compliance-officer
Reviews marketing content against FTC, HIPAA, GDPR, SEC 482, SEC Marketing, CCPA, COPPA, and CAN-SPAM — 208 specific laws with URLs.
Packaged view
This page reorganizes the original catalog entry around fit, installability, and workflow context first. The original raw source lives below.
Install command
npx @skill-hub/cli install openclaw-skills-compliance-officer
Repository
Skill path: skills/arberx/compliance-officer
Best for
Primary workflow: Grow & Distribute.
Technical facets: Full Stack, Tech Writer, Security.
Target audience: everyone.
License: Apache-2.0.
Original source
Catalog source: SkillHub Club.
Repository owner: openclaw.
This is still a mirrored public skill entry. Review the repository before installing into production workflows.
What it helps with
- Install compliance-officer into Claude Code, Codex CLI, Gemini CLI, or OpenCode workflows
- Review https://github.com/openclaw/skills before adding compliance-officer to shared team environments
- Use compliance-officer for development workflows
Works across
Favorites: 0.
Sub-skills: 0.
Aggregator: No.
Original source / Raw SKILL.md
---
name: compliance-officer
description: >
  Reviews marketing content against FTC, HIPAA, GDPR, SEC 482, SEC Marketing, CCPA, COPPA, and CAN-SPAM — 208 specific laws with URLs.
license: Apache-2.0
compatibility: Requires network access for URL fetching. Works with Claude Code and similar agents.
metadata:
  author: qcme
  version: "1.0.0"
  source: https://github.com/QCME-AI/agentic-compliance-rules
---

# Compliance Officer

Check marketing content against 208 regulations across FTC, HIPAA, GDPR, SEC, CCPA, COPPA, and CAN-SPAM. Cites actual laws with source URLs.

## What You Can Do

- **Review marketing content** — paste copy, a URL, or an image
- **Check emails** — evaluate subject lines, bodies, and footers for CAN-SPAM and more
- **Audit privacy policies** — check for required disclosures across GDPR, CCPA, HIPAA, COPPA
- **Explain any rule** — look up a rule by ID and get a plain-English breakdown
- **Draft disclosures** — generate compliant disclosure language for your content

## Examples

Review a landing page:

```
Review this for compliance:
"Lose 30 lbs in 2 weeks — GUARANTEED. Clinically proven. Doctor recommended. Only 3 left in stock!"
```

Check an email:

```
Check this email for CAN-SPAM compliance:
Subject: "URGENT: Act now!"
From: [email protected]
Body: "Click to claim your FREE gift..."
```

Audit a privacy policy:

```
Review our privacy policy for GDPR and CCPA compliance: https://example.com/privacy
```

Look up a rule:

```
Explain rule FTC-255-5-material-connection
```

Draft disclosures:

```
Draft disclosure language for this influencer post:
"Love this protein powder! Use code SARAH20 for 20% off"
```

## Frameworks Covered

| Framework | Rules | Scope |
|-----------|-------|-------|
| FTC | 95 | Endorsements, claims, dark patterns, pricing |
| GDPR | 25 | Consent, disclosure, data rights, cookies |
| SEC Marketing | 18 | Investment adviser marketing |
| HIPAA | 17 | Health data, PHI, notice requirements |
| SEC 482 | 15 | Investment company advertising |
| CAN-SPAM | 14 | Email marketing, opt-out, sender ID |
| CCPA | 12 | California privacy, opt-out rights |
| COPPA | 12 | Children's privacy, parental consent |

## Install

```
npx clawhub install compliance-officer
```

## Source

Apache-2.0 — [github.com/QCME-AI/agentic-compliance-rules](https://github.com/QCME-AI/agentic-compliance-rules)

---

*For agent instructions, see `references/instructions.md`.*

---

## Referenced Files

> The following files are referenced in this skill and included for context.

### references/instructions.md

```markdown
# Agent Instructions

You are an AI Compliance Officer. You review marketing content against real regulatory rules and cite specific laws — not vibes. You have access to 208 structured compliance rules across 8 regulatory frameworks.

## Mode Detection

Detect what the user needs from their request and follow the matching mode:

| Mode | Trigger |
|------|---------|
| **Review content** | User provides marketing copy, a URL, or an image to check |
| **Check email** | User provides email content (subject, body, sender) |
| **Check privacy policy** | User provides a privacy policy (URL or text) |
| **Explain rule** | User asks about a specific rule by ID |
| **List rules** | User wants to browse or filter available rules |
| **Draft disclosures** | User wants compliant disclosure language generated |

## Loading Rules

Rules are stored as JSON files in the `references/` directory, split by framework:

- `references/rules-ftc-claims.json` — 49 FTC rules (pricing, advertising claims, free trials, green guides, made-in-USA)
- `references/rules-ftc-endorsements.json` — 33 FTC rules (endorsements, testimonials, reviews, native advertising)
- `references/rules-ftc-dark-patterns.json` — 13 FTC rules (dark patterns, scarcity, negative options, cancellation)
- `references/rules-hipaa.json` — 17 HIPAA rules (health data, PHI, notice requirements)
- `references/rules-gdpr.json` — 25 GDPR rules (consent, disclosure, data rights, cookies)
- `references/rules-sec-482.json` — 15 SEC 482 rules (investment company advertising)
- `references/rules-sec-marketing.json` — 18 SEC Marketing rules (adviser marketing)
- `references/rules-ccpa.json` — 12 CCPA rules (California privacy, opt-out, DNS link)
- `references/rules-coppa.json` — 12 COPPA rules (children's privacy, parental consent)
- `references/rules-can-spam.json` — 14 CAN-SPAM rules (email marketing, opt-out, sender ID)

**Only load the frameworks relevant to the task.** Use these signals to determine relevance:

- Health/medical content → HIPAA + FTC (all 3 files)
- Investment/financial content → SEC 482 + SEC Marketing + FTC (claims + dark-patterns)
- EU audience or mentions GDPR → GDPR
- Email content → CAN-SPAM + FTC (dark-patterns) + GDPR (consent) + CCPA (opt-out)
- Children/minors → COPPA
- California audience → CCPA
- Privacy policy review → GDPR + CCPA + HIPAA + COPPA
- General marketing/advertising → FTC (all 3 files)
- If `--framework` is specified, use only that framework
- If `--framework all` or unclear, load all

When loading FTC rules, load the relevant split files: `rules-ftc-claims.json`, `rules-ftc-endorsements.json`, and/or `rules-ftc-dark-patterns.json`.

**Important:** Rules are structured knowledge for you to reason with — not regex patterns to execute. Use each rule's `summary`, `remediation.guidance`, and `source` to understand the regulation. The `detection.keywords` and `detection.patterns` fields are hints about scope, not matching instructions.

Skip rules tagged `structural` — these are organizational requirements that cannot be assessed from content.

---

## Review Content

Check marketing content for potential compliance violations.

### Input

- Marketing copy text, a URL (fetch with WebFetch), or an image
- Optional: `--framework ftc|hipaa|gdpr|sec-482|sec-marketing|ccpa|coppa|can-spam|all`

### Process

1. Load the relevant framework rule files from `references/`
2. For each rule, reason about whether the content violates the regulation described in the rule's `summary` and `remediation.guidance`
3. Consider context — "guaranteed delivery" (shipping) is fine, "guaranteed returns" (investment) is not
4. For `ai-only` detection type rules, rely entirely on your understanding of the regulation

### Output Format

```
## Compliance Review

**Content**: [first 100 chars]...
**Frameworks evaluated**: [list]
**Findings**: [count]

### Critical

- **[rule.id]** [rule.title]
  Concern: [specific explanation of what is problematic and why]
  Regulation: [rule.summary]
  Suggested fix: [rule.remediation.guidance]
  Source: [rule.source.citation] ([rule.source.source_url])

### Warning
[same format]

### Info
[same format]

---
*Pre-review tool. Findings are potential issues for human review, not definitive violations. Your compliance and legal teams have final authority.*
```

---

## Check Email

Review email marketing content for compliance issues.

### Input

- Email content — subject line, sender/from address, body, and/or footer
- If only partial content is provided, evaluate what's available and note missing components

### Process

1. Load: CAN-SPAM (all), FTC dark pattern rules (`FTC-DARK-*`), GDPR marketing/consent rules, CCPA opt-out rules
2. Evaluate by component:
   - **Subject line**: Deceptive subjects (CAN-SPAM), misleading urgency, false claims
   - **Sender identification**: From address accuracy, sender identity
   - **Physical address**: Valid postal address (CAN-SPAM requirement)
   - **Opt-out mechanism**: Clear unsubscribe link, no fee, honored within 10 business days
   - **Content labeling**: Ad/commercial identification
   - **Dark patterns**: Manipulative urgency, confirmshaming, pre-selected options

### Output Format

```
## Email Compliance Review

**Content**: [subject line or first 100 chars]
**Rules evaluated**: [count] rules across CAN-SPAM, FTC, GDPR, CCPA
**Findings**: [count]

### Critical / Warning / Info
[same format as Review Content, with added "Component:" field]

### Missing Components
[List any email components not provided — e.g., "No footer provided. CAN-SPAM requires a physical postal address."]

---
*Pre-review tool. Your compliance and legal teams have final authority.*
```

---

## Check Privacy Policy

Review a privacy policy for required disclosures.

### Input

- A URL to a privacy policy (fetch with WebFetch) or pasted text

### Process

1. Load: GDPR disclosure rules (Art.12-14), CCPA disclosure rules, HIPAA notice rules, COPPA notice rules
2. Check for PRESENCE of required information — this is the opposite of violation detection
3. For each disclosure rule: is the information **present**, **missing**, or **incomplete**?
4. Determine applicable frameworks from content signals (mentions EU → GDPR, California → CCPA, health data → HIPAA, children → COPPA)

### Output Format

```
## Privacy Policy Review

**Source**: [URL or "Pasted text"]
**Frameworks evaluated**: [list]
**Required disclosures checked**: [count]

### Disclosure Checklist

| Status | Requirement | Rule | Details |
|--------|-------------|------|---------|
| FOUND | Controller identity | GDPR-Art13-identity | Found in "About Us" section |
| MISSING | Data retention periods | GDPR-Art13-retention | No retention info found |
| INCOMPLETE | Purpose of processing | GDPR-Art13-purposes | Some purposes listed but not mapped to data categories |

### Missing Disclosures
[Grouped by framework with rule citations]

### Recommendations
[Priority-ordered list of what to add]

---
*Pre-review tool. Privacy policy requirements vary by jurisdiction. Your legal team should review the final policy.*
```

---

## Explain Rule

Look up a specific compliance rule and explain it in plain English.

### Input

- A rule ID (e.g., `FTC-255-5-material-connection`)

### Process

1. Load the relevant framework file and find the matching rule
2. If not found, list available framework prefixes

### Output Format

```
## [rule.id] — [rule.title]

**Framework**: [framework] | **Severity**: [severity] | **Jurisdiction**: [jurisdiction]

### What This Regulation Requires
[Plain English explanation from rule.summary and remediation.guidance — write for a marketer, not a lawyer]

### What Triggers a Violation
[Describe triggering language/practices using detection.keywords as examples, explained in context]

### Examples
**Non-compliant**: [realistic violating content]
**Compliant**: [same content rewritten to comply]

### How to Fix
[rule.remediation.guidance]

### Source
[rule.source.citation] — [rule.source.source_url]

---
*Educational purposes. Consult your legal team for definitive guidance.*
```

---

## List Rules

Browse and filter available compliance rules.

### Input

- `--framework <name>`: filter by framework
- `--severity <level>`: filter by critical/warning/info
- `--tag <tag>`: filter by tag (disclosure, consent, endorsement, dark-pattern, etc.)
- `--search <query>`: free-text search across titles, summaries, keywords
- No arguments: show framework summary table

### Output Format

**No filters (summary mode)**:

```
## Available Compliance Rules

| Framework | Rules | Critical | Warning | Info |
|-----------|-------|----------|---------|------|
| FTC | 95 | ... | ... | ... |
| ... | ... | ... | ... | ... |
| **Total** | **208** | ... | ... | ... |
```

**With filters**:

```
## Rules: [filter description]

| ID | Title | Severity | Framework | Tags |
|----|-------|----------|-----------|------|
| ... | ... | ... | ... | ... |
```

---

## Draft Disclosures

Generate ready-to-use compliance disclosure language.

### Input

- Marketing content that needs disclosures

### Process

1. Load relevant framework rules based on content type
2. Identify where disclosures or modifications are needed
3. Draft specific, ready-to-use disclosure text matching the original tone
4. Show where to place each disclosure

### Output Format

```
## Draft Disclosures

**Original content**: [first 100 chars]...
**Frameworks evaluated**: [list]
**Disclosures needed**: [count]

### 1. [rule.title] ([rule.id])

**Why**: [what regulation requires this]
**Draft disclosure**:
> [actual disclosure text to add]

**Placement**: [where in the content]
**Source**: [rule.source.citation]

### Revised Content

> [Full content with disclosures inserted, marked with **bold**]

---
*Draft disclosures for review. Your compliance teams should approve all language before publication.*
```
```

---

## Skill Companion Files

> Additional files collected from the skill directory layout.

### README.md

```markdown
# Compliance Officer

Check marketing content against 208 regulations across FTC, HIPAA, GDPR, SEC, CCPA, COPPA, and CAN-SPAM. Cites actual laws with source URLs.

## Examples

```
Review this landing page for compliance:
"Lose 30 lbs in 2 weeks — GUARANTEED. Clinically proven. Doctor recommended. Only 3 left in stock!"
```

```
Check this email for CAN-SPAM compliance:
Subject: "URGENT: Act now!"
From: [email protected]
Body: "Click to claim your FREE gift..."
```

```
Review our privacy policy for GDPR and CCPA compliance: https://example.com/privacy
```

```
Explain rule FTC-255-5-material-connection
```

```
Draft disclosure language for this influencer post:
"Love this protein powder! Use code SARAH20 for 20% off"
```

## Install

```
npx clawhub install compliance-officer
```

## Source

Apache-2.0 — [github.com/QCME-AI/agentic-compliance-rules](https://github.com/QCME-AI/agentic-compliance-rules)
```

### _meta.json

```json
{
  "owner": "arberx",
  "slug": "compliance-officer",
  "displayName": "Compliance Officer",
  "latest": {
    "version": "1.1.0",
    "publishedAt": 1772598746515,
    "commit": "https://github.com/openclaw/skills/commit/5134fedb1186ff99203212de51dac73ae2342d84"
  },
  "history": []
}
```

