Control Lookup
Search the 112 Controls in the Magist catalog. Each Control links to the regulations that require it, applicability conditions, and vendors that fulfill it.
California's ABC test is the contemporary standard for worker classification in California and a widening list of US states that adopted it after Dynamex Operations West, Inc. v. Superior Court (2018) an…
An accessibility feedback channel is the operational counterpart to the public accessibility statement: it is the route by which a user who hits a barrier in production tells the operator about it, an…
An accessibility statement is the public-facing document that records, in regulator-readable form, what the platform's current accessibility posture actually is. The document sits on the public websit…
Contextual-only advertising is the strategy of selecting which ad to show based on what the user is looking at (page content, query keyword, channel) rather than based on who the regulator-protected a…
Age-rating classification is the process by which an interactive product earns a rating from the rating bodies that gate distribution in each market. The submission is a content questionnaire, not a c…
Age verification is the operational tier-determinator for products whose features gate by age: minor-protection regulations that require enhanced safeguards once a user is known to be under a defined…
NYC Local Law 144 has the most operationally specific bias-audit obligation in any of the AI laws currently on the books: an independent third party must compute selection rates and impact ratios across pr…
A published protocol and the implementing product behavior for an AI companion chatbot — the relationship-sustaining, socially-engaging class of assistant — covering self-harm and crisis handling, AI-…
Automated-decision explanation obligations sit at an awkward intersection: the regulation wants a meaningful description of why an algorithm reached a particular outcome for a particular person, the a…
Deepfake regulation has the wrong-name problem. The statutes label themselves after the technique (deepfakes, synthetic media, AI-generated likenesses), but the operational obligation is almost entire…
The Algorithmic Impact Assessment is the AI compliance world's awkward cousin to the GDPR Data Protection Impact Assessment, and the family resemblance is more than cosmetic. GDPR Article 35 establish…
Serious-incident reporting for AI systems has shown up in regulation faster than most other AI-governance obligations, and the reason is that the regulators writing AI law have been watching the aviat…
Recommender-transparency regimes are unusual among AI obligations because they assume the technology already works and focus instead on user agency. DSA Article 27 does not ask whether a ranking syste…
AI disclosure obligations have a peculiar shape: most of them are not about the AI, they are about whether the user knows they are talking to one. EU AI Act Article 50 does not regulate the model; it…
Training-data disclosure obligations represent a particularly Levine-ian regulatory move: the statutes do not, for the most part, regulate what an AI model is allowed to be trained on; they regulate w…
China's Algorithm Registry filing is one of the more distinctive pieces of the PRC's algorithmic-governance regime, and the structurally interesting piece is that the registry is public. Any provider…
Algorithmic management transparency is the worker-side counterpart to consumer algorithmic-transparency rules. When an automated system assigns shifts, ranks workers, evaluates performance, sets pay m…
Algorithmic transparency obligations have converged on a similar shape across DSA Article 27, China's Internet Information Service Algorithmic Recommendation Management Provisions, the EU AI Act high-…
Alternative formats are the accessibility regimes' answer to the fact that a single visual presentation does not work for every user. Large print serves low-vision users, audio serves blind or print-d…
An anti-money-laundering program is the operational system that money services businesses, payment institutions, e-money issuers, and crypto-asset service providers run to detect and report financial-…
Competition law is the unusual case of a regulatory regime whose operative obligation is mostly behavioral rather than documentary. The rules say "do not do this thing" (do not agree on prices with co…
Assistive-technology compatibility testing is the part of the accessibility program where abstract WCAG conformance claims meet the reality of users driving the product with NVDA, JAWS, VoiceOver, Tal…
Audit log retention is the unglamorous infrastructure piece that turns "we have logging" into evidence usable by a regulator, auditor, or litigator months or years after the fact. Most modern privacy,…
A written program governing how a product captures, stores, uses, and destroys biometric identifiers (fingerprints, voiceprints, face geometry, iris and retina scans). The state biometric statutes sha…
