your own legal counsel before publishing.


At a glance — what this kit ships

ConcernFiles / configBuyer must
Accessibility statement/accessibility/ route, footer linkUpdate LAST_REVIEWED date + KNOWN_LIMITATIONS after each audit
WCAG 2.2 AA / WCAG 2.1 AAevery component, design tokens, focus traps, reduced-motionRun their own audit; meet their procurement obligations
Cookie consent bannersrc/components/ui/cookie-consent.tsx, SITE_CONFIG.cookieConsentFlip enabled: true when wiring analytics; gate scripts on getConsent()
Global Privacy Control (GPC)Auto-honoured by the cookie-consent componentVerify their analytics SDK respects getConsent()
Footer registered-entity blocksrc/components/layout/site-footer.tsx, SITE_CONFIG.legalEntityReplace every REPLACE WITH ... placeholder
/privacy/ templatesrc/app/privacy/page.tsx with full UK / EU / US-state rights enumerations + DNT + GPCRe-write with their actual data flows; pass through legal counsel
/terms/ templatesrc/app/terms/page.tsxSame — confirm with legal counsel
/cookie-policy/ templatesrc/app/cookie-policy/page.tsxUpdate cookie list once they wire real cookies
/dmca/ pageDMCA designated agent disclosure (US)Register agent with US Copyright Office, fill SITE_CONFIG.compliance.dmca
/do-not-sell/ pageCCPA / CPRA opt-out (US)Toggle SITE_CONFIG.compliance.ccpa.doNotSell to surface the footer link; build the actual server-side opt-out flow
AI-disclosure labelsVisible "AI-generated" phrasing on every chat / agent / playground / generation surfaceConfirm disclosure wording matches their AI provider's brand-usage rules
Region togglesSITE_CONFIG.regions.{uk,eu,us} drives footer link visibilitySwitch off any region they don't actually serve
Modern Slavery StatementFooter link rendered when compliance.modernSlaveryStatementUrl is setPublish their statement (mandatory if turnover ≥ £36M)
Professional regulator disclosureFooter renders regulator + regulatorNumber when setFill in if they are a regulated profession

Region matrix — what applies where

ts
SITE_CONFIG.regions = {
  uk: true,  // Show UK-specific footer items
  eu: true,  // Show EU-specific items (privacy, AI Act language)
  us: true,  // Show US state-privacy + DMCA links
};

Set the regions you actually serve. Some examples:

  • UK-only SaaS: { uk: true, eu: false, us: false } — shows Modern Slavery link (when set), hides US "Do Not Sell" footer link.
  • US-first AI tool: { uk: false, eu: false, us: true } — surfaces Do Not Sell + DMCA, hides UK Companies Act layout (still renders entity block but you'd customise).
  • Global: { uk: true, eu: true, us: true } — all the things.

UK — what you need

  • Registered company name → SITE_CONFIG.legalEntity.companyName
  • Company registration number → legalEntity.companyNumber
  • Place of registration ("Registered in England and Wales") → legalEntity.placeOfRegistration
  • Registered office address → legalEntity.registeredAddress
  • VAT number (if registered) → legalEntity.vatNumber
  • Direct contact email → SITE_CONFIG.email.legal
  • Regulator + membership number (regulated professions only) → legalEntity.regulator / regulatorNumber

UK GDPR + Data (Use and Access) Act 2025

  • Privacy policy listing the eight rights (access, rectification, erasure, restriction, portability, objection, lodge a complaint, automated decision-making) — already in the /privacy/ template
  • Lawful basis for processing each category of personal data — buyer adds
  • Cookie consent banner with Reject all at parity with Accept all ✓ scaffolded
  • DUAA 2025 relaxation: UK-only sites with strictly-statistical analytics may now omit the cookie banner; advertising/tracking still needs consent. Toggle accordingly.
  • GPC honoured automatically ✓

Consumer Rights Act 2015 / Consumer Contracts Regs (e-commerce only)

  • 14-day right to cancel — buyer adds to /terms/ if selling goods/services
  • Digital goods compatibility statement — buyer adds
  • Default 30-day delivery time — buyer adds
  • Total price upfront (no "drip pricing") — DMCC requirement; audit your /pricing/ page

DMCC Act 2025

  • Fake review verification — kit ships fictional placeholder testimonials. If you replace with real reviews you must take "reasonable steps" to verify each reviewer used the product/service. Posting or paying for fake reviews is a criminal offence.
  • Subscription traps: easy one-click online cancellation, free-trial reminder before charge, contract-renewal reminder. Backend concern — the kit doesn't ship the cancel flow.