### references/rules-can-spam.json

```json
[ { "id": "CAN-SPAM-316-3-transactional", "version": "1.0.0", "framework": "can-spam", "title": "Transactional Email Definition", "severity": "info", "summary": "Transactional or relationship messages (order confirmations, account updates, warranty info) are exempt from most CAN-SPAM requirements, but must not be deceptive.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "order\\s+confirm", "account\\s+(update|notification|alert)", "shipping\\s+(confirm|notification|update)", "password\\s+reset" ], "keywords": [ "transactional email", "order confirmation", "account notification", "relationship message" ] }, "remediation": { "guidance": "Transactional emails are exempt from opt-out and identification requirements, but the primary purpose must genuinely be transactional. 
Do not disguise commercial messages as transactional.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "16 CFR 316.3", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-316", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "classification" ], "jurisdiction": [ "US" ], "content_types": [ "email", "marketing" ], "owner": "qcme-core" } }, { "id": "CAN-SPAM-316-4-primary-purpose", "version": "1.0.0", "framework": "can-spam", "title": "Primary Purpose Test", "severity": "warning", "summary": "If an email contains both transactional and commercial content, the primary purpose determines whether CAN-SPAM applies. Commercial content in subject line makes it commercial.", "rationale": "", "detection": { "type": "keyword", "patterns": [], "keywords": [ "primary purpose", "commercial content", "transactional content", "dual purpose email" ] }, "remediation": { "guidance": "When mixing transactional and commercial content, the primary purpose determines classification. If the subject line or opening content is commercial, the entire message is commercial under CAN-SPAM.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "16 CFR 316.3(a)(2)", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-316", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "classification" ], "jurisdiction": [ "US" ], "content_types": [ "email", "marketing" ], "owner": "qcme-core" } }, { "id": "CAN-SPAM-7704-1-header", "version": "1.0.0", "framework": "can-spam", "title": "Accurate Header Information", "severity": "critical", "summary": "Header information in commercial email must not be materially false or misleading. 
From, To, Reply-To, and routing information must be accurate.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "from:\\s*[^@]+@", "reply[\\s-]?to" ], "keywords": [ "from address", "reply-to", "sender identity", "header information", "originating email" ] }, "remediation": { "guidance": "Ensure From, To, Reply-To, and routing information accurately identifies the person or business who initiated the email.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "15 USC 7704(a)(1)", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-316", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "disclosure", "identity" ], "jurisdiction": [ "US" ], "content_types": [ "email", "marketing" ], "owner": "qcme-core" } }, { "id": "CAN-SPAM-7704-2-subject", "version": "1.0.0", "framework": "can-spam", "title": "Non-Deceptive Subject Lines", "severity": "critical", "summary": "Subject lines must not be deceptive or misleading about the content of the message.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "re:\\s", "fw(d)?:\\s", "urgent.*act\\s+now", "you('ve)?\\s+won" ], "keywords": [ "deceptive subject line", "misleading subject", "subject line accuracy" ] }, "remediation": { "guidance": "Subject lines must accurately reflect the content of the email. 
Do not use deceptive subject lines like fake Re: or Fwd: prefixes.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "15 USC 7704(a)(2)", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-316", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "disclosure" ], "jurisdiction": [ "US" ], "content_types": [ "email", "marketing" ], "owner": "qcme-core" } }, { "id": "CAN-SPAM-7704-3-ad-identifier", "version": "1.0.0", "framework": "can-spam", "title": "Advertisement Identification", "severity": "warning", "summary": "Commercial email must be clearly and conspicuously identified as an advertisement or solicitation.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "(this\\s+(is\\s+)?(an?\\s+)?)?advertis(ement|ing)", "commercial\\s+(message|email)", "promotional\\s+(message|email|offer)" ], "keywords": [ "advertisement", "this is an ad", "commercial message", "promotional email", "solicitation" ] }, "remediation": { "guidance": "Include clear identification that the message is a commercial advertisement or solicitation, unless the recipient has given prior affirmative consent.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "15 USC 7704(a)(5)(A)(i)", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-316", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "disclosure" ], "jurisdiction": [ "US" ], "content_types": [ "email", "marketing" ], "owner": "qcme-core" } }, { "id": "CAN-SPAM-7704-4-physical-address", "version": "1.0.0", "framework": "can-spam", "title": "Physical Postal Address", "severity": "critical", "summary": "Commercial email must include a valid physical postal address of the sender.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "\\d+\\s+[A-Z][a-z]+\\s+(St|Ave|Blvd|Rd|Dr|Ln|Way|Ct)", 
"P\\.?O\\.?\\s+Box\\s+\\d+", "Suite\\s+\\d+" ], "keywords": [ "physical address", "mailing address", "postal address", "P.O. Box" ] }, "remediation": { "guidance": "Include a valid physical postal address in every commercial email. This can be a street address, P.O. Box, or private mailbox registered with a commercial mail receiving agency.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "15 USC 7704(a)(5)(A)(iii)", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-316", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "disclosure", "identity" ], "jurisdiction": [ "US" ], "content_types": [ "email", "marketing" ], "owner": "qcme-core" } }, { "id": "CAN-SPAM-7704-5-opt-out", "version": "1.0.0", "framework": "can-spam", "title": "Opt-Out Mechanism Required", "severity": "critical", "summary": "Every commercial email must include a clear and conspicuous mechanism to opt out of future messages.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "unsubscribe", "opt[\\s-]?out", "manage.*preferences", "email\\s+preferences", "stop\\s+(receiving|these)\\s+(emails|messages)" ], "keywords": [ "unsubscribe", "opt out", "manage email preferences", "stop receiving emails", "remove from list" ] }, "remediation": { "guidance": "Include a clear, conspicuous, and functional opt-out mechanism in every commercial email. 
Must be operational for at least 30 days after sending.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "15 USC 7704(a)(3)(A)", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-316", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "consent", "opt-out" ], "jurisdiction": [ "US" ], "content_types": [ "email", "marketing" ], "owner": "qcme-core" } }, { "id": "CAN-SPAM-7704-6-opt-out-honor", "version": "1.0.0", "framework": "can-spam", "title": "Honor Opt-Out Requests", "severity": "critical", "summary": "Opt-out requests must be honored within 10 business days. Cannot send commercial email after opt-out request is received.", "rationale": "", "detection": { "type": "keyword", "patterns": [], "keywords": [ "10 business days", "honor opt-out", "opt-out processing", "unsubscribe within" ] }, "remediation": { "guidance": "Process opt-out requests within 10 business days. Once a recipient opts out, stop sending them commercial email. 
The opt-out mechanism must remain functional for at least 30 days.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "15 USC 7704(a)(4)(A)", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-316", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "consent", "opt-out", "structural" ], "jurisdiction": [ "US" ], "content_types": [ "email", "marketing" ], "owner": "qcme-core" } }, { "id": "CAN-SPAM-7704-7-no-opt-out-fee", "version": "1.0.0", "framework": "can-spam", "title": "Free Opt-Out", "severity": "critical", "summary": "Cannot charge a fee, require the recipient to provide information beyond email address, or make the recipient take more than a single step to opt out.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "(login|sign\\s+in|log\\s+in).*unsubscribe", "(pay|fee|charge).*unsubscribe" ], "keywords": [ "free to unsubscribe", "no fee to opt out", "single step opt out", "one-click unsubscribe" ] }, "remediation": { "guidance": "Opt-out must require no more than a single action (e.g., clicking a link or sending a reply). 
Cannot require login, payment, or additional personal information beyond email address.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "15 USC 7704(a)(3)(B)", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-316", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "consent", "opt-out" ], "jurisdiction": [ "US" ], "content_types": [ "email", "marketing" ], "owner": "qcme-core" } }, { "id": "CAN-SPAM-7704-8-no-transfer", "version": "1.0.0", "framework": "can-spam", "title": "No Selling Opt-Out Lists", "severity": "critical", "summary": "Cannot sell, transfer, or share email addresses of recipients who have opted out.", "rationale": "", "detection": { "type": "keyword", "patterns": [], "keywords": [ "do not share opt-out", "opt-out list", "suppression list", "do not sell email addresses" ] }, "remediation": { "guidance": "Never sell, lease, exchange, or otherwise transfer the email addresses of people who have opted out of your messages.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "15 USC 7704(a)(4)(B)", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-316", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "consent", "structural" ], "jurisdiction": [ "US" ], "content_types": [ "email", "marketing" ], "owner": "qcme-core" } }, { "id": "CAN-SPAM-7704-dictionary", "version": "1.0.0", "framework": "can-spam", "title": "No Dictionary Attacks", "severity": "critical", "summary": "Cannot generate email addresses using automated tools that combine names, letters, or numbers (dictionary attacks).", "rationale": "", "detection": { "type": "keyword", "patterns": [], "keywords": [ "dictionary attack", "generated email addresses", "automated address generation" ] }, "remediation": { "guidance": "Do not use automated tools to generate 
email addresses by combining names, letters, numbers, or other characters. All recipient addresses must be legitimately obtained.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "15 USC 7704(b)(1)(B)", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-316", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "structural" ], "jurisdiction": [ "US" ], "content_types": [ "email", "marketing" ], "owner": "qcme-core" } }, { "id": "CAN-SPAM-7704-harvesting", "version": "1.0.0", "framework": "can-spam", "title": "No Harvested Addresses", "severity": "critical", "summary": "Cannot send commercial email to addresses obtained through automated harvesting of websites or online services.", "rationale": "", "detection": { "type": "keyword", "patterns": [], "keywords": [ "email harvesting", "scraped email", "automated collection", "purchased email list" ] }, "remediation": { "guidance": "Only send commercial email to addresses obtained through legitimate means (direct opt-in, business relationship). Never use harvested, scraped, or purchased email lists.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "15 USC 7704(b)(1)(A)", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-316", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "consent", "structural" ], "jurisdiction": [ "US" ], "content_types": [ "email", "marketing" ], "owner": "qcme-core" } }, { "id": "CAN-SPAM-7704-sender-identity", "version": "1.0.0", "framework": "can-spam", "title": "Sender Identification", "severity": "critical", "summary": "The sender of commercial email must be clearly identifiable. 
The 'From' line must accurately identify the person or entity who initiated the message.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "on\\s+behalf\\s+of", "sent\\s+by", "from\\s+the\\s+team\\s+at" ], "keywords": [ "sender identification", "sent by", "on behalf of", "from the team at" ] }, "remediation": { "guidance": "Clearly identify the sender in the 'From' field. If sending on behalf of another party, both the sender and the party must be identified.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "15 USC 7704(a)(1)", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-316", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "disclosure", "identity" ], "jurisdiction": [ "US" ], "content_types": [ "email", "marketing" ], "owner": "qcme-core" } }, { "id": "CAN-SPAM-7704-sexually-explicit", "version": "1.0.0", "framework": "can-spam", "title": "Sexually Explicit Content", "severity": "critical", "summary": "Email with sexually explicit content must include 'SEXUALLY-EXPLICIT:' at the beginning of the subject line and specific initial viewable content requirements.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "SEXUALLY[\\s-]EXPLICIT" ], "keywords": [ "sexually explicit", "adult content label", "SEXUALLY-EXPLICIT", "18+" ] }, "remediation": { "guidance": "If sending email with sexually explicit content, include 'SEXUALLY-EXPLICIT:' at the beginning of the subject line and ensure no sexually explicit content appears in the initial viewable area.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "15 USC 7704(d), 16 CFR 316.4", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-316", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "disclosure", "content-label" ], "jurisdiction": [ "US" ], 
"content_types": [ "email", "marketing" ], "owner": "qcme-core" } } ] ``` ### references/rules-ccpa.json ```json [ { "id": "CCPA-100-disclosure", "version": "1.0.0", "framework": "ccpa", "title": "Pre-Collection Disclosure", "severity": "critical", "summary": "Businesses must provide notice at or before the point of collection of personal information.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "(at|before)\\s+(the\\s+)?point\\s+of\\s+collection", "notice\\s+at\\s+collection" ], "keywords": [ "at or before collection", "categories collected", "notice at collection" ] }, "remediation": { "guidance": "Provide notice at point of collection listing categories and purposes.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "Cal. Civ. Code § 1798.100(b)", "source_url": "https://oag.ca.gov/privacy/ccpa", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "disclosure" ], "jurisdiction": [ "US-CA" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "CCPA-100-know", "version": "1.0.0", "framework": "ccpa", "title": "Right to Know What Is Collected", "severity": "warning", "summary": "Consumers have the right to know what personal information is collected about them.", "rationale": "", "detection": { "type": "keyword", "patterns": [], "keywords": [ "right to know", "personal information collected", "categories of information" ] }, "remediation": { "guidance": "Disclose categories of personal information collected and purposes.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "Cal. Civ. 
Code § 1798.100(a)", "source_url": "https://oag.ca.gov/privacy/ccpa", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "disclosure", "structural" ], "jurisdiction": [ "US-CA" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "CCPA-105-delete", "version": "1.0.0", "framework": "ccpa", "title": "Right to Delete", "severity": "warning", "summary": "Consumers have the right to request deletion of personal information collected from them.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "delete.*personal\\s+information", "right\\s+to\\s+delet" ], "keywords": [ "right to delete", "request deletion", "delete my data", "delete my information" ] }, "remediation": { "guidance": "Provide clear mechanism to request deletion and respond within 45 days.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "Cal. Civ. Code § 1798.105(a)", "source_url": "https://oag.ca.gov/privacy/ccpa", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "data-rights" ], "jurisdiction": [ "US-CA" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "CCPA-110-categories", "version": "1.0.0", "framework": "ccpa", "title": "Specific Pieces of Information", "severity": "info", "summary": "Consumers have the right to request specific pieces of personal information collected about them.", "rationale": "", "detection": { "type": "keyword", "patterns": [], "keywords": [ "specific pieces", "personal information", "access request" ] }, "remediation": { "guidance": "Implement process to provide specific data upon verified request.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "Cal. Civ. 
Code § 1798.110(a)", "source_url": "https://oag.ca.gov/privacy/ccpa", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "data-rights", "structural" ], "jurisdiction": [ "US-CA" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "CCPA-120-minors", "version": "1.0.0", "framework": "ccpa", "title": "Minors Consent Required", "severity": "critical", "summary": "Businesses must obtain affirmative opt-in consent before selling personal information of consumers under 16 years of age.", "rationale": "", "detection": { "type": "keyword", "patterns": [], "keywords": [ "minors", "under 16", "children", "parental consent", "opt-in for minors" ] }, "remediation": { "guidance": "Implement age verification and obtain consent for minors data sale.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "Cal. Civ. Code § 1798.120(c)", "source_url": "https://oag.ca.gov/privacy/ccpa", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "consent", "structural" ], "jurisdiction": [ "US-CA" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "CCPA-120-opt-out", "version": "1.0.0", "framework": "ccpa", "title": "Right to Opt-Out of Sale", "severity": "critical", "summary": "Consumers have the right to opt-out of the sale or sharing of their personal information.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "sell.*personal\\s+information", "share.*personal\\s+information", "opt[\\s-]?out.*sale" ], "keywords": [ "opt-out", "sale of personal information", "do not sell", "do not share" ] }, "remediation": { "guidance": "Implement opt-out mechanism and honor requests immediately.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "Cal. Civ. 
Code § 1798.120(a)", "source_url": "https://oag.ca.gov/privacy/ccpa", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "consent", "data-sale" ], "jurisdiction": [ "US-CA" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "CCPA-125-non-discrimination", "version": "1.0.0", "framework": "ccpa", "title": "Non-Discrimination", "severity": "warning", "summary": "Businesses cannot discriminate against consumers for exercising their CCPA rights.", "rationale": "", "detection": { "type": "keyword", "patterns": [], "keywords": [ "non-discrimination", "equal service", "financial incentive" ] }, "remediation": { "guidance": "Do not deny services, charge different prices, or provide different quality based on privacy choices.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "Cal. Civ. Code § 1798.125(a)", "source_url": "https://oag.ca.gov/privacy/ccpa", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "structural" ], "jurisdiction": [ "US-CA" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "CCPA-130-methods", "version": "1.0.0", "framework": "ccpa", "title": "Request Methods", "severity": "warning", "summary": "Businesses must provide two or more designated methods for consumers to submit requests, including at minimum a toll-free telephone number and website address.", "rationale": "", "detection": { "type": "keyword", "patterns": [], "keywords": [ "toll-free number", "request methods", "privacy request form" ] }, "remediation": { "guidance": "Provide toll-free number and website form for privacy requests.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "Cal. Civ. 
Code § 1798.130(a)", "source_url": "https://oag.ca.gov/privacy/ccpa", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "structural" ], "jurisdiction": [ "US-CA" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "CCPA-130-response", "version": "1.0.0", "framework": "ccpa", "title": "Response Timeline", "severity": "warning", "summary": "Businesses must respond to verifiable consumer requests within 45 days of receipt.", "rationale": "", "detection": { "type": "keyword", "patterns": [], "keywords": [ "45 days", "response timeline", "acknowledge receipt" ] }, "remediation": { "guidance": "Implement process to acknowledge receipt and respond within 45 days.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "Cal. Civ. Code § 1798.130(a)(2)", "source_url": "https://oag.ca.gov/privacy/ccpa", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "structural" ], "jurisdiction": [ "US-CA" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "CCPA-135-dns-link", "version": "1.0.0", "framework": "ccpa", "title": "Do Not Sell Link Required", "severity": "critical", "summary": "Businesses that sell personal information must provide a clear and conspicuous link titled 'Do Not Sell My Personal Information' or 'Do Not Share My Personal Information' on their homepage.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "do\\s+not\\s+sell", "do\\s+not\\s+share", "opt[\\s-]?out.*sale" ], "keywords": [ "do not sell my personal information", "do not share my personal information", "DNS link" ] }, "remediation": { "guidance": "Add visible \"Do Not Sell My Personal Information\" link in website footer.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "Cal. Civ. 
Code § 1798.135(a)", "source_url": "https://oag.ca.gov/privacy/ccpa", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "disclosure", "consent" ], "jurisdiction": [ "US-CA" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "CCPA-135-privacy-policy", "version": "1.0.0", "framework": "ccpa", "title": "Privacy Policy Requirements", "severity": "warning", "summary": "Businesses must update their privacy policy at least once every 12 months and include CCPA-required disclosures.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "privacy\\s+policy", "california\\s+privacy\\s+rights" ], "keywords": [ "privacy policy", "annual update", "consumer rights", "CCPA rights" ] }, "remediation": { "guidance": "Update privacy policy annually with CCPA-required disclosures.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "Cal. Civ. Code § 1798.135(a)(2)", "source_url": "https://oag.ca.gov/privacy/ccpa", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "disclosure" ], "jurisdiction": [ "US-CA" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "CCPA-CPRA-sensitive", "version": "1.0.0", "framework": "ccpa", "title": "Sensitive Personal Information", "severity": "critical", "summary": "Under CPRA, businesses must provide consumers the right to limit the use and disclosure of sensitive personal information.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "limit.*sensitive\\s+personal", "sensitive\\s+personal\\s+information" ], "keywords": [ "sensitive personal information", "limit use", "CPRA", "limit the use of my sensitive personal information" ] }, "remediation": { "guidance": "Provide \"Limit Use of My Sensitive Personal Information\" link if applicable.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", 
"citation": "Cal. Civ. Code § 1798.121", "source_url": "https://oag.ca.gov/privacy/ccpa", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "consent", "disclosure" ], "jurisdiction": [ "US-CA" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } } ]
```

### references/rules-coppa.json

```json
[ { "id": "COPPA-312-10-retention", "version": "1.0.0", "framework": "coppa", "title": "Data Retention Limits", "severity": "warning", "summary": "Must retain children's personal information only as long as reasonably necessary to fulfill the purpose for which it was collected.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "retain.*child.*data\\s+(for|until|only)", "delet(e|ion).*child.*after" ], "keywords": [ "data retention for children", "retention limits", "delete children's data", "retention period" ] }, "remediation": { "guidance": "Delete children's personal information once it is no longer reasonably necessary. Do not retain it indefinitely.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "16 CFR 312.10", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-312", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "data-retention" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "COPPA-312-2-notice", "version": "1.0.0", "framework": "coppa", "title": "Notice on Website/App", "severity": "critical", "summary": "Operators of websites or online services directed to children under 13 must post a clear, prominent, and complete online privacy notice.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "children('s)?\\s+privacy", "kids(')?\\s+privacy", "coppa\\s+(compliance|notice|policy)" ], "keywords": [ "children's privacy policy", "kids privacy", "COPPA notice", "privacy policy for children" ] }, 
"remediation": { "guidance": "Post a clearly labeled, complete children's privacy notice linked from every page that collects information from children.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "16 CFR 312.2, 312.4(d)", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-312", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "disclosure", "privacy" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "COPPA-312-3-consent", "version": "1.0.0", "framework": "coppa", "title": "Verifiable Parental Consent", "severity": "critical", "summary": "Must obtain verifiable parental consent before collecting, using, or disclosing personal information from children under 13.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "parental\\s+consent", "parent('s)?\\s+(or\\s+)?guardian('s)?\\s+(consent|permission|approval)", "verif(y|iable|ied)\\s+.*consent" ], "keywords": [ "parental consent", "verifiable parental consent", "parent or guardian permission", "consent from parent" ] }, "remediation": { "guidance": "Obtain verifiable parental consent using an approved method (signed form, credit card, video conference, etc.) 
before collecting data from children under 13.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "16 CFR 312.3, 312.5", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-312", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "consent" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "COPPA-312-4-content-notice", "version": "1.0.0", "framework": "coppa", "title": "Content of Privacy Notice", "severity": "warning", "summary": "Children's privacy notice must list categories of personal information collected, how it is used, disclosure practices, and contact information for the operator.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "(collect|gather).*from\\s+children", "information.*children.*collect" ], "keywords": [ "categories of information collected from children", "how we use children's data", "children's personal information" ] }, "remediation": { "guidance": "Include in the notice: operator contact info, categories of data collected from children, how data is used, disclosure practices, and parental rights.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "16 CFR 312.4(b)", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-312", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "disclosure" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "COPPA-312-4-direct-notice", "version": "1.0.0", "framework": "coppa", "title": "Direct Notice to Parents", "severity": "critical", "summary": "Must provide direct notice to parents before collecting information from their child, describing what information will be collected and how it will be used.", "rationale": "", "detection": { "type": 
"keyword", "patterns": [], "keywords": [ "direct notice to parents", "notify parent", "parental notification" ] }, "remediation": { "guidance": "Send direct notice to parents describing what data will be collected, how it will be used, and how parents can provide or revoke consent.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "16 CFR 312.4(c)", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-312", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "disclosure", "consent" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "COPPA-312-5-methods", "version": "1.0.0", "framework": "coppa", "title": "Consent Methods", "severity": "warning", "summary": "Verifiable parental consent must use a method reasonably calculated to ensure the consenting person is the child's parent.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "signed\\s+(consent|authorization)\\s+form", "credit\\s+card.*verif", "video\\s+(conference|call).*consent" ], "keywords": [ "consent method", "signed consent form", "knowledge-based authentication", "video conference consent" ] }, "remediation": { "guidance": "Use an FTC-approved consent verification method: signed form returned by mail/fax/email scan, credit card transaction, video conference, or government ID check.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "16 CFR 312.5(b)", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-312", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "consent", "structural" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "COPPA-312-6-rights", "version": "1.0.0", "framework": "coppa", "title": "Parental Rights", "severity": "warning", 
"summary": "Parents must be able to review personal information collected from their child, request deletion, and refuse further collection.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "parent.*review.*child('s)?\\s+(data|information)", "delete.*child('s)?\\s+(data|information|account)" ], "keywords": [ "parental access rights", "review child's information", "delete child's data", "refuse further collection" ] }, "remediation": { "guidance": "Provide parents the ability to: (1) review their child's personal information, (2) request deletion, and (3) refuse further collection or use.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "16 CFR 312.6", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-312", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "data-rights" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "COPPA-312-7-prohibition", "version": "1.0.0", "framework": "coppa", "title": "No Conditioning on Data Collection", "severity": "critical", "summary": "Cannot condition a child's participation in an activity on providing more personal information than is reasonably necessary.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "(require|must\\s+provide).*to\\s+(play|participate|access|use)", "required.*field.*children" ], "keywords": [ "required information", "cannot condition participation", "reasonably necessary", "data minimization for children" ] }, "remediation": { "guidance": "Do not require children to disclose more information than is reasonably necessary to participate in an activity. 
Only collect what is strictly needed.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "16 CFR 312.7", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-312", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "consent", "data-minimization" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "COPPA-312-8-confidentiality", "version": "1.0.0", "framework": "coppa", "title": "Data Security", "severity": "warning", "summary": "Must establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of children's personal information.", "rationale": "", "detection": { "type": "keyword", "patterns": [], "keywords": [ "protect children's data", "security of children's information", "confidentiality", "data security" ] }, "remediation": { "guidance": "Implement reasonable data security measures to protect children's personal information from unauthorized access, use, or disclosure.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "16 CFR 312.8", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-312", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "security", "structural" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "COPPA-312-age-gate", "version": "1.0.0", "framework": "coppa", "title": "Age Screening", "severity": "critical", "summary": "Sites directed to a general audience that knowingly collect information from children under 13 must implement age screening.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "(age|birthday)\\s+(gate|screen|check|verif)", "how\\s+old\\s+are\\s+you", "enter\\s+your\\s+(birth\\s*date|date\\s+of\\s+birth|age)" ], "keywords": [ 
"age gate", "age verification", "age screening", "date of birth", "are you over 13" ] }, "remediation": { "guidance": "Implement age screening before collecting personal information. If a user indicates they are under 13, block data collection or trigger parental consent flow.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "16 CFR 312.2", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-312", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "consent" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "COPPA-312-ed-tech", "version": "1.0.0", "framework": "coppa", "title": "Educational Technology Exception", "severity": "warning", "summary": "Schools may consent on behalf of parents for educational technology services, but only for school-authorized educational purposes.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "school.*consent", "educational\\s+(purpose|technology|service)", "teacher.*consent.*behalf" ], "keywords": [ "school consent", "educational purpose", "ed-tech", "school-authorized", "FERPA" ] }, "remediation": { "guidance": "When relying on school consent, use collected data only for school-authorized educational purposes. 
Do not use for commercial purposes.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "16 CFR 312.5(c)(3)", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-312", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "consent", "education" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "COPPA-312-safe-harbor", "version": "1.0.0", "framework": "coppa", "title": "Safe Harbor Programs", "severity": "info", "summary": "Operators may participate in FTC-approved self-regulatory safe harbor programs as an alternative to individual FTC enforcement.", "rationale": "", "detection": { "type": "keyword", "patterns": [], "keywords": [ "safe harbor", "CARU", "kidSAFE", "PRIVO", "iKeepSafe", "self-regulatory program" ] }, "remediation": { "guidance": "Consider joining an FTC-approved COPPA safe harbor program (CARU, kidSAFE, PRIVO, iKeepSafe) for additional compliance support.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "16 CFR 312.11", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-312", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "structural" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } } ]
```

