Control Lookup
Search the 97 Controls in the ClearLaunch catalog. Each Control links to the regulations that require it, its applicability conditions, and the vendors that fulfill it.
California's ABC test (codified in AB5, with 200+ industry-specific exemptions added by AB2257 and Prop 22) is the contemporary standard for worker classification in California and a growing list of o…
Accessibility feedback channels are the operational counterpart to the accessibility statement: the route by which a user who hits an accessibility barrier in production tells the operator about it, a…
The accessibility statement is the public-facing document that says, in regulator-readable form, what the platform's current accessibility posture actually is. Most accessibility regimes (the European…
When a product serves ads to user segments that regulators have placed under heightened protection (minors, sensitive-category profiling targets), the lower-risk path is to serve contextual ads — selec…
Age-rating classification is the process by which a game or interactive product gets a rating from the rating bodies that gate distribution in each market: IARC for global digital storefronts (Google…
Age verification is the operational tier-determinator for products that gate features by age (minor-protection regulations, age-rating regimes, alcohol or gambling regimes, content-moderation duties t…
China's Algorithm Registry filing is one of the more distinctive pieces of the PRC's algorithmic-governance regime: any provider of algorithmic-recommendation services to PRC users with public-opinion…
Algorithmic management transparency is the worker-side counterpart to consumer algorithmic-transparency rules: when an automated system assigns shifts, ranks workers, evaluates performance, sets pay m…
Algorithmic transparency obligations have converged on a similar shape across DSA Article 27, China's Internet Information Service Algorithmic Recommendation Management Provisions, and the emerging US…
Alternative formats are the accessibility regimes' answer to the fact that a single visual presentation does not work for every user: large print for low-vision users, audio for blind or print-disable…
An AML program is the operational system that money services businesses, payment institutions, e-money issuers, and increasingly crypto-asset service providers run to detect and report financial crime…
Competition law is the unusual case of a regulatory regime where the operative obligation is mostly behavioral rather than documentary: most of the rules say "do not do this thing" rather than "file t…
Assistive-technology compatibility testing is the part of the accessibility program where the abstract WCAG conformance claims meet the reality of users with NVDA, JAWS, VoiceOver, TalkBack, magnifier…
Audit log retention is the unglamorous infrastructure piece that turns "we have logging" into evidence usable by a regulator, auditor, or litigator months or years after the fact. Most modern privacy,…
A breach-notification process is the operational system that runs after the security team identifies a personal-data incident and runs to the regulatory clock that started the moment the incident was…
CCL classification is the entry-point determination for the US export-controls regime: every exportable product, technology, or piece of software has to be assigned an Export Control Classification Nu…
Commercial email compliance is the surface where US, EU, UK, Canadian, Korean, and Japanese rules converge into a single operational program because almost every email program ships across all of them…
Complaint-handling systems show up in DSA Article 16, the EU P2B Regulation, the UK Online Safety Act, and a growing list of consumer-protection regimes as the user-facing intake for "this content or…
Compliance-by-design interfaces are the marketplace-platform answer to the structural problem that traders selling on a platform are responsible for product-compliance disclosures, but the platform is…
A consent banner is the operational endpoint of the lawful-basis question for tracking that requires user opt-in (cookies, ad pixels, analytics SDKs, third-party tags). Three pieces have to line up: t…
Contact-information disclosure is the regulatory descendant of the printed-imprint requirement that has run through European commercial law for a century: any consumer-facing online service has to tel…
Content moderation is now a regulated function rather than a voluntary product choice: the DSA, the UK Online Safety Act, Singapore's Online Criminal Harms Act, India's IT Rules 2021, and Australia's…
Cookie consent management is the inventory-and-gating function that sits behind the consent banner: the work of cataloguing every first-party and third-party cookie, SDK, pixel, and tag the product lo…
Notice-and-takedown is the operational core of every modern hosting safe-harbor regime: DMCA §512 in the US, EU Copyright Directive Article 17 (with its separate "best efforts" overlay), the UK CDPA s…
