Compliance Checker
Use it when launching a new product, updating policies, or conducting a periodic compliance audit.
Compliance failures rarely come from ignorance of the headline rule; they come from the missing disclosure, the consent mechanism that falls just short, or the retention policy nobody updated. Checking a document, policy, or practice against the regulations that actually apply (GDPR, CCPA, HIPAA, ADA, SOX, or a state-specific analog) turns a vague worry into a concrete list of what is compliant, what has a gap, and what must change before launch.
Claude is effective at this kind of requirement-mapping. Give it the document or practice, the applicable regulations, the industry, the jurisdiction, and the company's size, which often determines whether a threshold is even triggered, and it produces a compliance matrix: required elements present or missing, prohibited content, notice and consent adequacy, recordkeeping, and preserved rights, each tied to a provision with a remediation step. It is a fast, cost-effective way to scope a compliance review.
The check is a first-pass diagnostic, not a compliance certification. Regulatory thresholds, overlapping state and federal regimes, and enforcement trends all require your judgment, and you must verify each finding against the current text of the regulation, which changes often. Use the output to organize the review and prioritize fixes, but the compliance assessment and the advice flowing from it remain yours. This is not legal advice.
The Prompt
Check the following [DOCUMENT/PRACTICE/POLICY] for compliance:

Document or practice: [DESCRIBE OR PASTE]
Applicable regulations: [e.g., GDPR, CCPA, HIPAA, SOX, ADA, OSHA, state-specific]
Industry: [CLIENT'S INDUSTRY]
Jurisdiction: [STATE(S) OR COUNTRIES]
Company size: [EMPLOYEES AND REVENUE — relevant for thresholds]

Assess compliance on:
1. Required elements — does the document include everything the regulation mandates?
2. Prohibited elements — does it contain anything the regulation forbids?
3. Notice requirements — are disclosures timely and in the right format?
4. Consent mechanisms — are they sufficient under the applicable standard?
5. Record-keeping obligations — is the retention policy adequate?
6. Employee/consumer rights — are required rights preserved?
7. Cross-border considerations — if data or operations cross jurisdictions

For each finding:
- Cite the specific regulatory provision
- Rate compliance: COMPLIANT / GAP / VIOLATION
- Provide the specific fix needed
Example Output
A compliance matrix mapping each regulatory requirement to the document or practice, with gap identification and remediation steps.
Illustrative example — names, figures, and facts are fictional.
COMPLIANCE CHECK — PRIVACY POLICY
Document: Website Privacy Policy v3
Regulations assessed: CCPA/CPRA, GDPR | Industry: D2C e-commerce
Jurisdictions: California + EU users | Company size: ~120 employees, $30M revenue

FINDING-BY-FINDING

1. Notice at Collection (CCPA §1798.100) — GAP
   Policy describes data "in general terms" but omits categories of personal information and purposes at the point of collection.
   Fix: Add a categories-and-purposes table and a just-in-time notice at collection.

2. Right to Opt Out of Sale/Sharing (CCPA §1798.135) — VIOLATION
   No "Do Not Sell or Share My Personal Information" link; site uses third-party ad cookies.
   Fix: Add the opt-out link and honor Global Privacy Control signals.

3. GDPR Lawful Basis (Art. 6) — GAP
   Policy does not state a lawful basis for processing EU personal data.
   Fix: Identify and disclose the lawful basis per processing purpose.

4. Data Subject / Consumer Rights — GAP
   Access and deletion described; right to correct and to limit sensitive data use omitted.
   Fix: Add all CPRA rights and a verifiable request process with timelines.

5. Retention Disclosure (CPRA; GDPR Art. 13) — GAP
   No retention periods stated.
   Fix: Disclose retention periods or the criteria used to set them.

6. Consent for Cookies (ePrivacy/GDPR) — VIOLATION
   Non-essential cookies set before consent.
   Fix: Implement a prior-consent banner with granular toggles.

7. Service Provider/Processor Terms — COMPLIANT
   DPA references and processor obligations are adequately addressed.

Priority: Items 2 and 6 are active violations; remediate first.
Note: Citations are illustrative placeholders. Confirm against the current regulatory text and your facts before relying on this check.
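Findings 2 and 6 each name a concrete technical control: honor the Global Privacy Control (GPC) signal, and set no non-essential cookie before the user affirmatively consents. As an added example (not code from the original page), the JavaScript below gates cookies by category, treats a dismissed or unanswered banner as no consent, and reads GPC from the Sec-GPC request header on the server or navigator.globalPrivacyControl in the browser. The category names, the cookie inventory, and the shape of the consent object are assumptions made for the illustration.

```javascript
// Added illustration for findings 2 and 6 above: gate non-essential cookies
// behind prior, affirmative consent and treat a Global Privacy Control (GPC)
// signal as an opt-out of sale/sharing. Example code, not part of the original
// page; the category names and cookie inventory below are assumptions.

const ESSENTIAL = "essential";
const NON_ESSENTIAL = ["analytics", "advertising"];

// Constructed cookie inventory: which category each cookie belongs to.
const COOKIE_INVENTORY = {
  session_id: ESSENTIAL,
  csrf_token: ESSENTIAL,
  _ga: "analytics",
  ad_id: "advertising",
};

// Server side: GPC arrives as the request header "Sec-GPC: 1". Header names
// are case-insensitive; any value other than "1" is not a signal.
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") return String(value).trim() === "1";
  }
  return false;
}

// Browser side: the same signal is navigator.globalPrivacyControl === true.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// `consent` is null until the user makes an explicit choice; a dismissed or
// ignored banner is not consent. Otherwise it maps category -> true/false.
function allowedCategories(consent, gpc) {
  const allowed = new Set([ESSENTIAL]);
  if (consent) {
    for (const c of NON_ESSENTIAL) {
      if (consent[c] === true) allowed.add(c);
    }
  }
  // GPC is an opt-out of sale/sharing: advertising cookies stay off even if
  // that toggle was switched on earlier.
  if (gpc) allowed.delete("advertising");
  return allowed;
}

function maySetCookie(name, consent, gpc) {
  const category = COOKIE_INVENTORY[name];
  if (category === undefined) return false; // unknown cookies are blocked
  return allowedCategories(consent, gpc).has(category);
}

// Filter outgoing Set-Cookie header lines so the server never emits a
// non-essential cookie before consent (the violation in finding 6).
function filterSetCookie(setCookieLines, consent, gpc) {
  return setCookieLines.filter((line) => {
    const name = line.split(";")[0].split("=")[0].trim();
    return maySetCookie(name, consent, gpc);
  });
}

// Stand-alone demo on constructed input: consent given for everything, but
// the request carries Sec-GPC: 1, so the advertising cookie is still dropped.
function demo() {
  const gpc = gpcFromHeaders({ "Sec-GPC": "1" });
  const consent = { analytics: true, advertising: true };
  const outgoing = [
    "session_id=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "_ga=GA1.2.1; Path=/",
    "ad_id=xyz; Path=/",
  ];
  return filterSetCookie(outgoing, consent, gpc);
}

console.log(demo());
```

The same gate belongs in front of any client-side tag loader: a script tagged with a non-essential category is injected only when allowedCategories reports that category, and the banner's "close" or "dismiss" path must leave consent as null rather than treating it as acceptance. Whether a GPC signal must be honored, and for which categories, depends on the jurisdiction (the CPRA regulations require it for opt-out of sale/sharing); confirm the rule in scope before copying the advertising-only treatment used here.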
Tips
- Specify all applicable jurisdictions — state privacy laws often layer on top of federal requirements.
- Include company size — many regulations exempt small businesses.
- Update compliance checks whenever regulations change, not just during annual audits.
Frequently Asked Questions
When is the compliance checker most useful?
Use it when launching a new product or feature, updating a policy, or running a periodic compliance audit, or at any moment you need to know whether a document or practice meets the rules that apply. It is well suited to scoping which requirements are triggered and producing a prioritized gap list before you commit to a full regulatory analysis.
Does the output mean the client is compliant?
No. The check is a first-pass diagnostic, not a compliance opinion or certification, and the responsibility for the assessment stays with you. AI may misjudge thresholds, miss a state analog, or rely on outdated rule text. Verify every finding against the current regulation and the client's specific facts before advising that anything is compliant.
How do I get the most accurate compliance findings?
Specify every applicable jurisdiction, the industry, and the company's size and revenue, since many obligations turn on thresholds and small-business exemptions, and state laws often layer on top of federal ones. Name the exact regulations in scope and paste the full document or a precise description of the practice so nothing material is overlooked.
Can I paste sensitive compliance documents into AI?
Do so cautiously. Model Rule 1.6 and ABA Formal Opinion 512 require protecting client confidentiality and understanding a tool's data handling. Avoid entering privileged audit materials or personal data into consumer AI without adequate protections; prefer an enterprise or no-retention configuration, minimize identifiers where possible, and obtain client consent when the sensitivity calls for it.