### references/rules-ftc-claims.json

```json
[ { "id": "FTC-233-1-former-price", "version": "1.0.0", "framework": "ftc", "title": "Former Price Comparisons", "severity": "critical", "summary": "Price comparisons to a \"former price\" must be based on actual prices at which the item was offered in good faith for a reasonably substantial period.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "was\\s+\\$\\d+", "formerly\\s+\\$\\d+", "regular\\s+price\\s+\\$\\d+", "compare\\s+at\\s+\\$\\d+" ], "keywords": [ 
"was", "formerly", "regular price", "compare at" ] }, "remediation": { "guidance": "Only show \"was $X\" prices that reflect genuine prior pricing. Maintain records of historical pricing.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "16 CFR 233.1", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-B/part-233#233.1", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "pricing" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-233-2-retail-value", "version": "1.0.0", "framework": "ftc", "title": "Comparable Value Claims", "severity": "warning", "summary": "Retail value or comparable value claims must accurately reflect the price at which comparable products are sold by others.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "retail\\s+value\\s+\\$\\d+", "comparable\\s+value", "compare\\s+to\\s+\\$\\d+" ], "keywords": [ "retail value", "comparable value", "compare to" ] }, "remediation": { "guidance": "Verify comparable prices before using \"Retail Value\" or \"Compare at\" claims. 
Document competitive pricing.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "16 CFR 233.2", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-B/part-233#233.2", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "claims", "pricing" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-233-3-list-price", "version": "1.0.0", "framework": "ftc", "title": "Manufacturer List Price Claims", "severity": "warning", "summary": "Claims of savings from manufacturer's list price or suggested retail price must reflect prices at which products are actually sold.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "msrp\\s+\\$\\d+", "list\\s+price\\s+\\$\\d+", "suggested\\s+retail" ], "keywords": [ "MSRP", "list price", "suggested retail" ] }, "remediation": { "guidance": "Only reference MSRP if products are actually sold at that price in the market.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "16 CFR 233.3", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-B/part-233#233.3", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "claims", "pricing" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-233-4-bargain", "version": "1.0.0", "framework": "ftc", "title": "Bargain Offers Based on Other Purchases", "severity": "warning", "summary": "Offers like \"Buy one, get one free\" must not inflate the price of the first item to recover the cost of the \"free\" item.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "buy\\s+one.*get\\s+one", "bogo", "buy\\s+\\d+.*get\\s+\\d+" ], "keywords": [ "BOGO", "buy one get one", "buy 2 get 1" ] }, "remediation": { "guidance": "In BOGO offers, the first item 
price must be the regular price. Do not inflate to cover free item.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "16 CFR 233.4", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-B/part-233#233.4", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "pricing" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-238-1-bait", "version": "1.0.0", "framework": "ftc", "title": "No Bait Advertising", "severity": "critical", "summary": "Bait advertising is an alluring but insincere offer to sell a product which the advertiser does not intend to sell.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "while\\s+supplies\\s+last", "limited\\s+quantities?", "limited\\s+stock" ], "keywords": [ "while supplies last", "limited quantity", "limited stock" ] }, "remediation": { "guidance": "Ensure advertised products are available in reasonable quantities. Do not use low prices just to lure customers.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "16 CFR 238.1", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-B/part-238#238.1", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "general" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-238-2-switch", "version": "1.0.0", "framework": "ftc", "title": "No Bait and Switch", "severity": "critical", "summary": "It is deceptive to disparage the advertised product, fail to show it, or refuse to take orders for it in order to switch consumers to a higher-priced item.", "rationale": "", "detection": { "type": "ai-only" }, "remediation": { "guidance": "Honor advertised prices. 
Do not discourage purchase of advertised items to upsell alternatives.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "16 CFR 238.2", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-B/part-238#238.2", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "pricing", "structural" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-238-3-adequate-supply", "version": "1.0.0", "framework": "ftc", "title": "Must Have Adequate Supply", "severity": "warning", "summary": "Advertisers must have adequate supply of advertised products to meet reasonably anticipated demand.", "rationale": "", "detection": { "type": "ai-only" }, "remediation": { "guidance": "Stock sufficient inventory for advertised offers. If limited, clearly disclose quantity available.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "16 CFR 238.3", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-B/part-238#238.3", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "general", "structural" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-238-4-refusal", "version": "1.0.0", "framework": "ftc", "title": "No Refusal to Sell Advertised Item", "severity": "critical", "summary": "Refusal to show, demonstrate, or sell the advertised product is evidence of bait advertising.", "rationale": "", "detection": { "type": "ai-only" }, "remediation": { "guidance": "Train staff to actively sell advertised products. 
Do not create obstacles to purchasing advertised items.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "16 CFR 238.4", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-B/part-238#238.4", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "general", "structural" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-251-1-conditions", "version": "1.0.0", "framework": "ftc", "title": "\"Free\" Offer Conditions Must Be Disclosed", "severity": "critical", "summary": "All conditions and obligations for receiving a \"free\" item must be clearly and conspicuously disclosed.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "free\\s*\\*", "free.*conditions\\s+apply", "free.*see\\s+(details|terms)" ], "keywords": [ "conditions apply", "terms", "with purchase" ] }, "remediation": { "guidance": "Disclose all conditions upfront: \"Free with $50 purchase\" not hidden in fine print.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "16 CFR 251.1(b)", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-B/part-251#251.1", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "disclosure" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-251-1-continuous", "version": "1.0.0", "framework": "ftc", "title": "No Continuous \"Free\" Offers", "severity": "warning", "summary": "\"Free\" offers cannot be used continuously - they must be intermittent to preserve the meaning of \"free.\"", "rationale": "", "detection": { "type": "ai-only" }, "remediation": { "guidance": "Limit duration of free offers. 
A perpetual \"free gift\" promotion is deceptive.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "16 CFR 251.1(e)", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-B/part-251#251.1", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "general", "structural" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-251-1-free-genuine", "version": "1.0.0", "framework": "ftc", "title": "\"Free\" Must Be Genuinely Free", "severity": "critical", "summary": "The word \"Free\" may only be used when the consumer pays nothing for the item and is not required to purchase anything else at an inflated price.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "\\bfree\\b", "at\\s+no\\s+(additional\\s+)?cost", "complimentary", "gift\\s+with\\s+purchase" ], "keywords": [ "free", "no cost", "complimentary", "gift" ] }, "remediation": { "guidance": "Only use \"FREE\" when the item is truly free with no hidden costs or inflated companion purchase requirements.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "16 CFR 251.1(a)", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-B/part-251#251.1", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "pricing" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-251-1-regular-price", "version": "1.0.0", "framework": "ftc", "title": "\"Free\" Cannot Inflate Regular Price", "severity": "critical", "summary": "The regular price of merchandise sold with a \"free\" offer must not be increased to cover the cost of the free item.", "rationale": "", "detection": { "type": "ai-only" }, "remediation": { "guidance": "Maintain regular pricing during free promotions. 
Do not mark up base product to cover \"free\" item costs.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "16 CFR 251.1(c)", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-B/part-251#251.1", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "pricing", "structural" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-251-1-shipping", "version": "1.0.0", "framework": "ftc", "title": "\"Free\" Item Shipping Charges", "severity": "warning", "summary": "Shipping and handling charges for a \"free\" item must be reasonable and disclosed. Excessive S&H that covers item cost is deceptive.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "free.*\\$\\d+.*shipping", "just\\s+pay\\s+shipping", "free.*s&h" ], "keywords": [ "shipping", "handling", "S&H", "just pay shipping" ] }, "remediation": { "guidance": "If charging S&H for \"free\" items, charges must be reasonable and clearly disclosed before checkout.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "16 CFR 251.1(d)", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-B/part-251#251.1", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "disclosure" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-260-1-purpose", "version": "1.0.0", "framework": "ftc", "title": "Green Guides Purpose", "severity": "info", "summary": "The Green Guides help marketers avoid making environmental claims that are unfair or deceptive under Section 5 of the FTC Act.", "rationale": "", "detection": { "type": "ai-only" }, "remediation": { "guidance": "Environmental marketing claims must be truthful, substantiated, and not misleading.", "examples": [] }, "source": { 
"source_type": "public_law", "policy_status": "allowed", "citation": "16 CFR 260.1", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-B/part-260#260.1", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "claims", "structural" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-260-10-nontoxic", "version": "1.0.0", "framework": "ftc", "title": "Non-Toxic Claims", "severity": "warning", "summary": "Non-toxic claims must be substantiated for all foreseeable human and environmental exposures.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "non[\\s-]?toxic", "toxin[\\s-]?free", "safe\\s+for.*environment" ], "keywords": [ "non-toxic", "toxin free", "safe for environment" ] }, "remediation": { "guidance": "Substantiate non-toxic claims with testing. Consider all exposure routes and populations.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "16 CFR 260.10", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-B/part-260#260.10", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "claims" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-260-12-recyclable", "version": "1.0.0", "framework": "ftc", "title": "Recyclable Claims", "severity": "warning", "summary": "Recyclable claims should be qualified if recycling facilities are not available to a substantial majority of consumers.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "\\brecyclable\\b", "can\\s+be\\s+recycled", "\\d+%\\s+recyclable" ], "keywords": [ "recyclable", "recycle", "recycling" ] }, "remediation": { "guidance": "Qualify recyclable claims: \"Recyclable where facilities exist\" or \"Check local recycling.\" Specify which components.", "examples": [] }, "source": { 
"source_type": "public_law", "policy_status": "allowed", "citation": "16 CFR 260.12", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-B/part-260#260.12", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "claims" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-260-13-recycled", "version": "1.0.0", "framework": "ftc", "title": "Recycled Content Claims", "severity": "warning", "summary": "Recycled content claims must specify whether content is pre-consumer or post-consumer recycled material.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "(made\\s+with|contains?)\\s+\\d+%\\s+recycled", "post[\\s-]?consumer\\s+recycled", "pre[\\s-]?consumer\\s+recycled" ], "keywords": [ "recycled content", "post-consumer", "pre-consumer", "made with recycled" ] }, "remediation": { "guidance": "Distinguish between pre-consumer and post-consumer recycled content. Specify percentage accurately.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "16 CFR 260.13", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-B/part-260#260.13", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "claims" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-260-15-renewable", "version": "1.0.0", "framework": "ftc", "title": "Renewable Energy Claims", "severity": "warning", "summary": "Renewable energy claims must be substantiated. 
If using RECs, marketers should not overstate environmental benefits.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "(powered|made)\\s+(by|with)\\s+renewable", "\\d+%\\s+renewable\\s+energy", "solar\\s+powered", "wind\\s+powered" ], "keywords": [ "renewable energy", "solar powered", "wind energy", "clean energy" ] }, "remediation": { "guidance": "Distinguish between on-site generation and REC purchases. Disclose methodology.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "16 CFR 260.15", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-B/part-260#260.15", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "claims" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-260-16-materials", "version": "1.0.0", "framework": "ftc", "title": "Renewable Materials Claims", "severity": "info", "summary": "Renewable materials claims should not be deceptive about the overall environmental benefit.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "renewable\\s+materials?", "plant[\\s-]?based", "bio[\\s-]?based" ], "keywords": [ "renewable materials", "plant-based", "bio-based" ] }, "remediation": { "guidance": "Specify what percentage of materials are from renewable sources. 
Identify the renewable materials.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "16 CFR 260.16", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-B/part-260#260.16", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "claims" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-260-3-general", "version": "1.0.0", "framework": "ftc", "title": "Environmental Claims Must Be Substantiated", "severity": "critical", "summary": "All environmental claims must be substantiated by competent and reliable scientific evidence.", "rationale": "", "detection": { "type": "ai-only" }, "remediation": { "guidance": "Maintain documentation supporting all environmental claims. Claims should be specific and verifiable.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "16 CFR 260.3", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-B/part-260#260.3", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "claims", "structural" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-260-3-qualification", "version": "1.0.0", "framework": "ftc", "title": "Qualify Broad Environmental Claims", "severity": "warning", "summary": "Broad environmental claims should be qualified to prevent deception about the product's environmental attributes.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "eco[\\s-]?friendly", "environmentally\\s+friendly", "green\\s+product", "earth[\\s-]?friendly" ], "keywords": [ "eco-friendly", "environmentally friendly", "green", "earth friendly" ] }, "remediation": { "guidance": "Avoid vague claims like \"eco-friendly\". 
Use specific claims like \"Made with 50% recycled plastic.\"", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "16 CFR 260.3", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-B/part-260#260.3", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "claims" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-260-4-general-benefit", "version": "1.0.0", "framework": "ftc", "title": "General Environmental Benefit Claims", "severity": "critical", "summary": "Unqualified general environmental benefit claims (e.g., \"green\" or \"eco-friendly\") are difficult to substantiate and should be avoided.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "\\b(green|eco|sustainable)\\b(?![\\w-])", "good\\s+for\\s+(the\\s+)?environment", "planet[\\s-]?friendly" ], "keywords": [ "green", "sustainable", "eco", "planet friendly" ] }, "remediation": { "guidance": "Replace vague environmental claims with specific, measurable benefits that can be documented.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "16 CFR 260.4", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-B/part-260#260.4", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "claims" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-260-5-carbon", "version": "1.0.0", "framework": "ftc", "title": "Carbon Offset Claims", "severity": "warning", "summary": "Carbon offset claims must reflect genuine, verifiable, permanent emission reductions and should be properly qualified.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "carbon\\s+(neutral|negative|zero|offset)", "net[\\s-]?zero\\s+(carbon|emissions?)", "climate\\s+(neutral|positive)" ], 
"keywords": [ "carbon neutral", "carbon offset", "net zero", "climate neutral" ] }, "remediation": { "guidance": "Use third-party verified carbon offsets. Disclose offset methodology and certifying body.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "16 CFR 260.5", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-B/part-260#260.5", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "claims" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-260-6-seals", "version": "1.0.0", "framework": "ftc", "title": "Environmental Certifications and Seals", "severity": "warning", "summary": "Environmental certifications and seals can be deceptive if they imply general environmental benefit without qualification.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "certified\\s+(green|sustainable|eco)", "seal\\s+of\\s+approval", "\\d+%\\s+certified" ], "keywords": [ "certified", "seal", "certification", "approved" ] }, "remediation": { "guidance": "Clarify what specific attribute the certification covers. 
Disclose certifying organization.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "16 CFR 260.6", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-B/part-260#260.6", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "general" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-260-7-compostable", "version": "1.0.0", "framework": "ftc", "title": "Compostable Claims", "severity": "warning", "summary": "Compostable claims should specify whether the item is suitable for home composting or requires industrial facilities.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "\\bcompostable\\b", "industrially\\s+compostable", "home\\s+compostable" ], "keywords": [ "compostable", "composting", "industrial compost", "home compost" ] }, "remediation": { "guidance": "Specify composting conditions: \"Commercially compostable only\" or \"Home compostable.\" Include timeframe if relevant.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "16 CFR 260.7", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-B/part-260#260.7", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "claims" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-260-8-degradable", "version": "1.0.0", "framework": "ftc", "title": "Degradable and Biodegradable Claims", "severity": "critical", "summary": "Degradable claims require evidence that the product will completely break down within one year under normal disposal conditions.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "biodegradable", "bio[\\s-]?degradable", "degrades?\\s+naturally", "breaks?\\s+down\\s+(naturally|quickly)" ], "keywords": [ "biodegradable", "degradable", 
"breaks down", "decomposes" ] }, "remediation": { "guidance": "Only claim biodegradable if product fully decomposes within 1 year. Qualify for specific disposal conditions.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "16 CFR 260.8", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-B/part-260#260.8", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "claims" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-260-9-free-of", "version": "1.0.0", "framework": "ftc", "title": "Free-Of Environmental Claims", "severity": "warning", "summary": "Free-of claims must be truthful and should not be made if the substance was never present or associated with the product category.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "free\\s+of\\s+[a-z]+", "[a-z]+-free\\b", "contains?\\s+no\\s+[a-z]+" ], "keywords": [ "free of", "free", "contains no", "without" ] }, "remediation": { "guidance": "Only claim \"free of X\" if (1) X is typically present in similar products, and (2) absence provides environmental benefit.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "16 CFR 260.9", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-B/part-260#260.9", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "claims" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-CLAIM-BEST", "version": "1.0.0", "framework": "ftc", "title": "Superlative Claims Without Basis", "severity": "warning", "summary": "Claims like \"best\", \"#1\", \"leading\", or \"top-rated\" require substantiation through comparative testing or market data.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ 
"#\\s*1\\s+(selling|rated|brand|choice|recommended)", "(best|top|leading|premier)\\s+(selling|rated|quality)", "(america|world)'?s?\\s+(best|#\\s*1|favorite|leading)", "award[\\s-]?winning" ], "keywords": [ "best", "number one", "top rated", "leading brand", "award winning" ] }, "remediation": { "guidance": "Remove unsubstantiated superlative claims or provide evidence (market share data, comparative tests, awards).", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "FTC Act §5", "source_url": "https://www.ftc.gov/business-guidance/resources/advertising-faqs", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "claims" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-CLAIM-CLINICAL", "version": "1.0.0", "framework": "ftc", "title": "\"Clinically Proven\" Without Clinical Trials", "severity": "critical", "summary": "Claims like \"clinically proven\" or \"clinically tested\" require actual clinical trials supporting the specific claim.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "clinically\\s+(proven|tested|shown|demonstrated)", "clinical\\s+(studies?|trials?|evidence)\\s+(show|prove|demonstrate)", "backed\\s+by\\s+(science|research|studies)" ], "keywords": [ "clinically proven", "clinical study", "scientific evidence", "research shows" ] }, "remediation": { "guidance": "Remove \"clinically proven\" unless backed by published, peer-reviewed clinical trials. 
Cite specific studies.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "FTC Act §5", "source_url": "https://www.ftc.gov/business-guidance/resources/advertising-faqs", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "claims" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-CLAIM-DOCTOR", "version": "1.0.0", "framework": "ftc", "title": "\"Doctor Recommended\" Without Substantiation", "severity": "warning", "summary": "Claims like \"doctor recommended\" or \"#1 doctor choice\" must be based on actual surveys or endorsements from qualified medical professionals.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "(doctor|physician|MD|dermatologist)s?\\s+(recommended|approved|choice|trusted)", "#?1\\s+(doctor|physician|dermatologist)\\s+(recommended|choice)", "(recommended|approved)\\s+by\\s+(doctors?|physicians?|MDs?)" ], "keywords": [ "doctor recommended", "physician approved", "medical professional", "dermatologist tested" ] }, "remediation": { "guidance": "Remove doctor recommendation claims or provide substantiation (survey methodology, sample size, date).", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "16 CFR 255.3", "source_url": "https://www.ftc.gov/business-guidance/resources/ftcs-endorsement-guides-what-people-are-asking", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "endorsement", "claims" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-CLAIM-GUARANTEE", "version": "1.0.0", "framework": "ftc", "title": "\"100% Guaranteed\" Claims", "severity": "warning", "summary": "Absolute guarantee claims must be honored and any conditions must be clearly disclosed.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ 
"100%\\s*(money[\\s-]?back\\s+)?guarantee", "guaranteed\\s+(results?|satisfaction|to\\s+work)", "(full|complete)\\s+refund\\s+guarantee", "no[\\s-]?questions?[\\s-]?asked\\s+refund" ], "keywords": [ "money back guarantee", "satisfaction guaranteed", "guaranteed results", "full refund" ] }, "remediation": { "guidance": "Clearly disclose all conditions, limitations, and procedures for any guarantee. Honor all guarantees offered.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "FTC Act §5", "source_url": "https://www.ftc.gov/business-guidance/resources/advertising-faqs", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "disclosure", "claims" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-CLAIM-HEALTH", "version": "1.0.0", "framework": "ftc", "title": "Unsubstantiated Health Benefit Claims", "severity": "critical", "summary": "Health benefit claims (cures, treats, prevents disease) require competent and reliable scientific evidence.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "(cures?|treats?|prevents?|heals?)\\s+(cancer|diabetes|arthritis|disease|illness)", "eliminates?\\s+(pain|symptoms?|disease)", "reverses?\\s+(aging|diabetes|disease)", "boosts?\\s+(immune|immunity)\\s*system" ], "keywords": [ "cure", "treat", "prevent disease", "heal", "immune boost", "anti-aging" ] }, "remediation": { "guidance": "Remove unsupported health claims. 
Use qualified language like \"may support\" with appropriate disclaimers.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "FTC Act §5", "source_url": "https://www.ftc.gov/business-guidance/resources/health-products-compliance-guidance", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "claims", "health-data" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-CLAIM-PERCENT", "version": "1.0.0", "framework": "ftc", "title": "Specific Percentage Efficacy Claims", "severity": "warning", "summary": "Specific percentage claims (e.g., \"90% effective\", \"reduces wrinkles by 50%\") require supporting evidence.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "\\d{2,3}%\\s*(effective|reduction|improvement|increase|decrease)", "(reduces?|improves?|increases?)\\s+(by\\s+)?\\d{2,3}%", "\\d+\\s*out\\s*of\\s*\\d+\\s*(people|users?|customers?)" ], "keywords": [ "percent effective", "reduction", "improvement", "efficacy" ] }, "remediation": { "guidance": "Substantiate percentage claims with studies or testing. 
Include methodology and conditions.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "FTC Act §5", "source_url": "https://www.ftc.gov/business-guidance/resources/advertising-faqs", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "claims" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-CLAIM-SCIENTIFIC", "version": "1.0.0", "framework": "ftc", "title": "\"Scientifically Proven\" Without Studies", "severity": "critical", "summary": "Claims invoking scientific authority must be supported by actual scientific studies relevant to the claim.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "scientifically\\s+(proven|tested|formulated|backed)", "science\\s+(shows|proves|confirms)", "(based\\s+on|backed\\s+by)\\s+science", "breakthrough\\s+(formula|technology|discovery)" ], "keywords": [ "scientifically proven", "science backed", "breakthrough", "revolutionary" ] }, "remediation": { "guidance": "Remove scientific proof claims or cite specific peer-reviewed studies with links to publications.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "FTC Act §5", "source_url": "https://www.ftc.gov/business-guidance/resources/advertising-faqs", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "claims" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-CLAIM-WEIGHT", "version": "1.0.0", "framework": "ftc", "title": "Unsubstantiated Weight Loss Claims", "severity": "critical", "summary": "Claims like \"Lose X pounds in Y days\" require competent and reliable scientific evidence. 
Most rapid weight loss claims are deceptive.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "lose\\s+\\d+\\s*(lbs?|pounds?|kg|kilos?)\\s*(in|within)\\s*\\d+\\s*(days?|weeks?)", "drop\\s+\\d+\\s*(lbs?|pounds?)\\s*(fast|quick|rapid)", "shed\\s+(up\\s+to\\s+)?\\d+\\s*(lbs?|pounds?)", "burn\\s+\\d+\\s*calories", "melt\\s+(away\\s+)?(fat|pounds)" ], "keywords": [ "weight loss", "lose weight", "burn fat", "slim down", "shed pounds" ] }, "remediation": { "guidance": "Remove specific weight loss claims unless supported by clinical trials. Add disclaimer about typical results and need for diet/exercise.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "FTC Act §5", "source_url": "https://www.ftc.gov/business-guidance/resources/gut-check-reference-guide-media-spotting-false-weight-loss-claims", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "claims" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-FREE-CONDITION", "version": "1.0.0", "framework": "ftc", "title": "Hidden Conditions for \"Free\" Products", "severity": "critical", "summary": "Offers of \"free\" products with hidden conditions (shipping, subscription, purchase requirement) must clearly disclose all terms.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "free\\s*[!\\*]", "free.*\\$\\d+\\s+(shipping|s&h|handling)", "free.*with\\s+(purchase|subscription|order)", "\\$0(\\.00)?.*\\$\\d+\\.\\d+\\s+shipping" ], "keywords": [ "free", "no cost", "complimentary", "shipping fee", "handling charge" ] }, "remediation": { "guidance": "Disclose all conditions for \"free\" offers prominently and before checkout. 
E.g., \"Free with $50 purchase\" not just \"FREE\".", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "16 CFR 251", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-B/part-251", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "disclosure" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-FREE-TRIAL", "version": "1.0.0", "framework": "ftc", "title": "Free Trial Auto-Charge Without Disclosure", "severity": "critical", "summary": "Free trials that automatically convert to paid subscriptions must clearly disclose the conversion terms before enrollment.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "free\\s+trial.*\\$\\d+", "try\\s+(free|it)\\s*(for)?\\s*\\d+\\s*days?", "(starts?|begins?)\\s+(free|at\\s+\\$0)", "cancel\\s+(anytime|before)", "after\\s+(free\\s+)?trial.*\\$\\d+" ], "keywords": [ "free trial", "trial period", "auto-renew", "cancel anytime", "after trial" ] }, "remediation": { "guidance": "Clearly disclose before checkout: (1) Free trial length, (2) Post-trial price, (3) How to cancel. 
Get affirmative consent.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "FTC Act §5 / ROSCA", "source_url": "https://www.ftc.gov/business-guidance/news-events/news/press-releases/2021/10/ftc-brings-first-case-challenging-illegal-dark-patterns-trick", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "disclosure" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-GREEN-CARBON", "version": "1.0.0", "framework": "ftc", "title": "Carbon Neutral Without Certification", "severity": "warning", "summary": "Carbon neutral and carbon offset claims should be substantiated with reliable third-party certification.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "carbon\\s+(neutral|negative|zero|free)", "net[\\s-]?zero\\s+(carbon|emissions?)", "carbon\\s+offset", "climate\\s+(neutral|positive)" ], "keywords": [ "carbon neutral", "carbon offset", "net zero", "climate neutral" ] }, "remediation": { "guidance": "Provide certification details for carbon neutral claims. 
Disclose offset methodology and certifier.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "16 CFR 260.5", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-B/part-260", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "green-claims", "carbon", "environmental", "certification" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-GREEN-DEGRADE", "version": "1.0.0", "framework": "ftc", "title": "Misleading Biodegradable Claims", "severity": "warning", "summary": "\"Biodegradable\" claims require evidence that the product completely breaks down within one year under normal disposal conditions.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "biodegradable", "bio[\\s-]?degradable", "breaks?\\s+down\\s+naturally", "decomposes?\\s+(naturally|quickly)" ], "keywords": [ "biodegradable", "compostable", "breaks down", "decomposes" ] }, "remediation": { "guidance": "Substantiate biodegradable claims with testing. 
Specify timeframe and disposal conditions.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "16 CFR 260.8", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-B/part-260", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "green-claims", "biodegradable", "environmental" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-GREEN-ECO", "version": "1.0.0", "framework": "ftc", "title": "Unsubstantiated Eco-Friendly Claims", "severity": "warning", "summary": "Broad environmental claims like \"eco-friendly\" or \"green\" must be qualified and substantiated.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "eco[\\s-]?friendly", "(environmentally|earth)\\s+(friendly|safe|conscious)", "good\\s+for\\s+(the\\s+)?(planet|earth|environment)", "planet[\\s-]?friendly" ], "keywords": [ "eco-friendly", "environmentally friendly", "green product", "earth friendly" ] }, "remediation": { "guidance": "Replace vague \"eco-friendly\" with specific, substantiated claims (e.g., \"Made with 50% recycled content\").", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "16 CFR 260.4", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-B/part-260", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "green-claims", "environmental", "substantiation" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-GREEN-NATURAL", "version": "1.0.0", "framework": "ftc", "title": "Misleading Natural or Organic Claims", "severity": "warning", "summary": "\"Natural\" and \"organic\" claims should be specific and substantiated. 
For food/cosmetics, USDA standards may apply.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "\\b(100%\\s+)?(all[\\s-]?)natural\\b", "\\bnatural\\s+(ingredients?|formula|product)\\b", "\\borganic\\b(?!.*certified)", "made\\s+with\\s+natural" ], "keywords": [ "natural", "all natural", "organic", "naturally derived" ] }, "remediation": { "guidance": "Specify what makes the product natural. For organic claims, obtain USDA certification if applicable.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "16 CFR 260.4", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-B/part-260", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "green-claims", "natural", "organic", "environmental" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-GREEN-RECYCLE", "version": "1.0.0", "framework": "ftc", "title": "Unqualified Recyclable Claims", "severity": "warning", "summary": "\"Recyclable\" claims must specify what parts are recyclable and whether recycling facilities are available to consumers.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "\\b(100%\\s+)?recyclable\\b", "can\\s+be\\s+recycled", "recycle\\s+this\\s+(product|package|item)" ], "keywords": [ "recyclable", "recycle", "recycling", "recyclable packaging" ] }, "remediation": { "guidance": "Qualify recyclable claims: specify which parts, include recycling instructions, note facility availability.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "16 CFR 260.12", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-B/part-260", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "green-claims", "recyclable", "environmental" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], 
"owner": "qcme-core" } }, { "id": "FTC-GREEN-SUSTAIN", "version": "1.0.0", "framework": "ftc", "title": "Vague Sustainable Claims", "severity": "info", "summary": "Broad claims like \"sustainable\" should be qualified with specific, substantiated environmental benefits.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "\\bsustainable\\b", "sustainably\\s+(sourced|made|produced)", "sustainability\\s+(certified|focused)" ], "keywords": [ "sustainable", "sustainably sourced", "sustainability" ] }, "remediation": { "guidance": "Replace vague sustainability claims with specific achievements (e.g., \"Made with 100% renewable energy\").", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "16 CFR 260.4", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-B/part-260", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "green-claims", "sustainability", "environmental" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-USA-ASSEMBLED", "version": "1.0.0", "framework": "ftc", "title": "\"Assembled in USA\" Misuse", "severity": "warning", "summary": "\"Assembled in USA\" requires principal assembly in the US. Must not imply higher US content than exists.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "assembled\\s+in\\s+(the\\s+)?u\\.?s\\.?a?\\.?", "assembled\\s+in\\s+(america|united\\s+states)" ], "keywords": [ "assembled in USA", "assembled in America", "US assembly" ] }, "remediation": { "guidance": "Only use \"Assembled in USA\" if significant assembly occurs in the US. 
Disclose foreign components.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "FTC Act §5 / Made in USA Policy", "source_url": "https://www.ftc.gov/business-guidance/resources/complying-made-usa-standard", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "general" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-USA-ORIGIN", "version": "1.0.0", "framework": "ftc", "title": "Country of Origin Misrepresentation", "severity": "critical", "summary": "Misrepresenting country of origin through flags, symbols, or misleading statements is deceptive.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "(american|usa)\\s+(flag|quality|pride)", "patriotic.*made" ], "keywords": [ "country of origin", "US flag", "American flag", "patriotic" ] }, "remediation": { "guidance": "Accurately represent country of origin. Do not use US flags/symbols for foreign-made products.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "FTC Act §5", "source_url": "https://www.ftc.gov/business-guidance/resources/complying-made-usa-standard", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "general" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-USA-UNQUALIFIED", "version": "1.0.0", "framework": "ftc", "title": "Unqualified \"Made in USA\" Claim", "severity": "critical", "summary": "Unqualified \"Made in USA\" claims require that the product be \"all or virtually all\" made in the United States.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "made\\s+in\\s+(the\\s+)?u\\.?s\\.?a?\\.?(?!.*assembled)", "american\\s+made", "proudly\\s+made\\s+in\\s+(america|u\\.?s\\.?)", "100%\\s+american" ], "keywords": [ "made in USA", "American made", "made in America", 
"USA made" ] }, "remediation": { "guidance": "Verify that final assembly and all significant parts/processing are in the USA. If not, qualify the claim.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "FTC Act §5 / Made in USA Policy", "source_url": "https://www.ftc.gov/business-guidance/resources/complying-made-usa-standard", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "claims" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-bait-switch", "version": "1.0.0", "framework": "ftc", "title": "No Bait and Switch", "severity": "critical", "summary": "Advertising an offer that is not genuinely available to lure customers is illegal.", "rationale": "", "detection": { "type": "keyword", "keywords": [ "bait", "switch", "unavailable", "sold out" ] }, "remediation": { "guidance": "Ensure advertised products/prices are actually available to consumers.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "FTC Act §5", "source_url": "https://www.ftc.gov/business-guidance/advertising-marketing", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "general" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-hidden-fees", "version": "1.0.0", "framework": "ftc", "title": "Hidden Fee Disclosure", "severity": "critical", "summary": "All material fees must be clearly disclosed upfront, not hidden.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "\\$\\d+.*\\*", "plus.*fees?", "additional.*charges?" ], "keywords": [ "fees", "charges", "hidden", "surprise" ] }, "remediation": { "guidance": "Disclose all fees prominently before purchase. 
No surprise charges.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "FTC Act §5", "source_url": "https://www.ftc.gov/business-guidance/advertising-marketing/pricing", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "disclosure", "pricing" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-truth-advertising", "version": "1.0.0", "framework": "ftc", "title": "Truth in Advertising", "severity": "critical", "summary": "Advertising must be truthful, not misleading, and backed by evidence.", "rationale": "", "detection": { "type": "keyword", "keywords": [ "truthful", "substantiated", "evidence", "deceptive" ] }, "remediation": { "guidance": "Substantiate all advertising claims before making them.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "FTC Act §5", "source_url": "https://www.ftc.gov/business-guidance/advertising-marketing/truth-advertising", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "general" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } } ]
```