Every regulated jurisdiction with a comprehensive data-protection law restricts the transfer of personal data outside the jurisdiction's borders unless the receiving country provides comparable protec…
Companion to the cross-border-transfer-mechanism control. Where the mechanism control documents the legal basis per data-flow, this one is the operational inventory: every category of personal data le…
Dark-patterns prohibitions started as an FTC enforcement theme around forced-action and roach-motel cancellation flows and have since hardened into specific prohibitions in DSA Article 25, the EU Digi…
Data classification is the foundational schema that the rest of the data-protection program reads off of: every other Control (encryption, retention, access management, transfer rules, breach response…
Data minimization is the GDPR Article 5(1)(c) principle that has propagated into LGPD, CPRA, the Quebec Law 25 framework, and the contemporary read of FTC Section 5 unfairness: collect only what is ne…
A data retention policy is the document that converts the storage-limitation principle (GDPR Article 5(1)(e), CCPA disclosure-of-retention requirements, sectoral retention rules under HIPAA, PCI DSS,…
Deceptive-practices prohibitions are the consumer-protection backstop that runs underneath every other product-level rule: FTC Act §5 in the US, the EU Unfair Commercial Practices Directive (UCPD) Art…
Denied-persons screening is the export-controls equivalent of sanctions screening: before any export-controlled transaction (which under the EAR's deemed-export rules can include sharing technical dat…
Digital services tax tracking is the revenue-side compliance function that has emerged as DSTs have proliferated across the UK (2 percent), France (3 percent), Italy, Spain, Austria, Turkey, Canada (s…
Dispute resolution mechanisms for business users are the EU P2B Regulation's structural answer to the asymmetry between platforms and the businesses that depend on them: a marketplace, app store, sear…
DMCA designated-agent registration is one of the cheaper but structurally consequential filings in the US online-services regulatory toolkit: any hosting service that wants the §512 safe-harbor immuni…
A DPIA (Data Protection Impact Assessment) is the GDPR Article 35 structured-risk-analysis exercise that runs before any processing operation likely to result in high risk to data subjects: large-scal…
Data subject access requests (DSARs) are operationally the most demanding piece of most modern privacy regulations: a person you have never met asks for everything you have on them, you have a fixed w…
Digital-services taxes (DSTs) are a small family of jurisdiction-specific levies on revenue from online advertising, marketplace intermediation, and user data, enacted across the UK, France, Italy, Sp…
Issuing e-money (prepaid balances, wallets, stored value redeemable for goods or cash) is a regulated activity in every jurisdiction that has caught up with the category. In the EU, the second Electro…
Compliance training is the regulatory checkbox that most operators treat as a checkbox and that most enforcement actions treat as evidence. The structure has settled across jurisdictions: an annual ba…
End-use and end-user controls are the tier of export-control law that operates above and beyond the destination-country sanctions list. The premise: even a transaction with a non-sanctioned counterpar…
Export-license determination is the per-transaction question that sits in front of every cross-border shipment of goods, software, or technology that touches a controlled list. The logic has three lay…
The federal CARD Act of 2009 set the operating envelope for gift cards and stored-value products in the US, and most of the operational work is in the corners that the headline rules do not obviously…
Algorithmic management of workers (the dispatch system that decides which driver gets which ride, the rating algorithm that gates gig work, the deactivation process that runs off a quality-score thres…
An incident-response plan is the document and the practiced workflow that runs when a cybersecurity incident is detected, designed to compress the time between detection and containment and to produce…
Information firewalls (sometimes called Chinese walls, increasingly avoided as a term) are what platforms operating both a marketplace and their own competing first-party offerings build to keep merch…
A KYC program is the customer-onboarding workflow that establishes who a customer actually is, calibrated to the risk that customer presents to the regulated activity in question. The architecture has…
GDPR Article 6 enumerates six lawful bases for processing personal data (consent, contract, legitimate interest, vital interest, public task, legal obligation) and most non-EU privacy regimes have con…
Mediator designation is the EU Platform-to-Business Regulation's small but operationally specific requirement that an online intermediation service identify at least two mediators it is willing to eng…