Modern Slavery Act 2015 §54

  • Mandatory only if turnover ≥ £36M
  • Set compliance.modernSlaveryStatementUrl to the published statement; footer link renders automatically

EU — what you need

EU GDPR

  • Same eight rights as UK GDPR — already in /privacy/ template
  • Lawful basis under Art 6 — buyer adds
  • DPO contact (if appointed) — buyer adds to /privacy/
  • SCCs / adequacy decision references for international transfers — buyer adds

EU AI Act (Regulation 2024/1689)

  • AI-system disclosure to users on every generation surface ✓ scaffolded
  • Human-oversight notice on high-risk AI uses — buyer adds if applicable
  • Synthetic-content marking (deepfake / AI-image) — buyer adds if applicable

EU Accessibility Act (EAA, 28 June 2025)

  • WCAG 2.2 AA targeted ✓ kit-wide
  • /accessibility/ statement page ✓ scaffolded
  • Update LAST_REVIEWED annually after re-audit

ePrivacy Directive

  • Cookie consent before non-essential scripts ✓ scaffolded
  • Reject-All at parity with Accept-All ✓ enforced by component

US — what you need

State Privacy Laws (CCPA / CPRA + 19 others as of April 2026)

  • Privacy notice listing the right to know, delete, correct, opt-out of sale/sharing, limit sensitive PI use, and non-discrimination ✓ in /privacy/ template
  • "Do Not Sell or Share My Personal Information" footer link → toggle compliance.ccpa.doNotSell = true (only if you actually sell or share PII for cross-context behavioural ads)
  • "Limit Use of My Sensitive Personal Information" footer link → toggle compliance.ccpa.sensitivePII = true (only if you collect sensitive PII)
  • Verifiable opt-out flow within 15 business days (CPRA) / 45 days (CCPA) — backend concern
  • Honour Global Privacy Control browser signal ✓ done in cookie-consent component

COPPA + COPPA Rule update (April 2026)

  • Verifiable parental consent if directed at children under 13 — buyer adds if applicable
  • Data-retention limits + stricter opt-in for targeted advertising to minors — buyer adds
  • The Children's Code (UK Age-Appropriate Design) overlaps; the kit does no profiling by default

ADA Title III + DOJ April 2026 deadline

  • WCAG 2.1 AA is the US legal benchmark; WCAG 2.2 AA (which the kit targets) is a strict superset and satisfies it
  • /accessibility/ statement reflects this dual standard

DMCA (17 USC §512)

  • Designated Copyright Agent → compliance.dmca.{agentName, agentEmail, agentAddress}
  • /dmca/ page renders the agent contact + notice procedure ✓ scaffolded
  • Register your agent with the US Copyright Office (annual renewal, $6) before publishing user content
  • Footer link auto-renders once agentName is set to a non-placeholder value

CalOPPA — Do Not Track signal disclosure

  • Privacy policy must state how you respond to DNT ✓ section 8 in /privacy/ template

Sales tax / Nexus / PCI DSS

  • E-commerce only — backend / payment-processor concern. The kit doesn't ship checkout.

What you must do before publishing — short version

  1. Fill SITE_CONFIG.legalEntity with your real registered details.
  2. Set SITE_CONFIG.regions to the regions you actually serve.
  3. If you sell/share PII for cross-context advertising, set compliance.ccpa.doNotSell = true.
  4. If you publish user-uploaded content, register a DMCA agent with the US Copyright Office, fill compliance.dmca.*, and the footer link auto-appears.
  5. Update LAST_REVIEWED and KNOWN_LIMITATIONS in src/app/accessibility/page.tsx.
  6. Pass /privacy/, /terms/, /cookie-policy/, /dmca/, /do-not-sell/ through your own legal counsel.
  7. When you wire analytics or marketing scripts, set cookieConsent.enabled = true and gate every script tag on getConsent().
  8. Confirm AI-disclosure label wording matches your AI provider's brand-usage rules.
  9. Verify your build doesn't ship pre-checked marketing-consent boxes (the kit doesn't, but custom additions might).
  10. Audit your /pricing/ page for "drip pricing" — total price + mandatory fees must be visible upfront.

What is NOT covered (full-stack concerns)

  • Data subject access / portability flows — requires a real backend + account data
  • Right-to-erasure / consent withdrawal automation — backend concern
  • UGC moderation pipelines — kit ships no UGC
  • Subscription cancellation flows — backend concern (DMCC §29 requires one-click online cancel)
  • Sales tax calculation / Nexus — checkout / backend concern
  • PCI DSS — payment processor concern
  • Sub-processor list maintenance — buyer-specific
  • Real-time content moderation (UK Online Safety Act) — kit ships no UGC

  • Quality Gate 17 (UK/EU Compliance Disclosures) — the deterministic checks every kit must pass before listing.
  • .docs/01_standards/03_compliance.md (org-level) — the full standard with verification commands.
  • DEMO_CONTENT.md — placeholder-replacement checklist (brand, copy, images).

See Template Empire's compliance standards for how every kit is held to — and audited against — these requirements.