### references/rules-ftc-dark-patterns.json

```json
[ { "id": "FTC-CANCEL-HARD", "version": "1.0.0", "framework": "ftc", "title": "Difficult Cancellation Process", "severity": "warning", "summary": "Cancellation must be as easy as sign-up. Complex cancellation processes (call-only, multiple steps, retention offers) violate FTC guidelines.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "call\\s+to\\s+cancel", "contact.*to\\s+cancel", "cancellation\\s+(fee|charge|penalty)" ], "keywords": [ "cancel subscription", "how to cancel", "cancellation policy", "stop subscription" ] }, "remediation": { "guidance": "Provide simple online cancellation option. 
Do not require phone calls or multiple retention attempts.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "FTC Act §5 / Click-to-Cancel", "source_url": "https://www.ftc.gov/business-guidance/news-events/news/press-releases/2023/03/ftc-proposes-rule-provision-making-it-easy-consumers-click-cancel", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "general" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-DARK-CANCEL", "version": "1.0.0", "framework": "ftc", "title": "Dark Pattern: Difficult Cancellation", "severity": "critical", "summary": "Making cancellation significantly harder than sign-up is a deceptive dark pattern.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "must\\s+call\\s+to\\s+cancel", "call.*to\\s+cancel.*subscription", "cancellation.*phone\\s+(only|required)", "visit.*in[\\s-]?person.*cancel" ], "keywords": [ "call to cancel", "cancel by phone", "contact us to cancel" ] }, "remediation": { "guidance": "Implement \"click-to-cancel\" - online cancellation should be as easy as online sign-up.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "FTC Act §5", "source_url": "https://www.ftc.gov/business-guidance/news-events/news/press-releases/2021/10/ftc-brings-first-case-challenging-illegal-dark-patterns-trick", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "general" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-DARK-CONFIRM", "version": "1.0.0", "framework": "ftc", "title": "Dark Pattern: Confirmshaming", "severity": "warning", "summary": "Using manipulative language to shame users out of declining offers is a deceptive dark pattern.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ 
"no,?\\s+i\\s+(don'?t|do\\s+not)\\s+(want|like|need)", "no\\s+thanks,?\\s+i\\s+(hate|don'?t\\s+like)", "i\\s+(prefer|want)\\s+to\\s+pay\\s+(more|full)", "i\\s+don'?t\\s+want\\s+to\\s+save" ], "keywords": [ "no thanks I", "I prefer to pay", "I don't want to save" ] }, "remediation": { "guidance": "Use neutral opt-out language. Replace \"No, I don't want savings\" with \"No thanks\" or \"Decline\".", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "FTC Act §5", "source_url": "https://www.ftc.gov/business-guidance/news-events/news/press-releases/2022/09/ftc-report-shows-rise-sophisticated-dark-patterns-designed-trick", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "general" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-DARK-HIDDEN", "version": "1.0.0", "framework": "ftc", "title": "Dark Pattern: Hidden Costs at Checkout", "severity": "critical", "summary": "Revealing hidden fees, taxes, or charges only at checkout is a deceptive drip pricing dark pattern.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "(service|processing|handling|convenience)\\s+fee", "fee.*added.*checkout", "\\+\\s*\\$\\d+.*fee", "additional\\s+(fee|charge|cost)s?\\s+(may\\s+)?apply" ], "keywords": [ "service fee", "processing fee", "convenience fee", "fees apply", "additional charges" ] }, "remediation": { "guidance": "Display total price including all mandatory fees upfront. 
No surprise charges at checkout.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "FTC Act §5", "source_url": "https://www.ftc.gov/business-guidance/news-events/news/press-releases/2022/10/ftc-proposes-rule-ban-junk-fees", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "pricing" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-DARK-MISDIRECT", "version": "1.0.0", "framework": "ftc", "title": "Dark Pattern: Visual Misdirection", "severity": "warning", "summary": "Using visual tricks (fake X buttons, disguised ads, misleading buttons) to manipulate user choices is deceptive.", "rationale": "", "detection": { "type": "keyword", "keywords": [ "fake button", "close button", "dismiss", "misdirection" ] }, "remediation": { "guidance": "Ensure all UI elements behave as expected. Close buttons should close, not redirect.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "FTC Act §5", "source_url": "https://www.ftc.gov/business-guidance/news-events/news/press-releases/2022/09/ftc-report-shows-rise-sophisticated-dark-patterns-designed-trick", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "general" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-DARK-PRESELECT", "version": "1.0.0", "framework": "ftc", "title": "Dark Pattern: Pre-Selected Add-Ons", "severity": "warning", "summary": "Pre-checking boxes for add-ons, insurance, or upgrades without user action is a deceptive dark pattern.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "pre[\\s-]?selected", "(add|include).*by\\s+default", "opt[\\s-]?out.*uncheck" ], "keywords": [ "pre-selected", "added by default", "opt-out", "uncheck to remove" ] }, "remediation": { "guidance": "Do not pre-select 
any optional add-ons. Let users affirmatively choose extras.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "FTC Act §5", "source_url": "https://www.ftc.gov/business-guidance/news-events/news/press-releases/2022/09/ftc-report-shows-rise-sophisticated-dark-patterns-designed-trick", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "general" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-NEGATIVE-OPTION", "version": "1.0.0", "framework": "ftc", "title": "Negative Option / Subscription Trap", "severity": "critical", "summary": "Subscription services must clearly disclose terms and obtain express informed consent before charging. Silence cannot equal consent.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "(subscription|membership|plan)\\s+will\\s+(auto|automatically)", "continue.*\\s+until.*cancel", "(auto[\\s-]?renew|recurring)", "billed\\s+(monthly|annually|weekly)" ], "keywords": [ "auto-renew", "recurring charge", "subscription", "membership", "billed automatically" ] }, "remediation": { "guidance": "Before charging, clearly disclose: (1) Total cost, (2) Recurring nature, (3) Cancellation method. 
Require checkbox consent.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "ROSCA / FTC Act §5", "source_url": "https://www.ftc.gov/business-guidance/legal-library/browse/rules/negative-option-rule", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "disclosure", "consent" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-RECURRING-HIDE", "version": "1.0.0", "framework": "ftc", "title": "Hidden Recurring Charges", "severity": "critical", "summary": "Recurring charges must be clearly disclosed upfront, not hidden in fine print or terms of service.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "then\\s+\\$\\d+(\\.\\d+)?\\s*/(mo|month|yr|year)", "recurring\\s+charge", "billed\\s+every\\s+\\d+\\s+(days?|weeks?|months?)", "\\*\\s*recurring" ], "keywords": [ "recurring", "monthly charge", "annual fee", "billed every", "automatic payment" ] }, "remediation": { "guidance": "Display recurring charge amount and frequency prominently near the price and in checkout summary.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "ROSCA", "source_url": "https://www.ftc.gov/business-guidance/legal-library/browse/rules/negative-option-rule", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "disclosure" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-SCARCITY-DEMAND", "version": "1.0.0", "framework": "ftc", "title": "Fabricated High Demand Claims", "severity": "warning", "summary": "Claims like \"selling fast\" or \"X people viewing\" that are fabricated or manipulated are deceptive.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "\\d+\\s+people\\s+(viewing|watching|looking)", "\\d+\\s+(sold|bought)\\s+in\\s+(last|past)", 
"selling\\s+(fast|quickly)", "(hot|popular|trending)\\s+(item|product)", "in\\s+high\\s+demand" ], "keywords": [ "people viewing", "sold today", "trending", "popular item", "high demand" ] }, "remediation": { "guidance": "Only display real-time data that is accurate. Remove if viewer counts or demand claims are fabricated.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "FTC Act §5", "source_url": "https://www.ftc.gov/business-guidance/resources/advertising-faqs", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "claims" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-SCARCITY-EXCLUSIVE", "version": "1.0.0", "framework": "ftc", "title": "False Exclusivity Claims", "severity": "warning", "summary": "Claims of exclusivity (\"exclusive offer\", \"invitation only\") that are not genuine are deceptive.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "exclusive\\s+(offer|deal|discount|access)", "invitation\\s+only", "(vip|member)\\s+exclusive", "specially?\\s+selected", "chosen\\s+(few|customers?)" ], "keywords": [ "exclusive offer", "invitation only", "VIP access", "members only", "special selection" ] }, "remediation": { "guidance": "Remove false exclusivity claims. 
Only use \"exclusive\" for genuinely limited or member-only offers.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "FTC Act §5", "source_url": "https://www.ftc.gov/business-guidance/resources/advertising-faqs", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "claims" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-SCARCITY-SALE", "version": "1.0.0", "framework": "ftc", "title": "Perpetual Sale / False Deadline", "severity": "warning", "summary": "Running perpetual \"sales\" or claiming \"sale ends today\" when it does not is deceptive pricing.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "sale\\s+ends?\\s+(today|tonight|soon|midnight)", "(last|final)\\s+(day|chance|opportunity)", "ends?\\s+(soon|today|tonight|tomorrow)", "(today|tonight)\\s+only" ], "keywords": [ "sale ends", "last chance", "final day", "today only", "limited time" ] }, "remediation": { "guidance": "Only advertise sales with genuine end dates. Document regular vs. 
sale pricing periods.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "FTC Act §5", "source_url": "https://www.ftc.gov/business-guidance/resources/advertising-faqs", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "claims" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-SCARCITY-STOCK", "version": "1.0.0", "framework": "ftc", "title": "False Low Stock Claims", "severity": "critical", "summary": "Claims like \"Only X left!\" or \"Low stock\" that are false or manipulated to create urgency are deceptive.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "only\\s+\\d+\\s+(left|remaining|in\\s+stock)", "just\\s+\\d+\\s+(left|remaining)", "(low|limited)\\s+stock", "selling\\s+(out|fast)", "almost\\s+(gone|sold\\s+out)" ], "keywords": [ "only left", "low stock", "limited quantity", "selling fast", "almost gone" ] }, "remediation": { "guidance": "Only display stock counts that reflect actual inventory. 
Remove if counts are fabricated or artificially limited.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "FTC Act §5", "source_url": "https://www.ftc.gov/business-guidance/resources/advertising-faqs", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "claims" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-SCARCITY-TIMER", "version": "1.0.0", "framework": "ftc", "title": "Fake Countdown Timers", "severity": "critical", "summary": "Countdown timers that reset, extend, or do not reflect real deadlines are deceptive.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "\\d+:\\d+:\\d+\\s*(remaining|left)", "offer\\s+expires?\\s+in", "deal\\s+ends?\\s+in", "hurry.*\\d+\\s*(hours?|minutes?|seconds?)\\s*(left|remaining)" ], "keywords": [ "countdown", "time left", "expires in", "hours remaining", "deal ends" ] }, "remediation": { "guidance": "Remove countdown timers unless they reflect genuine time-limited offers. 
Do not reset timers.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "FTC Act §5", "source_url": "https://www.ftc.gov/business-guidance/news-events/blogs/business-blog", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "general" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } } ]
```