Most-favored-nation (MFN) and parity clauses are the contract terms that say a seller on one platform cannot offer better prices, terms, or inventory anywhere else. They are the textbook example of a…
The EU's Markets in Crypto-Assets Regulation (MiCA) introduced a single licensing regime for crypto-asset service providers (CASPs) that has been phasing in through 2024 and 2025 and that replaces the…
When a product accepts in-app purchases or subscription upgrades from minor or vulnerable-population accounts, regulators increasingly expect the platform to enforce a configurable spending cap on a p…
US money-transmitter licensing is the state-by-state regulatory regime that catches platforms moving customer funds (peer-to-peer transfers, marketplace escrow with payout discretion, prepaid balances…
The federal TAKE IT DOWN Act (2024) is the first US statute to impose a fixed takedown deadline for non-consensual intimate imagery (NCII), including AI-generated synthetic imagery, on platforms that…
SDN-list screening is the baseline of US sanctions compliance, and it is necessary but not sufficient. OFAC maintains several other restricted-party lists with different legal effects and different pr…
Verifiable parental consent (VPC) is the workflow that runs before a platform collects personal information from a user under the age of digital consent (under 13 in the US under COPPA, between 13 and…
Worker payment-timing tracking is the operational layer that runs against statutory deadlines for paying contractors and platform workers, and is where a growing number of jurisdictions have started i…
Platform-reporting programs are the operational systems that report seller and merchant earnings to tax authorities under DAC7 in the EU (in force since 2023), 1099-K in the US (with successive thresh…
Pre-contract disclosure is the package of statutorily-mandated information that consumers see before committing to a purchase, and the way the regulators have structured it is to make the disclosure s…
Privacy by design and by default is the GDPR Article 25 obligation that privacy considerations be built into product development from the outset rather than retrofitted before launch, and the by-defau…
Data processing agreements (DPAs) are the GDPR Article 28 contracts between a controller and a processor that allocate responsibility for the personal data the processor handles on the controller's be…
Product-safety database screening is the operational layer that runs against the public recall and banned-product registers maintained by safety regulators across the major markets. In the EU, the Saf…
A privacy policy is the public-facing notice that captures the substantive transparency obligations of every modern privacy regime in a single document, and that fails to do its job when it is written…
Random spot-checks of trader compliance are the EU Digital Services Act and Product Safety Regulation answer to the question of how a marketplace can keep its trader inventory honest without inspectin…
Ranking transparency is the disclosure obligation that catches the algorithm that orders search results, product listings, and feeds for users, and that has been spreading across regulatory regimes fa…
Trade-compliance recordkeeping is the documentation discipline that turns each export decision into an audit-ready file, and is where most export-control investigations either get closed quickly or ex…
Repeat-infringer termination is the DMCA Section 512 safe-harbor condition that forces hosting platforms to actually terminate the accounts of users who get caught infringing copyright more than a few…
Distance-selling cooling-off rights are a near-universal feature of consumer-protection regimes outside the US, and the period varies by jurisdiction in ways that catch operators who assumed one numbe…
Right-to-erasure (right-to-be-forgotten under GDPR Article 17, with parallels in CCPA, LGPD, and most modern privacy statutes) is the obligation to delete a data subject's personal data on request, ac…
Right-to-portability (GDPR Article 20, with analogues in CCPA, LGPD, and most second-generation privacy laws) gives a data subject the ability to receive their personal data in a structured, commonly…
Safeguarding requirements sit at the heart of payments-institution and e-money regulation: customer funds held by the institution are not the institution's funds, and the regimes (PSD2 safeguarding, E…
Sanctions screening is the operational expression of a small set of overlapping prohibitions: don't transact with persons or entities on the OFAC Specially Designated Nationals list, the UK OFSI Conso…
The OFAC Specially Designated Nationals and Blocked Persons list is the US government's headline sanctions instrument; it identifies individuals, entities, vessels, and aircraft whose property is bloc…