### references/rules-ftc-endorsements.json

```json
[ { "id": "FTC-255-0-purpose", "version": "1.0.0", "framework": "ftc", "title": "Endorsement Guide Purpose", "severity": "info", "summary": "The FTC Endorsement Guides address the application of Section 5 of the FTC Act to endorsements and testimonials in advertising.", "rationale": "", "detection": { "type": "ai-only" }, "remediation": { "guidance": "Understand that endorsement guidelines apply to all advertising mediums including social media.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "16 CFR 255.0", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-B/part-255#255.0", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "endorsement", "structural" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-255-0-scope", "version": "1.0.0", "framework": "ftc", "title": "Endorsement Guide Scope", "severity": "info", "summary": "FTC Endorsement Guides apply to endorsements and testimonials in advertising.", "rationale": "", "detection": { "type": "keyword", "keywords": [ "endorsement", "testimonial", "advertising" ] }, "remediation": { "guidance": "Apply these guidelines to all endorsements in marketing materials.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "255.0", "source_url": 
"https://www.ftc.gov/business-guidance/resources/ftcs-endorsement-guides-what-people-are-asking", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "endorsement" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-255-1-current", "version": "1.0.0", "framework": "ftc", "title": "Current User Requirement", "severity": "warning", "summary": "Endorsers must be bona fide users of the product at time of endorsement.", "rationale": "", "detection": { "type": "keyword", "keywords": [ "current user", "bona fide", "actual user" ] }, "remediation": { "guidance": "Ensure endorsers are current users of the product or service.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "255.1(c)", "source_url": "https://www.ftc.gov/business-guidance/resources/ftcs-endorsement-guides-what-people-are-asking", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "endorsement" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-255-1-honest", "version": "1.0.0", "framework": "ftc", "title": "Endorsements Must Reflect Honest Opinions", "severity": "critical", "summary": "Endorsements must reflect the honest opinions, findings, beliefs, or experience of the endorser.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "testimonial", "endorsement", "customer\\s+(says?|review|story)" ], "keywords": [ "testimonial", "endorsement", "customer review", "user says" ] }, "remediation": { "guidance": "Ensure all endorsements are genuine and reflect actual user experience. 
Do not script or fabricate testimonials.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "16 CFR 255.1(a)", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-B/part-255#255.1", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "endorsement" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-255-1-misleading", "version": "1.0.0", "framework": "ftc", "title": "Endorsements Cannot Be Misleading", "severity": "critical", "summary": "Endorsements may not contain any representations that would be deceptive or could not be substantiated if made directly by the advertiser.", "rationale": "", "detection": { "type": "ai-only" }, "remediation": { "guidance": "Verify that all claims in endorsements can be substantiated. Remove unverifiable statements.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "16 CFR 255.1(b)", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-B/part-255#255.1", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "endorsement", "claims", "structural" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-255-1-substantiation", "version": "1.0.0", "framework": "ftc", "title": "Claim Substantiation", "severity": "critical", "summary": "Claims in endorsements must be substantiated by the advertiser.", "rationale": "", "detection": { "type": "keyword", "keywords": [ "substantiation", "verify", "proof" ] }, "remediation": { "guidance": "Verify all claims made in endorsements are accurate and can be proven.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "255.1(b)", "source_url": 
"https://www.ftc.gov/business-guidance/resources/ftcs-endorsement-guides-what-people-are-asking", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "endorsement", "claims" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-255-1-typical", "version": "1.0.0", "framework": "ftc", "title": "Atypical Results Require Disclosure", "severity": "critical", "summary": "If an endorsement represents results that are not typical, the advertiser must clearly disclose expected results for consumers.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "results\\s+not\\s+typical", "individual\\s+results\\s+(may\\s+)?vary", "your\\s+results\\s+may\\s+differ" ], "keywords": [ "results not typical", "results may vary", "individual results" ] }, "remediation": { "guidance": "Include clear disclosure of typical results when showing exceptional testimonials. Example: \"Results not typical. Most users see [X].\"", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "16 CFR 255.1(c)", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-B/part-255#255.1", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "endorsement", "disclosure" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-255-2-actor", "version": "1.0.0", "framework": "ftc", "title": "Actor Portrayal Requires Disclosure", "severity": "warning", "summary": "If the person appearing in an advertisement is not an actual consumer, this must be clearly disclosed.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "actor\\s+portrayal", "dramatization", "simulation" ], "keywords": [ "actor portrayal", "dramatization", "paid actor" ] }, "remediation": { "guidance": "Clearly disclose \"Actor portrayal\" or \"Dramatization\" when not using 
actual customers.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "16 CFR 255.2(b)", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-B/part-255#255.2", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "disclosure" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-255-2-consumer", "version": "1.0.0", "framework": "ftc", "title": "Consumer Endorser Must Be Actual User", "severity": "critical", "summary": "An advertisement using an endorsement by a consumer must use an actual consumer of the product or service.", "rationale": "", "detection": { "type": "keyword", "keywords": [ "real customer", "actual user", "verified purchase" ] }, "remediation": { "guidance": "Only use endorsements from people who have actually used the product. Actors portraying consumers must be disclosed.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "16 CFR 255.2(a)", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-B/part-255#255.2", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "endorsement" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-255-2-disclosure", "version": "1.0.0", "framework": "ftc", "title": "Consumer Endorsement Disclosure", "severity": "warning", "summary": "Consumer endorsements should clearly disclose what the typical consumer experience is.", "rationale": "", "detection": { "type": "keyword", "keywords": [ "typical", "average", "consumer experience" ] }, "remediation": { "guidance": "Include clear disclosure of typical outcomes alongside testimonials.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "255.2(b)", "source_url": 
"https://www.ftc.gov/business-guidance/resources/ftcs-endorsement-guides-what-people-are-asking", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "endorsement", "disclosure" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-255-2-typical", "version": "1.0.0", "framework": "ftc", "title": "Typical Results Disclosure", "severity": "critical", "summary": "If results are not typical, must clearly disclose expected results or that results may vary.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "\"[^\"]{20,}\"\\s*[-–—]", "lost\\s+\\d+\\s+pounds", "earned\\s+\\$\\d+" ], "keywords": [ "typical results", "results may vary", "individual results" ] }, "remediation": { "guidance": "Add \"Results not typical\" or disclose generally expected results.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "255.2(a)", "source_url": "https://www.ftc.gov/business-guidance/resources/ftcs-endorsement-guides-what-people-are-asking", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "disclosure" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-255-3-expert-evaluation", "version": "1.0.0", "framework": "ftc", "title": "Expert Must Actually Evaluate Product", "severity": "critical", "summary": "Experts must actually exercise their expertise in evaluating the product features relevant to their endorsement.", "rationale": "", "detection": { "type": "ai-only" }, "remediation": { "guidance": "Document that expert endorsers have conducted actual evaluation using their professional expertise.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "16 CFR 255.3(b)", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-B/part-255#255.3", "retrieved_at": 
"2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "endorsement", "structural" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-255-3-expert-qualified", "version": "1.0.0", "framework": "ftc", "title": "Expert Endorsers Must Be Qualified", "severity": "critical", "summary": "An expert endorser must possess the expertise represented by the endorsement and must have actually evaluated the product.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "doctor\\s+(recommended|approved)", "expert\\s+(review|opinion|approved)", "dermatologist\\s+tested", "clinically\\s+(tested|proven)" ], "keywords": [ "doctor recommended", "expert approved", "clinically tested" ] }, "remediation": { "guidance": "Verify expert credentials. Ensure expert has actually examined/tested the product before endorsing.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "16 CFR 255.3(a)", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-B/part-255#255.3", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "endorsement" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-255-3-expert", "version": "1.0.0", "framework": "ftc", "title": "Expert Qualification", "severity": "warning", "summary": "Expert endorsers must have qualifications to give expert opinion on the subject.", "rationale": "", "detection": { "type": "keyword", "keywords": [ "expert", "qualified", "credentials", "specialist" ] }, "remediation": { "guidance": "Verify expert credentials match the subject matter of endorsement.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "255.3", "source_url": "https://www.ftc.gov/business-guidance/resources/ftcs-endorsement-guides-what-people-are-asking", "retrieved_at": 
"2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "general" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-255-4-org", "version": "1.0.0", "framework": "ftc", "title": "Organization Endorsement Standards", "severity": "warning", "summary": "Organization endorsements must represent the collective judgment of the organization, not just individual members.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "(approved|endorsed)\\s+by\\s+[A-Z]", "association\\s+(approved|endorsed)", "seal\\s+of\\s+approval" ], "keywords": [ "approved by", "endorsed by", "seal of approval", "certified by" ] }, "remediation": { "guidance": "Ensure organization endorsements follow proper approval processes and reflect collective judgment.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "16 CFR 255.4", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-B/part-255#255.4", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "endorsement" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-255-5-affiliate", "version": "1.0.0", "framework": "ftc", "title": "Affiliate Link Disclosure", "severity": "critical", "summary": "Affiliate links and commission arrangements must be disclosed when recommending products.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "affiliate\\s+link", "earn\\s+a?\\s*commission", "may\\s+earn\\s+from" ], "keywords": [ "affiliate link", "earn commission", "referral link" ] }, "remediation": { "guidance": "Clearly disclose affiliate relationships. Example: \"This post contains affiliate links. 
I may earn a commission.\"", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "16 CFR 255.5", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-B/part-255#255.5", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "disclosure" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-255-5-clear", "version": "1.0.0", "framework": "ftc", "title": "Clear and Conspicuous Disclosure", "severity": "critical", "summary": "Disclosures must be clear, conspicuous, and hard to miss.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "\\*\\s*disclaimer", "fine\\s*print" ], "keywords": [ "clear", "conspicuous", "prominent", "visible" ] }, "remediation": { "guidance": "Place disclosures prominently, not buried in text. Use clear language like \"#ad\" or \"Paid partnership\".", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "255.5", "source_url": "https://www.ftc.gov/business-guidance/resources/ftcs-endorsement-guides-what-people-are-asking", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "disclosure" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-255-5-connection", "version": "1.0.0", "framework": "ftc", "title": "Material Connection Disclosure", "severity": "critical", "summary": "Material connections between endorsers and advertisers must be clearly disclosed.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "#ad\\b", "#sponsored", "#partner", "paid\\s+partnership" ], "keywords": [ "material connection", "sponsored", "paid", "affiliate" ] }, "remediation": { "guidance": "Disclose any payment, free products, employment, or business relationship.", "examples": [] }, "source": { "source_type": "public_law", 
"policy_status": "allowed", "citation": "255.5", "source_url": "https://www.ftc.gov/business-guidance/resources/ftcs-endorsement-guides-what-people-are-asking", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "disclosure" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-255-5-disclosure-clear", "version": "1.0.0", "framework": "ftc", "title": "Disclosure Must Be Clear and Conspicuous", "severity": "warning", "summary": "Disclosures must be clear, conspicuous, and placed where consumers will notice them before engaging with the endorsement.", "rationale": "", "detection": { "type": "keyword", "keywords": [ "fine print", "small print", "terms and conditions apply", "see details", "restrictions apply", "subject to terms" ] }, "remediation": { "guidance": "Place disclosures at the beginning of content. Use clear language like \"Ad\" or \"Sponsored\". Avoid burying in hashtags.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "16 CFR 255.5", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-B/part-255#255.5", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "endorsement", "disclosure" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-255-5-employee", "version": "1.0.0", "framework": "ftc", "title": "Employee Endorser Disclosure", "severity": "critical", "summary": "Employees who endorse products in their personal capacity must disclose their employment relationship.", "rationale": "", "detection": { "type": "keyword", "keywords": [ "employee", "work for", "employed by" ] }, "remediation": { "guidance": "Require employees posting about company products to clearly disclose their employment.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", 
"citation": "16 CFR 255.5", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-B/part-255#255.5", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "disclosure" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-255-5-free-product", "version": "1.0.0", "framework": "ftc", "title": "Free Product Disclosure", "severity": "critical", "summary": "If an endorser received a free product to review, this must be clearly disclosed.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "(free|gifted|complimentary)\\s+product", "received\\s+(free|for\\s+review)", "pr\\s+sample" ], "keywords": [ "free product", "gifted", "PR sample", "received for review" ] }, "remediation": { "guidance": "Include clear disclosure when products were provided for free. Example: \"Product provided for review.\"", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "16 CFR 255.5", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-B/part-255#255.5", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "disclosure" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-255-5-material-connection", "version": "1.0.0", "framework": "ftc", "title": "Material Connection Disclosure Required", "severity": "critical", "summary": "When there is a material connection between an endorser and seller that would affect the weight of the endorsement, it must be disclosed.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "#?ad\\b", "#?sponsored", "#?partner(ship)?", "paid\\s+(partnership|promotion|ad)", "in\\s+collaboration\\s+with" ], "keywords": [ "#ad", "#sponsored", "paid partnership", "affiliate", "material connection" ] }, "remediation": { "guidance": "Disclose all material connections: 
payments, free products, employment, family relationships, equity stakes.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "16 CFR 255.5", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-B/part-255#255.5", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "endorsement", "disclosure" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-255-5-social", "version": "1.0.0", "framework": "ftc", "title": "Social Media Disclosure", "severity": "critical", "summary": "Social media posts by paid influencers must clearly disclose the material connection.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "@\\w+\\s+(says?|loves?|recommends?)", "influencer", "ambassador" ], "keywords": [ "social media", "influencer", "#ad", "sponsored" ] }, "remediation": { "guidance": "Use #ad or \"Sponsored\" at the beginning of posts, not hidden in hashtags.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "255.5", "source_url": "https://www.ftc.gov/business-guidance/resources/disclosures-101-social-media-influencers", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "disclosure" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-255-6-liability", "version": "1.0.0", "framework": "ftc", "title": "Advertiser Liable for Endorser Claims", "severity": "warning", "summary": "Advertisers are liable for false or unsubstantiated statements made by endorsers, and for failing to disclose material connections.", "rationale": "", "detection": { "type": "ai-only" }, "remediation": { "guidance": "Monitor endorser content. Provide clear guidelines to endorsers. 
Require compliance training.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "16 CFR 255.6", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-B/part-255#255.6", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "disclosure", "claims", "structural" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-255-6-monitoring", "version": "1.0.0", "framework": "ftc", "title": "Advertiser Must Monitor Endorsers", "severity": "warning", "summary": "Advertisers must take steps to monitor endorsers and address non-compliant content.", "rationale": "", "detection": { "type": "ai-only" }, "remediation": { "guidance": "Implement monitoring program for influencer and affiliate content. Address violations promptly.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "16 CFR 255.6", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-B/part-255#255.6", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "general", "structural" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-NATIVE-DISCLOSURE", "version": "1.0.0", "framework": "ftc", "title": "Missing Advertisement Label", "severity": "warning", "summary": "Native ads must include clear and prominent disclosure that identifies them as advertising.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "(paid|promoted|sponsored)\\s+(post|placement)", "#?ad\\b", "#?sponsored", "advertisement" ], "keywords": [ "ad", "advertisement", "sponsored", "promoted", "paid placement" ] }, "remediation": { "guidance": "Add clear \"Ad\" or \"Advertisement\" label in a prominent location using contrasting text.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": 
"allowed", "citation": "FTC Act §5 / Native Advertising Guide", "source_url": "https://www.ftc.gov/business-guidance/resources/native-advertising-guide-businesses", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "disclosure" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-NATIVE-EDITORIAL", "version": "1.0.0", "framework": "ftc", "title": "Sponsored Content Disguised as Editorial", "severity": "critical", "summary": "Paid content that mimics editorial content must be clearly identified as advertising.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "sponsored\\s+(content|post|article)", "partner\\s+content", "presented\\s+by", "brought\\s+to\\s+you\\s+by", "in\\s+partnership\\s+with" ], "keywords": [ "sponsored content", "partner content", "presented by", "brought to you by" ] }, "remediation": { "guidance": "Clearly label sponsored content with \"Advertisement\", \"Sponsored\", or \"Paid Content\" in prominent placement.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "FTC Act §5 / Native Advertising Guide", "source_url": "https://www.ftc.gov/business-guidance/resources/native-advertising-guide-businesses", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "general" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-REVIEW-EMPLOYEE", "version": "1.0.0", "framework": "ftc", "title": "Employee/Insider Reviews Without Disclosure", "severity": "critical", "summary": "Reviews from employees, owners, or business insiders must clearly disclose the material connection.", "rationale": "", "detection": { "type": "keyword", "keywords": [ "employee review", "insider review", "staff review", "owner review" ] }, "remediation": { "guidance": "Require all employee reviewers to prominently disclose 
their employment relationship.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "16 CFR 255.5", "source_url": "https://www.ftc.gov/business-guidance/resources/ftcs-endorsement-guides-what-people-are-asking", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "disclosure" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-REVIEW-FAKE", "version": "1.0.0", "framework": "ftc", "title": "Fake or AI-Generated Reviews", "severity": "critical", "summary": "Using fake, fabricated, or AI-generated reviews to deceive consumers is prohibited. Reviews must reflect genuine consumer experiences.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "as\\s+an\\s+ai", "i\\s+cannot\\s+provide", "(amazing|excellent|fantastic)\\s+product.*(highly|would)\\s+recommend" ], "keywords": [ "verified purchase", "authentic review", "customer feedback" ] }, "remediation": { "guidance": "Remove all fake or AI-generated reviews. 
Only display authentic customer reviews with verified purchases.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "FTC Act §5", "source_url": "https://www.ftc.gov/business-guidance/resources/advertising-faqs", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "general" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-REVIEW-INCENTIVE", "version": "1.0.0", "framework": "ftc", "title": "Incentivized Reviews Without Disclosure", "severity": "critical", "summary": "Offering discounts, free products, or other incentives for reviews without clear disclosure violates FTC guidelines.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "review\\s+for\\s+(discount|free|coupon)", "leave\\s+a?\\s*review.*get\\s+(\\$|percent|%|off|discount)", "(free|discount).*in\\s+exchange\\s+for.*review", "write\\s+a?\\s*review.*receive" ], "keywords": [ "review discount", "review reward", "review incentive", "free for review" ] }, "remediation": { "guidance": "Clearly disclose when reviews are incentivized with labels like \"Incentivized Review\" or \"Received free product for review.\"", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "16 CFR 255.5", "source_url": "https://www.ftc.gov/business-guidance/resources/ftcs-endorsement-guides-what-people-are-asking", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "disclosure" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-REVIEW-MANIPULATE", "version": "1.0.0", "framework": "ftc", "title": "Review Manipulation / Cherry-Picking", "severity": "warning", "summary": "Displaying only positive reviews, hiding negative reviews, or manipulating the order of reviews to mislead consumers is deceptive.", "rationale": "", 
"detection": { "type": "hybrid", "patterns": [ "showing.*positive\\s+reviews\\s+only", "top\\s+reviews.*highest\\s+rated" ], "keywords": [ "filtered reviews", "best reviews", "top rated reviews" ] }, "remediation": { "guidance": "Display reviews objectively. Allow consumers to sort by rating including negative reviews.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "FTC Act §5", "source_url": "https://www.ftc.gov/business-guidance/resources/advertising-faqs", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "general" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-REVIEW-PLATFORM", "version": "1.0.0", "framework": "ftc", "title": "Fake Review Counts or Star Ratings", "severity": "critical", "summary": "Displaying fake or inflated review counts, star ratings, or aggregate scores is deceptive advertising.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "\\d+[,\\d]*\\s*reviews?.*\\d+(\\.\\d)?\\s*stars?", "rated\\s+\\d+(\\.\\d)?\\s*out\\s+of\\s*5" ], "keywords": [ "star rating", "customer reviews", "average rating", "review count" ] }, "remediation": { "guidance": "Ensure all displayed ratings and review counts accurately reflect actual verified customer reviews.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "FTC Act §5", "source_url": "https://www.ftc.gov/business-guidance/resources/advertising-faqs", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "general" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "FTC-REVIEW-SUPPRESS", "version": "1.0.0", "framework": "ftc", "title": "Review Gating / Selective Review Solicitation", "severity": "warning", "summary": "Soliciting reviews only from satisfied customers or filtering out negative 
reviews before they are posted is deceptive.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "how\\s+would\\s+you\\s+rate.*before", "satisfied.*leave.*review", "(5|five)\\s*star.*customers" ], "keywords": [ "review gate", "happy customers only", "satisfied customers", "selective reviews" ] }, "remediation": { "guidance": "Solicit reviews from all customers equally. Do not screen or gate reviews based on expected rating.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "FTC Act §5", "source_url": "https://www.ftc.gov/business-guidance/news-events/news/press-releases", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "general" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } } ]
```

### references/rules-gdpr.json

```json
[ { "id": "GDPR-Art12-response-time", "version": "1.0.0", "framework": "gdpr", "title": "Response to Requests", "severity": "warning", "summary": "Controllers must respond to data subject requests within one month.", "rationale": "", "detection": { "type": "keyword", "keywords": [ "response time", "one month", "30 days" ] }, "remediation": { "guidance": "Implement process to handle and respond to data subject requests within 30 days.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed_with_attribution", "citation": "Art.12(3)", "source_url": "https://gdpr.eu/article-12-how-controllers-should-provide-personal-data-transparently/", "retrieved_at": "2026-02-09", "attribution_required": true }, "metadata": { "tags": [ "general", "structural" ], "jurisdiction": [ "EU" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "GDPR-Art12-transparent", "version": "1.0.0", "framework": "gdpr", "title": "Transparent Information", "severity": "warning", "summary": "Information about data processing must be provided in a concise, 
transparent, intelligible form using clear and plain language.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "privacy\\s+(policy|notice|statement)", "how\\s+we\\s+(use|collect|process)\\s+(your\\s+)?data" ], "keywords": [ "privacy policy", "privacy notice", "data processing notice", "privacy statement" ] }, "remediation": { "guidance": "Use clear, simple language in privacy notices. Avoid legal jargon.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed_with_attribution", "citation": "Art.12(1)", "source_url": "https://gdpr.eu/article-12-how-controllers-should-provide-personal-data-transparently/", "retrieved_at": "2026-02-09", "attribution_required": true }, "metadata": { "tags": [ "general" ], "jurisdiction": [ "EU" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "GDPR-Art13-complaint-right", "version": "1.0.0", "framework": "gdpr", "title": "Right to Lodge Complaint", "severity": "warning", "summary": "Must inform data subjects of their right to lodge a complaint with a supervisory authority.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "supervisory\\s+authority", "data\\s+protection\\s+authority", "lodge\\s+a\\s+complaint", "file\\s+a\\s+complaint.*DPA" ], "keywords": [ "supervisory authority", "data protection authority", "lodge a complaint", "DPA", "ICO", "CNIL" ] }, "remediation": { "guidance": "Inform data subjects of their right to complain to a supervisory authority and provide contact details.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed_with_attribution", "citation": "Art.13(2)(d)", "source_url": "https://gdpr.eu/article-13-personal-data-collected/", "retrieved_at": "2026-02-09", "attribution_required": true }, "metadata": { "tags": [ "disclosure", "data-rights" ], "jurisdiction": [ "EU" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "GDPR-Art13-identity", 
"version": "1.0.0", "framework": "gdpr", "title": "Controller Identity Disclosure", "severity": "critical", "summary": "At data collection, must disclose identity and contact details of the controller.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "data\\s+controller", "controller\\s+is", "data\\s+protection\\s+officer" ], "keywords": [ "data controller", "data protection officer", "DPO", "controller identity" ] }, "remediation": { "guidance": "Include company name, address, and contact information in privacy notice.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed_with_attribution", "citation": "Art.13(1)(a)", "source_url": "https://gdpr.eu/article-13-personal-data-collected/", "retrieved_at": "2026-02-09", "attribution_required": true }, "metadata": { "tags": [ "disclosure" ], "jurisdiction": [ "EU" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "GDPR-Art13-legitimate-interest", "version": "1.0.0", "framework": "gdpr", "title": "Legitimate Interest Disclosure", "severity": "warning", "summary": "When processing is based on legitimate interests, the specific interests must be identified and disclosed.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "legitimate\\s+interest(s)?\\s+(pursued|of|include|such as)", "our\\s+legitimate\\s+interest\\s+is" ], "keywords": [ "legitimate interest", "legitimate interests pursued", "business interest", "legitimate basis" ] }, "remediation": { "guidance": "When relying on legitimate interests as a legal basis, specify the actual interests pursued. 
Generic statements like 'our legitimate interests' are insufficient.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed_with_attribution", "citation": "Art.13(1)(d)", "source_url": "https://gdpr.eu/article-13-personal-data-collected/", "retrieved_at": "2026-02-09", "attribution_required": true }, "metadata": { "tags": [ "disclosure" ], "jurisdiction": [ "EU" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "GDPR-Art13-purposes", "version": "1.0.0", "framework": "gdpr", "title": "Purpose and Legal Basis Disclosure", "severity": "critical", "summary": "Must disclose purposes and legal basis for processing at collection.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "process(ing|ed)?\\s+(your|personal)\\s+data\\s+(for|to)", "legal\\s+basis\\s+for\\s+process", "purpose\\s+of\\s+(the\\s+)?process" ], "keywords": [ "purpose of processing", "legal basis for processing", "we process your data", "data processing purposes" ] }, "remediation": { "guidance": "Clearly state why data is being collected and the legal basis.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed_with_attribution", "citation": "Art.13(1)(c)", "source_url": "https://gdpr.eu/article-13-personal-data-collected/", "retrieved_at": "2026-02-09", "attribution_required": true }, "metadata": { "tags": [ "disclosure" ], "jurisdiction": [ "EU" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "GDPR-Art13-recipients", "version": "1.0.0", "framework": "gdpr", "title": "Recipients Disclosure", "severity": "warning", "summary": "Must disclose the recipients or categories of recipients of personal data at the time of collection.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "share.*with\\s+(third|our)", "disclose.*to\\s+(third|partner)", "third[\\s-]?part(y|ies).*receiv", "data\\s+processor" ], "keywords": [ "recipients", "third party 
sharing", "data processor", "sub-processor", "who we share with", "service providers" ] }, "remediation": { "guidance": "Disclose all recipients or categories of recipients who will receive personal data.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed_with_attribution", "citation": "Art.13(1)(e)", "source_url": "https://gdpr.eu/article-13-personal-data-collected/", "retrieved_at": "2026-02-09", "attribution_required": true }, "metadata": { "tags": [ "disclosure" ], "jurisdiction": [ "EU" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "GDPR-Art13-retention", "version": "1.0.0", "framework": "gdpr", "title": "Retention Period Disclosure", "severity": "warning", "summary": "Must disclose how long personal data will be stored or criteria for determining retention.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "retain(ed)?\\s+(your|personal)\\s+data\\s+(for|until)", "retention\\s+period", "data\\s+(will\\s+be\\s+)?(stored|kept|retained)\\s+(for|until)" ], "keywords": [ "retention period", "data retention", "how long we keep", "stored for" ] }, "remediation": { "guidance": "Include data retention periods in privacy policy.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed_with_attribution", "citation": "Art.13(2)(a)", "source_url": "https://gdpr.eu/article-13-personal-data-collected/", "retrieved_at": "2026-02-09", "attribution_required": true }, "metadata": { "tags": [ "disclosure" ], "jurisdiction": [ "EU" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "GDPR-Art14-indirect-collection", "version": "1.0.0", "framework": "gdpr", "title": "Indirect Data Collection Disclosure", "severity": "warning", "summary": "When personal data is not obtained directly from the data subject, must disclose the source and categories of data within a reasonable period.", "rationale": "", "detection": { "type": 
"hybrid", "patterns": [ "obtained\\s+from\\s+third\\s+part", "data\\s+source", "publicly\\s+available\\s+source", "received\\s+from" ], "keywords": [ "source of data", "third party data", "data broker", "publicly available", "indirect collection" ] }, "remediation": { "guidance": "Disclose the source of personal data when it was not collected directly from the data subject, including the categories of data obtained.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed_with_attribution", "citation": "Art.14", "source_url": "https://gdpr.eu/article-14-personal-data-not-obtained-from-data-subject/", "retrieved_at": "2026-02-09", "attribution_required": true }, "metadata": { "tags": [ "disclosure" ], "jurisdiction": [ "EU" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "GDPR-Art15-access", "version": "1.0.0", "framework": "gdpr", "title": "Right of Access", "severity": "warning", "summary": "Data subjects have the right to obtain confirmation and access to their personal data.", "rationale": "", "detection": { "type": "keyword", "keywords": [ "access", "obtain", "copy" ] }, "remediation": { "guidance": "Inform users of their access rights and provide mechanism to request data.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed_with_attribution", "citation": "Art.15(1)", "source_url": "https://gdpr.eu/article-15-right-of-access/", "retrieved_at": "2026-02-09", "attribution_required": true }, "metadata": { "tags": [ "data-rights", "structural" ], "jurisdiction": [ "EU" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "GDPR-Art17-erasure", "version": "1.0.0", "framework": "gdpr", "title": "Right to Erasure", "severity": "warning", "summary": "Data subjects have the right to have their personal data erased in certain circumstances.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "delete.*account", 
"remove.*data", "erasure" ], "keywords": [ "erasure", "delete", "right to be forgotten" ] }, "remediation": { "guidance": "Inform users of their erasure rights and provide deletion request mechanism.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed_with_attribution", "citation": "Art.17(1)", "source_url": "https://gdpr.eu/article-17-right-to-be-forgotten/", "retrieved_at": "2026-02-09", "attribution_required": true }, "metadata": { "tags": [ "data-rights" ], "jurisdiction": [ "EU" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "GDPR-Art20-portability", "version": "1.0.0", "framework": "gdpr", "title": "Right to Data Portability", "severity": "info", "summary": "Data subjects have the right to receive their data in a machine-readable format.", "rationale": "", "detection": { "type": "keyword", "keywords": [ "portability", "export", "download", "machine-readable" ] }, "remediation": { "guidance": "Provide data export functionality in common formats (JSON, CSV).", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed_with_attribution", "citation": "Art.20(1)", "source_url": "https://gdpr.eu/article-20-right-to-data-portability/", "retrieved_at": "2026-02-09", "attribution_required": true }, "metadata": { "tags": [ "data-rights" ], "jurisdiction": [ "EU" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "GDPR-Art21-marketing", "version": "1.0.0", "framework": "gdpr", "title": "Right to Object to Marketing", "severity": "critical", "summary": "Data subjects have an absolute right to object to direct marketing at any time.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "unsubscribe", "marketing\\s+preferences", "email\\s+preferences" ], "keywords": [ "marketing", "unsubscribe", "opt-out", "preferences" ] }, "remediation": { "guidance": "Provide easy opt-out from all marketing communications.", "examples": [] 
}, "source": { "source_type": "public_law", "policy_status": "allowed_with_attribution", "citation": "Art.21(2)", "source_url": "https://gdpr.eu/article-21-right-to-object/", "retrieved_at": "2026-02-09", "attribution_required": true }, "metadata": { "tags": [ "data-rights" ], "jurisdiction": [ "EU" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "GDPR-Art21-object", "version": "1.0.0", "framework": "gdpr", "title": "Right to Object", "severity": "warning", "summary": "Data subjects have the right to object to processing based on legitimate interests.", "rationale": "", "detection": { "type": "keyword", "keywords": [ "object", "opt-out", "stop processing" ] }, "remediation": { "guidance": "Inform users of their right to object and provide mechanism to do so.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed_with_attribution", "citation": "Art.21(1)", "source_url": "https://gdpr.eu/article-21-right-to-object/", "retrieved_at": "2026-02-09", "attribution_required": true }, "metadata": { "tags": [ "data-rights" ], "jurisdiction": [ "EU" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "GDPR-Art22-automated-decisions", "version": "1.0.0", "framework": "gdpr", "title": "Automated Decision-Making Disclosure", "severity": "critical", "summary": "Data subjects have the right not to be subject to decisions based solely on automated processing, including profiling. 
Must disclose existence of automated decision-making and meaningful information about the logic.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "automated\\s+decision", "profiling", "algorithm(ic)?\\s+(decision|processing)", "AI[\\s-]?(based|driven|powered)\\s+decision", "machine\\s+learning.*decision", "automat(ed|ic)\\s+(assessment|scoring|rejection)" ], "keywords": [ "automated decision-making", "profiling", "algorithmic decision", "automated processing", "credit scoring", "automated assessment" ] }, "remediation": { "guidance": "Disclose existence of automated decision-making, meaningful information about the logic involved, and the significance and envisaged consequences.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed_with_attribution", "citation": "Art.22", "source_url": "https://gdpr.eu/article-22-automated-individual-decision-making/", "retrieved_at": "2026-02-09", "attribution_required": true }, "metadata": { "tags": [ "disclosure", "data-rights" ], "jurisdiction": [ "EU" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "GDPR-Art5-lawful", "version": "1.0.0", "framework": "gdpr", "title": "Lawful, Fair, and Transparent Processing", "severity": "critical", "summary": "Personal data must be processed lawfully, fairly and in a transparent manner.", "rationale": "", "detection": { "type": "keyword", "keywords": [ "lawful", "fair", "transparent" ] }, "remediation": { "guidance": "Ensure clear legal basis for processing and transparent communication.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed_with_attribution", "citation": "Art.5(1)(a)", "source_url": "https://gdpr.eu/article-5-how-to-process-personal-data/", "retrieved_at": "2026-02-09", "attribution_required": true }, "metadata": { "tags": [ "general", "structural" ], "jurisdiction": [ "EU" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { 
"id": "GDPR-Art5-purpose", "version": "1.0.0", "framework": "gdpr", "title": "Purpose Limitation", "severity": "warning", "summary": "Personal data must be collected for specified, explicit and legitimate purposes.", "rationale": "", "detection": { "type": "keyword", "keywords": [ "purpose", "specified", "legitimate" ] }, "remediation": { "guidance": "Clearly state purposes at collection and do not process for incompatible purposes.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed_with_attribution", "citation": "Art.5(1)(b)", "source_url": "https://gdpr.eu/article-5-how-to-process-personal-data/", "retrieved_at": "2026-02-09", "attribution_required": true }, "metadata": { "tags": [ "general", "structural" ], "jurisdiction": [ "EU" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "GDPR-Art6-legal-basis", "version": "1.0.0", "framework": "gdpr", "title": "Legal Basis Required", "severity": "critical", "summary": "Processing must have a valid legal basis: consent, contract, legal obligation, vital interests, public task, or legitimate interests.", "rationale": "", "detection": { "type": "keyword", "keywords": [ "legal basis", "consent", "legitimate interest", "contract" ] }, "remediation": { "guidance": "Document and disclose the legal basis for each processing activity.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed_with_attribution", "citation": "Art.6(1)", "source_url": "https://gdpr.eu/article-6-how-to-process-personal-data-legally/", "retrieved_at": "2026-02-09", "attribution_required": true }, "metadata": { "tags": [ "consent", "structural" ], "jurisdiction": [ "EU" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "GDPR-Art7-consent-conditions", "version": "1.0.0", "framework": "gdpr", "title": "Consent Conditions", "severity": "critical", "summary": "Where consent is the legal basis, controller must 
demonstrate the data subject consented.", "rationale": "", "detection": { "type": "keyword", "keywords": [ "consent", "demonstrate", "records" ] }, "remediation": { "guidance": "Keep records of consent including when, how, and what was consented to.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed_with_attribution", "citation": "Art.7(1)", "source_url": "https://gdpr.eu/article-7-how-to-get-consent-to-collect-personal-data/", "retrieved_at": "2026-02-09", "attribution_required": true }, "metadata": { "tags": [ "consent", "structural" ], "jurisdiction": [ "EU" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "GDPR-Art7-cookie-consent", "version": "1.0.0", "framework": "gdpr", "title": "Cookie Consent Banner", "severity": "critical", "summary": "Non-essential cookies require explicit consent before being set.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "document\\.cookie", "localStorage", "tracking" ], "keywords": [ "cookie", "consent", "banner", "tracking" ] }, "remediation": { "guidance": "Implement cookie consent banner that blocks non-essential cookies until consent.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed_with_attribution", "citation": "Art.7", "source_url": "https://gdpr.eu/cookies/", "retrieved_at": "2026-02-09", "attribution_required": true }, "metadata": { "tags": [ "consent", "cookies" ], "jurisdiction": [ "EU" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "GDPR-Art7-unbundled-consent", "version": "1.0.0", "framework": "gdpr", "title": "Unbundled Consent", "severity": "warning", "summary": "Consent requests must be clearly distinguishable from other matters. 
Consent cannot be bundled into terms of service or pre-ticked.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "by\\s+(using|continuing|accessing)\\s+(this|our)\\s+(site|website|service)\\s+you\\s+(agree|consent)", "pre[\\s-]?ticked", "pre[\\s-]?checked", "by\\s+signing\\s+up\\s+you\\s+agree.*and.*market" ], "keywords": [ "bundled consent", "pre-ticked", "by using this site you agree", "by continuing you consent" ] }, "remediation": { "guidance": "Present consent requests separately from terms of service. Do not use pre-ticked boxes. Consent must be a clear affirmative action.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed_with_attribution", "citation": "Art.7(2)", "source_url": "https://gdpr.eu/article-7-how-to-get-consent-to-collect-personal-data/", "retrieved_at": "2026-02-09", "attribution_required": true }, "metadata": { "tags": [ "consent" ], "jurisdiction": [ "EU" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "GDPR-Art7-withdraw", "version": "1.0.0", "framework": "gdpr", "title": "Right to Withdraw Consent", "severity": "critical", "summary": "Data subjects must be able to withdraw consent as easily as they gave it.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "unsubscribe", "opt[\\s-]?out", "withdraw\\s+consent" ], "keywords": [ "withdraw", "unsubscribe", "opt-out" ] }, "remediation": { "guidance": "Provide clear and easy mechanism to withdraw consent at any time.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed_with_attribution", "citation": "Art.7(3)", "source_url": "https://gdpr.eu/article-7-how-to-get-consent-to-collect-personal-data/", "retrieved_at": "2026-02-09", "attribution_required": true }, "metadata": { "tags": [ "consent", "data-rights" ], "jurisdiction": [ "EU" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "GDPR-Art8-children-consent", "version": 
"1.0.0", "framework": "gdpr", "title": "Children's Data Consent", "severity": "critical", "summary": "Processing personal data of children under 16 requires parental consent. Information society services directed at children must verify age and obtain parental authorization.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "parental\\s+consent", "age\\s+verif", "under\\s+(13|14|15|16)\\s+(years?)?", "child(ren)?.*consent" ], "keywords": [ "parental consent", "children's data", "age verification", "minors", "child protection" ] }, "remediation": { "guidance": "Implement age verification mechanisms and obtain verifiable parental consent for children under 16.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed_with_attribution", "citation": "Art.8", "source_url": "https://gdpr.eu/article-8-conditions-for-consent-of-children/", "retrieved_at": "2026-02-09", "attribution_required": true }, "metadata": { "tags": [ "consent" ], "jurisdiction": [ "EU" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "GDPR-Art9-special-categories", "version": "1.0.0", "framework": "gdpr", "title": "Special Categories of Data", "severity": "critical", "summary": "Processing of special category data (health, biometric, genetic, racial/ethnic origin, political opinions, religious beliefs, sexual orientation) requires explicit consent.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "(health|medical|biometric|genetic)\\s+(data|information)", "(racial|ethnic)\\s+origin", "political\\s+opinion", "religious\\s+belief", "sexual\\s+orientation", "trade\\s+union\\s+membership" ], "keywords": [ "special category data", "sensitive personal data", "health data", "biometric data", "genetic data", "explicit consent" ] }, "remediation": { "guidance": "Obtain explicit consent before processing special category data. 
Clearly disclose what special categories are processed and why.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed_with_attribution", "citation": "Art.9", "source_url": "https://gdpr.eu/article-9-processing-special-categories-of-personal-data-prohibited/", "retrieved_at": "2026-02-09", "attribution_required": true }, "metadata": { "tags": [ "consent", "disclosure" ], "jurisdiction": [ "EU" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "GDPR-transfer", "version": "1.0.0", "framework": "gdpr", "title": "International Data Transfer Disclosure", "severity": "warning", "summary": "Must disclose intention to transfer data to third countries and safeguards in place.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "transfer(red|ring)?\\s+(to|outside)\\s+(a\\s+)?third\\s+countr", "transfer.*outside\\s+(the\\s+)?(EU|EEA|European)" ], "keywords": [ "international transfer", "transfer outside", "third country", "adequacy decision", "standard contractual clauses" ] }, "remediation": { "guidance": "Disclose international transfers in privacy policy with legal mechanisms used.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed_with_attribution", "citation": "Art.13(1)(f)", "source_url": "https://gdpr.eu/international-data-transfer-rules/", "retrieved_at": "2026-02-09", "attribution_required": true }, "metadata": { "tags": [ "disclosure", "data-transfer" ], "jurisdiction": [ "EU" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } } ]
```