Self-preferencing is the conduct theory that a platform with market power cannot use its ranking, recommendation, or visibility surfaces to give its own first-party offerings an advantage over compara…
Platforms that host user-to-user chat or private messaging (DMs) increasingly carry duty-of-care obligations distinct from public-content moderation: the audience is smaller, the harms (grooming, sext…
A status determination statement (SDS) is the written record an engager issues to a worker explaining the worker's classification (employee, worker, off-payroll contractor under IR35, or independent c…
Strong Customer Authentication (SCA) is the EU PSD2 / UK FCA requirement that electronic payments be authenticated using two independent factors drawn from knowledge, possession, and inherence (someth…
Subprocessor management is the operational extension of the controller / processor distinction in modern privacy law: when a processor (the platform) hands personal data to a further processor (a vend…
Auto-renewal disclosure rules sit at the intersection of consumer-protection law and dark-pattern enforcement, and the regimes have been converging on a similar shape: pre-enrollment disclosure of ren…
Tax ID collection is the upstream piece of every payout, marketplace remittance, and information-reporting obligation: before a platform can pay a seller, contractor, or creator, it has to know who th…
US telemarketing law is built around the TCPA and the FTC Telemarketing Sales Rule, with state overlays (Florida's mini-TCPA, Oklahoma's Telephone Solicitation Act, Washington's CPA) that have raised…
The EU Platform-to-Business Regulation (P2B, Regulation 2019/1150) requires online intermediation services and online search engines to publish terms that bind their relationship with business users,…
Terms of service are the operative contract between a platform and its users, and they sit at the intersection of contract law (the terms have to be presented in a way that makes them enforceable), co…
Cross-border data transfer rules are the part of modern privacy regulation that keeps changing under operators' feet. GDPR Chapter V is the canonical version: personal data leaving the EEA needs a tra…
KYBC (Know Your Business Customer) for online marketplaces is the EU Digital Services Act's headline due-diligence obligation on platforms that allow consumers to contract with third-party traders. Ar…
Trader traceability is the operational expression of two converging regimes: the EU's Market Surveillance Regulation 2019/1020 (which extended product-safety responsibility to economic operators inclu…
Transaction monitoring is the operational engine of every modern AML / CTF regime: the obligation to look at customer activity in flight and after the fact, recognize the patterns that statutes and FA…
Most developed-market consumer-protection regimes police standard-form contracts on a fairness standard that operates independently of whether the consumer agreed to the terms: the EU Unfair Contract…
Phase O-D W4.2 placeholder Control. The /admin/orphaned-progress triage surface lets an operator route legacy requirement-keyed user_progress rows here when no specific Control mapping is appropriate…
User-review authenticity has become a dedicated enforcement priority across the major consumer-protection regimes in the past few years. The FTC's 2024 final rule on fake reviews makes it unlawful to…
VAT in the EU and UK is the running operational obligation that catches every cross-border digital seller eventually. The thresholds matter and they are jurisdiction-specific: the EU's One-Stop Shop (…
Vendor risk assessment is the operational expression of the principle, embedded across modern privacy, security, and financial-regulation frameworks, that an institution's regulatory obligations follo…
South Dakota v. Wayfair (2018) replaced the physical-presence test for state sales-tax nexus with an economic-presence test, and within five years every state that levies sales tax had adopted economi…
WCAG (Web Content Accessibility Guidelines) is the de facto global standard for digital accessibility; the EU Web Accessibility Directive, the US ADA Title III as interpreted by DOJ in the Robles v. D…
Where a contractor or remote employee actually performs work determines which jurisdiction's tax, labor, employment, and licensing rules attach to the engagement, and the answer is increasingly not wh…
Worker classification is the recurring litigation-and-enforcement battleground of the platform-economy era: whether a person performing work is an employee (with wage-and-hour, tax-withholding, benefi…
A written contractor agreement is the foundational document that establishes the legal posture of an independent-contractor engagement, and its absence is one of the easier evidentiary points for a re…
ClearLaunch provides legal information based on publicly available regulatory sources. It does not constitute legal advice and does not create an attorney-client relationship. Consult a licensed attorney in your jurisdiction before making compliance decisions.