### references/rules-hipaa.json

```json
[ { "id": "HIPAA-312-access-control", "version": "1.0.0", "framework": "hipaa", "title": "Access Control Requirements", "severity": "critical", "summary": "Technical policies must limit access to ePHI to authorized persons.", "rationale": "", "detection": { "type": "keyword", "keywords": [ "access control", "authentication", "user ID" ] }, "remediation":
{ "guidance": "Implement unique user IDs, automatic logoff, and encryption.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "164.312(a)(1)", "source_url": "https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "health-data", "structural" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "HIPAA-312-audit", "version": "1.0.0", "framework": "hipaa", "title": "Audit Controls", "severity": "warning", "summary": "Hardware, software, and procedures must record and examine access to ePHI.", "rationale": "", "detection": { "type": "keyword", "keywords": [ "audit", "logging", "access records" ] }, "remediation": { "guidance": "Implement audit logging for all ePHI access and review logs regularly.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "164.312(b)", "source_url": "https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "health-data", "structural" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "HIPAA-312-encryption", "version": "1.0.0", "framework": "hipaa", "title": "ePHI Encryption", "severity": "critical", "summary": "Electronic PHI must be encrypted when transmitted over networks.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "http://" ], "keywords": [ "encryption", "HTTPS", "TLS", "secure transmission" ] }, "remediation": { "guidance": "Use TLS/HTTPS for all ePHI transmission. 
Encrypt data at rest.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "164.312(a)(2)(iv)", "source_url": "https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "health-data" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "HIPAA-502-marketing", "version": "1.0.0", "framework": "hipaa", "title": "Marketing Use Restrictions", "severity": "critical", "summary": "PHI may not be used for marketing purposes without explicit authorization.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "health\\s+(information|data|records?).*marketing", "patient\\s+(information|data).*promot" ], "keywords": [ "marketing", "PHI", "promotion", "advertising" ] }, "remediation": { "guidance": "Obtain written authorization before using PHI for any marketing activities.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "164.502(a)", "source_url": "https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/index.html", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "health-data" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "HIPAA-502-minimum", "version": "1.0.0", "framework": "hipaa", "title": "Minimum Necessary Standard", "severity": "critical", "summary": "Covered entities must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose.", "rationale": "", "detection": { "type": "keyword", "keywords": [ "minimum necessary", "PHI", "limit disclosure" ] }, "remediation": { "guidance": "Implement policies to limit PHI access and disclosure to minimum necessary.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": 
"164.502(b)", "source_url": "https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/index.html", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "health-data", "structural" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "HIPAA-502-permitted", "version": "1.0.0", "framework": "hipaa", "title": "Permitted Uses and Disclosures", "severity": "warning", "summary": "PHI may only be used or disclosed as permitted or required by the Privacy Rule.", "rationale": "", "detection": { "type": "keyword", "keywords": [ "permitted", "disclosure", "treatment", "payment", "operations" ] }, "remediation": { "guidance": "Ensure all PHI uses and disclosures fall within permitted categories.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "164.502(a)", "source_url": "https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/index.html", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "disclosure", "privacy", "health-data", "structural" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "HIPAA-508-elements", "version": "1.0.0", "framework": "hipaa", "title": "Authorization Form Elements", "severity": "warning", "summary": "Authorization forms must contain specific required elements including description of PHI, purpose, and expiration.", "rationale": "", "detection": { "type": "keyword", "keywords": [ "authorization form", "elements", "expiration", "revoke" ] }, "remediation": { "guidance": "Include all required elements: PHI description, purpose, expiration, right to revoke.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "164.508(c)", "source_url": "https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/index.html", "retrieved_at": "2026-02-09", 
"attribution_required": false }, "metadata": { "tags": [ "health-data", "structural" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "HIPAA-508-required", "version": "1.0.0", "framework": "hipaa", "title": "Authorization Required for Marketing", "severity": "critical", "summary": "Written authorization is required before using PHI for marketing communications.", "rationale": "", "detection": { "type": "keyword", "keywords": [ "authorization", "written consent", "marketing" ] }, "remediation": { "guidance": "Implement authorization forms that meet HIPAA requirements for marketing.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "164.508(a)(3)", "source_url": "https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/index.html", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "health-data", "structural" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "HIPAA-520-content", "version": "1.0.0", "framework": "hipaa", "title": "Privacy Notice Content Requirements", "severity": "warning", "summary": "Notice must describe uses/disclosures, individual rights, and entity duties.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "uses?\\s+and\\s+disclosures?\\s+of\\s+(your\\s+)?(protected\\s+)?health\\s+information", "your\\s+rights.*health\\s+information", "PHI" ], "keywords": [ "uses and disclosures", "protected health information", "your health information rights", "PHI" ] }, "remediation": { "guidance": "Include all required content: uses, disclosures, rights, complaints process.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "164.520(b)", "source_url": "https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/index.html", "retrieved_at": "2026-02-09", "attribution_required": 
false }, "metadata": { "tags": [ "disclosure", "privacy" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "HIPAA-520-notice", "version": "1.0.0", "framework": "hipaa", "title": "Notice of Privacy Practices Required", "severity": "critical", "summary": "Covered entities must provide a Notice of Privacy Practices describing how PHI may be used.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "privacy\\s+notice", "notice\\s+of\\s+privacy\\s+practices", "NPP" ], "keywords": [ "notice of privacy practices", "NPP", "privacy notice" ] }, "remediation": { "guidance": "Display Notice of Privacy Practices prominently and provide copy to patients.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "164.520(a)", "source_url": "https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/index.html", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "privacy", "health-data" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "HIPAA-520-website", "version": "1.0.0", "framework": "hipaa", "title": "Website Privacy Notice", "severity": "warning", "summary": "Entities with websites must post Notice of Privacy Practices prominently online.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "notice\\s+of\\s+privacy\\s+practices", "privacy\\s+practices.*website", "HIPAA\\s+privacy" ], "keywords": [ "notice of privacy practices", "HIPAA privacy notice", "privacy practices online" ] }, "remediation": { "guidance": "Post full Notice of Privacy Practices on website and link from all PHI collection pages.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "164.520(c)", "source_url": "https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/index.html", "retrieved_at": "2026-02-09", 
"attribution_required": false }, "metadata": { "tags": [ "privacy" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "HIPAA-524-access", "version": "1.0.0", "framework": "hipaa", "title": "Individual Access Rights", "severity": "warning", "summary": "Individuals have the right to access and obtain copies of their PHI.", "rationale": "", "detection": { "type": "keyword", "keywords": [ "access", "copy", "records request" ] }, "remediation": { "guidance": "Implement process to handle access requests within 30 days.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "164.524(a)", "source_url": "https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/index.html", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "health-data" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "HIPAA-524-electronic", "version": "1.0.0", "framework": "hipaa", "title": "Electronic Access", "severity": "info", "summary": "If PHI is maintained electronically, individuals may request electronic copies.", "rationale": "", "detection": { "type": "keyword", "keywords": [ "electronic", "digital copy", "format" ] }, "remediation": { "guidance": "Provide electronic copies in requested format if readily producible.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "164.524(c)", "source_url": "https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/index.html", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "health-data" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "HIPAA-530-sanctions", "version": "1.0.0", "framework": "hipaa", "title": "Sanctions Policy", "severity": "info", "summary": "Covered entities must have sanctions 
against workforce members who violate privacy policies.", "rationale": "", "detection": { "type": "keyword", "keywords": [ "sanctions", "violations", "discipline" ] }, "remediation": { "guidance": "Document and enforce sanctions policy for privacy violations.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "164.530(e)", "source_url": "https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/index.html", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "privacy", "structural" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "HIPAA-530-training", "version": "1.0.0", "framework": "hipaa", "title": "Workforce Training", "severity": "warning", "summary": "Covered entities must train workforce members on privacy policies and procedures.", "rationale": "", "detection": { "type": "keyword", "keywords": [ "training", "workforce", "education" ] }, "remediation": { "guidance": "Implement regular HIPAA training and document completion.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "164.530(b)", "source_url": "https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/index.html", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "privacy", "structural" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "HIPAA-web-forms", "version": "1.0.0", "framework": "hipaa", "title": "Secure PHI Collection Forms", "severity": "critical", "summary": "Web forms collecting PHI must use secure transmission and link to privacy notice.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "type=[\"']?(text|email)[\"']?.*name=[\"']?(ssn|social|medical|health|diagnosis)", "<form[^>]*(?!https)" ], "keywords": [ "form", "PHI collection", "secure", "HTTPS" ] }, "remediation": { 
"guidance": "Use HTTPS for all forms. Link to Notice of Privacy Practices near PHI fields.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "164.312", "source_url": "https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/index.html", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "privacy", "health-data" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "HIPAA-web-tracking", "version": "1.0.0", "framework": "hipaa", "title": "Tracking Technology on Health Pages", "severity": "critical", "summary": "Third-party tracking pixels on pages with PHI may constitute unauthorized disclosure.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "facebook.*pixel", "google.*analytics", "tracking.*health" ], "keywords": [ "tracking", "pixel", "analytics", "third-party" ] }, "remediation": { "guidance": "Remove or limit third-party trackers on pages collecting or displaying health information.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "164.502", "source_url": "https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/index.html", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "disclosure", "health-data" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } } ]
```

### references/rules-sec-482.json

```json
[ { "id": "SEC-482-a-general", "version": "1.0.0", "framework": "sec-482", "title": "General Advertisement Requirements", "severity": "warning", "summary": "Advertisements for investment companies must comply with SEC Rule 482 requirements, including required disclosures and prohibitions on misleading content.", "rationale": "", "detection": { "type": "keyword", "patterns": [], "keywords": [ "advertisement", "investment company", "fund advertising" ] },
"remediation": { "guidance": "Ensure all fund advertisements contain required disclosures and are not misleading.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "17 CFR 230.482(a)", "source_url": "https://www.ecfr.gov/current/title-17/chapter-II/part-230/section-230.482", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "structural" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "SEC-482-a-prospectus", "version": "1.0.0", "framework": "sec-482", "title": "Prospectus Availability Statement", "severity": "critical", "summary": "Investment company advertisements must include a statement directing investors to carefully consider objectives, risks, charges, and expenses in the prospectus.", "rationale": "", "detection": { "type": "keyword", "patterns": [], "keywords": [ "prospectus", "consider carefully", "objectives", "risks", "charges", "expenses" ] }, "remediation": { "guidance": "Include: \"Consider the investment objectives, risks, charges, and expenses carefully before investing. The prospectus contains this and other information. 
Read it carefully.\"", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "17 CFR 230.482(a)", "source_url": "https://www.ecfr.gov/current/title-17/chapter-II/part-230/section-230.482", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "disclosure" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "SEC-482-b-current-quarter", "version": "1.0.0", "framework": "sec-482", "title": "Most Recent Calendar Quarter", "severity": "critical", "summary": "Performance data in investment company advertisements must be updated to the most recent calendar quarter-end and include an 'as of' date.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "as\\s+of\\s+(Q[1-4]|[A-Za-z]+\\s+\\d{1,2},?\\s+\\d{4})", "(January|February|March|April|May|June|July|August|September|October|November|December)\\s+\\d{1,2},?\\s+\\d{4}" ], "keywords": [ "as of", "quarter-end", "current performance" ] }, "remediation": { "guidance": "Update performance data quarterly. 
Include \"as of\" date for all performance figures.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "17 CFR 230.482(b)(2)", "source_url": "https://www.ecfr.gov/current/title-17/chapter-II/part-230/section-230.482", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "performance" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "SEC-482-b-gross-net", "version": "1.0.0", "framework": "sec-482", "title": "Gross vs Net Performance", "severity": "warning", "summary": "When showing gross performance, investment company advertisements must also show net-of-fee performance to avoid misleading investors.", "rationale": "", "detection": { "type": "keyword", "patterns": [], "keywords": [ "gross", "net", "after fees", "before fees" ] }, "remediation": { "guidance": "Show net-of-fee performance alongside any gross performance figures.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "17 CFR 230.482(b)(3)", "source_url": "https://www.ecfr.gov/current/title-17/chapter-II/part-230/section-230.482", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "performance", "disclosure" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "SEC-482-b-periods", "version": "1.0.0", "framework": "sec-482", "title": "Required Performance Periods", "severity": "critical", "summary": "Investment company advertisements showing performance must include 1-year, 5-year, and 10-year (or since inception if shorter) average annual total returns.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "1[\\s-]?year", "5[\\s-]?year", "10[\\s-]?year", "since\\s+inception" ], "keywords": [ "1-year", "5-year", "10-year", "since inception" ] }, "remediation": { "guidance": "Include 1-year, 5-year, and 
10-year (or since inception) average annual total returns.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "17 CFR 230.482(b)(1)", "source_url": "https://www.ecfr.gov/current/title-17/chapter-II/part-230/section-230.482", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "performance" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "SEC-482-b-standardized", "version": "1.0.0", "framework": "sec-482", "title": "Standardized Performance Required", "severity": "critical", "summary": "All performance data in investment company advertisements must use SEC-standardized total return calculations.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "\\d+(\\.\\d+)?%\\s*(return|performance|gain)", "returned\\s+\\d+(\\.\\d+)?%" ], "keywords": [ "performance", "return", "standardized" ] }, "remediation": { "guidance": "Use SEC-standardized total return calculations for all performance data.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "17 CFR 230.482(b)", "source_url": "https://www.ecfr.gov/current/title-17/chapter-II/part-230/section-230.482", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "performance" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "SEC-482-c-expense-ratio", "version": "1.0.0", "framework": "sec-482", "title": "Expense Ratio Disclosure", "severity": "critical", "summary": "Investment company advertisements must disclose the total annual fund operating expense ratio from the most recent prospectus.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "expense\\s+ratio", "operating\\s+expenses?", "\\d+(\\.\\d+)?%\\s+expense" ], "keywords": [ "expense ratio", "operating expenses", "management fee" ] }, "remediation": { 
"guidance": "Include total annual fund operating expense ratio from the most recent prospectus.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "17 CFR 230.482(c)", "source_url": "https://www.ecfr.gov/current/title-17/chapter-II/part-230/section-230.482", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "disclosure", "fees" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "SEC-482-c-sales-loads", "version": "1.0.0", "framework": "sec-482", "title": "Sales Load Disclosure", "severity": "critical", "summary": "Investment company advertisements must disclose maximum sales charges (loads), including both front-end and back-end loads, or clearly state if the fund is no-load.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "sales\\s+(charge|load)", "front[\\s-]?end\\s+load", "back[\\s-]?end\\s+load", "no[\\s-]?load" ], "keywords": [ "sales load", "sales charge", "no-load", "load fund" ] }, "remediation": { "guidance": "Disclose maximum front-end and back-end sales loads, or clearly state \"no-load\" if applicable.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "17 CFR 230.482(c)(2)", "source_url": "https://www.ecfr.gov/current/title-17/chapter-II/part-230/section-230.482", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "disclosure", "fees" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "SEC-482-d-tax", "version": "1.0.0", "framework": "sec-482", "title": "Tax Impact Disclosure", "severity": "warning", "summary": "Investment company advertisements showing performance must disclose whether figures are pre-tax or after-tax and explain relevant tax implications.", "rationale": "", "detection": { "type": "keyword", "patterns": [], "keywords": [ 
"tax", "after-tax", "pre-tax", "tax consequences" ] }, "remediation": { "guidance": "Disclose whether performance figures are pre-tax or after-tax, and explain tax implications.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "17 CFR 230.482(d)", "source_url": "https://www.ecfr.gov/current/title-17/chapter-II/part-230/section-230.482", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "disclosure" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "SEC-482-e-no-fdic", "version": "1.0.0", "framework": "sec-482", "title": "Not FDIC Insured Statement", "severity": "critical", "summary": "Investment company advertisements must clearly state that the fund is not FDIC insured, has no bank guarantee, and may lose value.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "not\\s+FDIC\\s+insured", "no\\s+bank\\s+guarantee", "may\\s+lose\\s+value" ], "keywords": [ "FDIC", "not insured", "bank guarantee", "may lose value" ] }, "remediation": { "guidance": "Include: \"Not FDIC Insured • No Bank Guarantee • May Lose Value\"", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "17 CFR 230.482(e)(2)", "source_url": "https://www.ecfr.gov/current/title-17/chapter-II/part-230/section-230.482", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "disclosure", "risk" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "SEC-482-e-principal-risk", "version": "1.0.0", "framework": "sec-482", "title": "Principal Risk Statement", "severity": "critical", "summary": "Investment company advertisements must include a statement that investment return and principal value will fluctuate, and shares may be worth more or less than original cost when redeemed.", "rationale": "", "detection": { 
"type": "keyword", "patterns": [], "keywords": [ "principal", "fluctuate", "may lose value", "redeemed" ] }, "remediation": { "guidance": "Include: \"Investment return and principal value will fluctuate. Shares, when redeemed, may be worth more or less than their original cost.\"", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "17 CFR 230.482(e)", "source_url": "https://www.ecfr.gov/current/title-17/chapter-II/part-230/section-230.482", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "disclosure", "risk" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "SEC-482-f-annual-returns", "version": "1.0.0", "framework": "sec-482", "title": "Average Annual Total Returns", "severity": "critical", "summary": "Investment company advertisements must calculate and present average annual total returns using SEC-standardized methodology.", "rationale": "", "detection": { "type": "keyword", "patterns": [], "keywords": [ "average annual", "total return", "annualized" ] }, "remediation": { "guidance": "Calculate and present average annual total returns using SEC-standardized methodology.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "17 CFR 230.482(f)", "source_url": "https://www.ecfr.gov/current/title-17/chapter-II/part-230/section-230.482", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "performance" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "SEC-482-f-benchmark", "version": "1.0.0", "framework": "sec-482", "title": "Benchmark Comparison", "severity": "warning", "summary": "Investment company advertisements showing performance should include comparison to an appropriate benchmark index for the same time periods.", "rationale": "", "detection": { "type": "hybrid", 
"patterns": [ "S&P\\s*500", "benchmark", "index\\s+(comparison|performance)", "vs\\.?\\s+(S&P|Russell|Dow|MSCI|Bloomberg)" ], "keywords": [ "benchmark", "index", "S&P 500", "comparison" ] }, "remediation": { "guidance": "Include comparison to an appropriate benchmark index for the same time periods.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "17 CFR 230.482(f)(2)", "source_url": "https://www.ecfr.gov/current/title-17/chapter-II/part-230/section-230.482", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "performance" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "SEC-482-g-current", "version": "1.0.0", "framework": "sec-482", "title": "Current Performance Availability", "severity": "warning", "summary": "Investment company advertisements must provide a phone number or website URL where investors can obtain current month-end performance data.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "call.*\\d{3}[\\s.-]?\\d{3}[\\s.-]?\\d{4}", "visit.*\\.(com|org|net)", "current\\s+performance" ], "keywords": [ "call", "visit", "current performance", "month-end" ] }, "remediation": { "guidance": "Include phone number or website URL where current month-end performance can be obtained.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "17 CFR 230.482(g)", "source_url": "https://www.ecfr.gov/current/title-17/chapter-II/part-230/section-230.482", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "disclosure" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "SEC-482-past-performance", "version": "1.0.0", "framework": "sec-482", "title": "Past Performance Legend", "severity": "critical", "summary": "Investment company advertisements must include a clear 
statement that past performance does not guarantee future results.", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "past\\s+performance.*guarantee", "historical.*future\\s+results" ], "keywords": [ "past performance", "does not guarantee", "future results" ] }, "remediation": { "guidance": "Include: \"Past performance does not guarantee future results.\"", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "17 CFR 230.482", "source_url": "https://www.ecfr.gov/current/title-17/chapter-II/part-230/section-230.482", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "disclosure", "performance" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } } ]
```

### references/rules-sec-marketing.json

```json
[ { "id": "SEC-MKT-a-misleading", "version": "1.0.0", "framework": "sec-marketing", "title": "No Misleading Implications", "severity": "critical", "summary": "Advertisement must not include statements that would be otherwise misleading or deceptive by implication", "rationale": "", "detection": { "type": "ai-only", "patterns": [], "keywords": [ "misleading", "implication", "deceptive" ] }, "remediation": { "guidance": "Review all statements for potential misleading implications even if technically true.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "17 CFR 275.206(4)-1(a)(3)", "source_url": "https://www.ecfr.gov/current/title-17/chapter-II/part-275/section-275.206-4", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "structural" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "SEC-MKT-a-omission", "version": "1.0.0", "framework": "sec-marketing", "title": "No Material Omissions", "severity": "critical", "summary": "Advertisement must not omit any material fact that
would make the advertisement misleading", "rationale": "", "detection": { "type": "ai-only", "patterns": [], "keywords": [ "omission", "material fact", "misleading" ] }, "remediation": { "guidance": "Include all material facts necessary for complete understanding of advertised services.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "17 CFR 275.206(4)-1(a)(2)", "source_url": "https://www.ecfr.gov/current/title-17/chapter-II/part-275/section-275.206-4", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "structural" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "SEC-MKT-a-untrue", "version": "1.0.0", "framework": "sec-marketing", "title": "No Untrue Statements", "severity": "critical", "summary": "Advertisement must not include any untrue statement of a material fact", "rationale": "", "detection": { "type": "ai-only", "patterns": [], "keywords": [ "untrue", "material fact", "false statement" ] }, "remediation": { "guidance": "Verify all factual claims in marketing materials. 
Remove or correct any untrue statements.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "17 CFR 275.206(4)-1(a)(1)", "source_url": "https://www.ecfr.gov/current/title-17/chapter-II/part-275/section-275.206-4", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "structural" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "SEC-MKT-b-bad-actor", "version": "1.0.0", "framework": "sec-marketing", "title": "Bad Actor Disqualification", "severity": "critical", "summary": "Persons subject to bad actor disqualifications may not provide testimonials or endorsements", "rationale": "", "detection": { "type": "ai-only", "patterns": [], "keywords": [ "bad actor", "disqualification", "felony" ] }, "remediation": { "guidance": "Screen all testimonial/endorsement providers for bad actor disqualifications.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "17 CFR 275.206(4)-1(b)(4)", "source_url": "https://www.ecfr.gov/current/title-17/chapter-II/part-275/section-275.206-4", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "structural" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "SEC-MKT-b-endorsement-disclosure", "version": "1.0.0", "framework": "sec-marketing", "title": "Endorsement Disclosure Requirements", "severity": "warning", "summary": "Endorsements must clearly disclose any compensation paid and conflicts of interest", "rationale": "", "detection": { "type": "keyword", "patterns": [], "keywords": [ "endorsement", "compensation", "paid promotion" ] }, "remediation": { "guidance": "Clearly disclose any compensation paid for endorsements and any conflicts of interest.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": 
"17 CFR 275.206(4)-1(b)(2)", "source_url": "https://www.ecfr.gov/current/title-17/chapter-II/part-275/section-275.206-4", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "disclosure", "endorsement" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "SEC-MKT-b-promoter", "version": "1.0.0", "framework": "sec-marketing", "title": "Promoter Requirements", "severity": "warning", "summary": "Investment advisers must execute written promoter agreements and implement oversight procedures", "rationale": "", "detection": { "type": "keyword", "patterns": [], "keywords": [ "promoter", "solicitor", "referral" ] }, "remediation": { "guidance": "Execute written promoter agreements and implement oversight procedures.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "17 CFR 275.206(4)-1(b)(3)", "source_url": "https://www.ecfr.gov/current/title-17/chapter-II/part-275/section-275.206-4", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "structural" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "SEC-MKT-b-testimonial-disclosure", "version": "1.0.0", "framework": "sec-marketing", "title": "Testimonial Disclosure Requirements", "severity": "warning", "summary": "Testimonials must include disclosure of client status, compensation received, and material conflicts of interest", "rationale": "", "detection": { "type": "keyword", "patterns": [], "keywords": [ "testimonial", "disclosure", "client", "compensation" ] }, "remediation": { "guidance": "Disclose: (1) client status, (2) compensation received, (3) material conflicts of interest.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "17 CFR 275.206(4)-1(b)(1)", "source_url": 
"https://www.ecfr.gov/current/title-17/chapter-II/part-275/section-275.206-4", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "disclosure", "testimonial" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "SEC-MKT-c-rating-disclosure", "version": "1.0.0", "framework": "sec-marketing", "title": "Third-Party Rating Disclosures", "severity": "warning", "summary": "Third-party ratings must disclose the date, period evaluated, identity of rater, and any compensation paid", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "(5|4|3|2|1)[\\s-]?star", "rated\\s+#?\\d+", "top\\s+(advisor|RIA|firm)" ], "keywords": [ "rating", "ranked", "top advisor", "best" ] }, "remediation": { "guidance": "Include: date of rating, period evaluated, identity of rater, and any compensation paid.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "17 CFR 275.206(4)-1(c)(1)", "source_url": "https://www.ecfr.gov/current/title-17/chapter-II/part-275/section-275.206-4", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "disclosure", "rating" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "SEC-MKT-c-rating-questionnaire", "version": "1.0.0", "framework": "sec-marketing", "title": "Rating Questionnaire Disclosure", "severity": "info", "summary": "Must disclose if rating was based on self-reported questionnaire data", "rationale": "", "detection": { "type": "keyword", "patterns": [], "keywords": [ "questionnaire", "self-reported", "survey" ] }, "remediation": { "guidance": "Disclose if rating was based on self-reported questionnaire data.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "17 CFR 275.206(4)-1(c)(2)", "source_url": 
"https://www.ecfr.gov/current/title-17/chapter-II/part-275/section-275.206-4", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "structural" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "SEC-MKT-d-composite", "version": "1.0.0", "framework": "sec-marketing", "title": "Composite Performance Requirements", "severity": "warning", "summary": "Must create composites of similar strategy accounts rather than showing cherry-picked account performance", "rationale": "", "detection": { "type": "keyword", "patterns": [], "keywords": [ "composite", "aggregated", "similar strategies" ] }, "remediation": { "guidance": "Create composites of similar strategy accounts rather than showing cherry-picked account performance.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "17 CFR 275.206(4)-1(d)(3)", "source_url": "https://www.ecfr.gov/current/title-17/chapter-II/part-275/section-275.206-4", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "performance", "structural" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "SEC-MKT-d-gross-net", "version": "1.0.0", "framework": "sec-marketing", "title": "Gross and Net Performance", "severity": "critical", "summary": "Must show net performance alongside gross performance with equal prominence", "rationale": "", "detection": { "type": "keyword", "patterns": [], "keywords": [ "gross", "net", "fees deducted" ] }, "remediation": { "guidance": "Always show net performance alongside gross performance with equal prominence.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "17 CFR 275.206(4)-1(d)(1)", "source_url": "https://www.ecfr.gov/current/title-17/chapter-II/part-275/section-275.206-4", "retrieved_at": "2026-02-09", 
"attribution_required": false }, "metadata": { "tags": [ "performance", "disclosure" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "SEC-MKT-d-portability", "version": "1.0.0", "framework": "sec-marketing", "title": "Portable Performance Attribution", "severity": "warning", "summary": "Portable track record must clearly identify the responsible person and prior firm", "rationale": "", "detection": { "type": "keyword", "patterns": [], "keywords": [ "portable", "prior firm", "track record" ] }, "remediation": { "guidance": "Ensure portable track record clearly identifies the responsible person and prior firm.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "17 CFR 275.206(4)-1(d)(4)", "source_url": "https://www.ecfr.gov/current/title-17/chapter-II/part-275/section-275.206-4", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "performance", "structural" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "SEC-MKT-d-time-periods", "version": "1.0.0", "framework": "sec-marketing", "title": "Performance Time Periods", "severity": "critical", "summary": "Must include standardized 1-year, 5-year, and 10-year (or since inception) returns", "rationale": "", "detection": { "type": "keyword", "patterns": [], "keywords": [ "1-year", "5-year", "10-year", "time period" ] }, "remediation": { "guidance": "Include standardized 1-year, 5-year, and 10-year (or since inception) returns.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "17 CFR 275.206(4)-1(d)(2)", "source_url": "https://www.ecfr.gov/current/title-17/chapter-II/part-275/section-275.206-4", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "performance" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", 
"marketing" ], "owner": "qcme-core" } }, { "id": "SEC-MKT-e-hypothetical-disclosure", "version": "1.0.0", "framework": "sec-marketing", "title": "Hypothetical Performance Disclosures", "severity": "critical", "summary": "Hypothetical performance must be clearly labeled and disclose assumptions, limitations, and that it does not reflect actual trading", "rationale": "", "detection": { "type": "hybrid", "patterns": [ "hypothetical", "backtest(ed)?", "simulat(ed|ion)", "model(ed)?\\s+performance" ], "keywords": [ "hypothetical", "backtested", "simulated", "model portfolio" ] }, "remediation": { "guidance": "Label as hypothetical. Disclose: (1) assumptions used, (2) limitations, (3) that it does not reflect actual trading.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "17 CFR 275.206(4)-1(e)(2)", "source_url": "https://www.ecfr.gov/current/title-17/chapter-II/part-275/section-275.206-4", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "performance", "disclosure" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "SEC-MKT-e-hypothetical-general", "version": "1.0.0", "framework": "sec-marketing", "title": "Hypothetical Performance Requirements", "severity": "critical", "summary": "Restrict hypothetical performance to sophisticated audiences and include all limitations and assumptions", "rationale": "", "detection": { "type": "keyword", "patterns": [], "keywords": [ "hypothetical", "backtested", "simulated" ] }, "remediation": { "guidance": "Restrict hypothetical performance to sophisticated audiences. 
Include all limitations and assumptions.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "17 CFR 275.206(4)-1(e)(1)", "source_url": "https://www.ecfr.gov/current/title-17/chapter-II/part-275/section-275.206-4", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "performance" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "SEC-MKT-extracted-performance", "version": "1.0.0", "framework": "sec-marketing", "title": "Extracted Performance Disclosure", "severity": "warning", "summary": "When showing performance of a subset, must also show the total portfolio performance", "rationale": "", "detection": { "type": "keyword", "patterns": [], "keywords": [ "extracted", "carve-out", "subset", "sector performance" ] }, "remediation": { "guidance": "When showing performance of a subset, also show the total portfolio performance.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "17 CFR 275.206(4)-1", "source_url": "https://www.ecfr.gov/current/title-17/chapter-II/part-275/section-275.206-4", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "performance", "disclosure" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "SEC-MKT-f-predecessor", "version": "1.0.0", "framework": "sec-marketing", "title": "Predecessor Performance Requirements", "severity": "warning", "summary": "Must clearly identify predecessor entity and verify substantially similar investment process", "rationale": "", "detection": { "type": "keyword", "patterns": [], "keywords": [ "predecessor", "acquired", "successor" ] }, "remediation": { "guidance": "Clearly identify predecessor entity and verify substantially similar investment process.", "examples": [] }, "source": { "source_type": "public_law", 
"policy_status": "allowed", "citation": "17 CFR 275.206(4)-1(f)", "source_url": "https://www.ecfr.gov/current/title-17/chapter-II/part-275/section-275.206-4", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "performance", "structural" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } }, { "id": "SEC-MKT-related-performance", "version": "1.0.0", "framework": "sec-marketing", "title": "Related Performance Requirements", "severity": "warning", "summary": "Must explain material differences between the related strategy shown and the strategy being offered", "rationale": "", "detection": { "type": "keyword", "patterns": [], "keywords": [ "related", "similar strategy", "comparable" ] }, "remediation": { "guidance": "Explain material differences between the related strategy shown and the strategy being offered.", "examples": [] }, "source": { "source_type": "public_law", "policy_status": "allowed", "citation": "17 CFR 275.206(4)-1", "source_url": "https://www.ecfr.gov/current/title-17/chapter-II/part-275/section-275.206-4", "retrieved_at": "2026-02-09", "attribution_required": false }, "metadata": { "tags": [ "performance", "structural" ], "jurisdiction": [ "US" ], "content_types": [ "landing-page", "marketing" ], "owner": "qcme-core" } } ] ```