A breach-notification process is the operational system that runs after the security team identifies a personal-data incident, against a regulatory clock that started the moment the incident was detec…
CCL classification is the entry-point determination for the US export-controls regime. Every exportable product, technology, or piece of software gets assigned an Export Control Classification Number…
Commercial email compliance is the surface where US, EU, UK, Canadian, Korean, and Japanese rules converge into a single operational program because almost every email program ships across all of them…
Complaint-handling systems are the user-facing intake for "this content or this seller is breaking a rule." They show up across DSA Article 16, the EU P2B Regulation, the UK Online Safety Act, and a w…
Compliance-by-design interfaces are the marketplace-platform answer to a structural problem: traders selling on a platform are responsible for product-compliance disclosures, but the platform is the s…
A consent banner is the operational endpoint of the lawful-basis question for tracking that requires user opt-in: cookies, advertising pixels, analytics SDKs, third-party tags, and increasingly the se…
The bundle of consents, authorizations, disclosures, and limits that the consumer-health-data statutes — led by Washington's My Health My Data Act — impose on any business that collects health-linked…
Contact-information disclosure is the regulatory descendant of the printed-imprint requirement that has run through European commercial law for a century. Any consumer-facing online service tells user…
Content moderation is now a regulated function rather than a voluntary product choice. The DSA, the UK Online Safety Act, Singapore's Online Criminal Harms Act, India's IT Rules 2021, and Australia's…
Cookie consent management is the inventory-and-gating function that sits behind the consent banner. The work is cataloguing every first-party and third-party cookie, SDK, pixel, and tag the product lo…
Notice-and-takedown is the operational core of every modern hosting safe-harbor regime. DMCA §512 in the US, EU Copyright Directive Article 17 (with its separate "best efforts" overlay), the UK CDPA s…
Cross-border data transfer is the operational area where almost every comprehensive privacy regime ends up looking similar in shape and different in detail. GDPR Chapter V, PIPL Article 38, LGPD Artic…
A cross-border data transfer record is the operational inventory that sits underneath the mechanism program. The mechanism program (the companion control `cross-border-transfer-mechanism`) answers the…
Dark-patterns prohibitions started as an FTC enforcement theme around forced-action and roach-motel cancellation flows and have since hardened into specific prohibitions across DSA Article 25, the EU…
Data classification is the foundational schema that the rest of the data-protection program reads off of. Every other operational control (encryption, retention, access management, transfer rules, bre…
Data minimization is the GDPR Article 5(1)(c) principle that has propagated into LGPD, CPRA, the Quebec Law 25 framework, and the contemporary read of FTC Section 5 unfairness: collect only what is ne…
A data retention policy converts the storage-limitation principle into concrete rules the engineering team can implement. The principle itself is widely shared (GDPR Article 5(1)(e), CCPA disclosure-o…
Deceptive-practices prohibitions are the consumer-protection backstop that runs underneath every other product-level rule. FTC Act §5 in the US, the EU Unfair Commercial Practices Directive (UCPD) Art…
Denied-persons screening is the export-controls equivalent of sanctions screening. Before any export-controlled transaction, the counterparty gets screened against the relevant US Bureau of Industry a…
Digital services tax tracking is the revenue-side compliance function that emerged when the UK, France, Italy, Spain, Austria, Turkey, Canada, and India each decided, on independent timelines, that th…
Internal dispute-resolution mechanisms for business users are the EU P2B Regulation's structural answer to the bargaining asymmetry between online platforms and the businesses that depend on them for…
DMCA designated-agent registration is one of the cheaper filings in the US online-services regulatory toolkit and one of the most structurally consequential. Any hosting service that wants the 17 U.S.…
A Data Protection Impact Assessment is the GDPR Article 35 structured-risk-analysis exercise that runs before any processing operation likely to result in high risk to data subjects. The Article 35 li…
Data subject access requests are the single most operationally demanding piece of most modern privacy regulations. A person the operator has never met asks for everything the operator holds on them, t…
DST revenue ringfencing is the finance-system discipline of tagging in-scope revenue at the moment of recognition, by jurisdiction, so that the DST liability calculates against the underlying ledger r…
E-money issuance is a regulated activity in every jurisdiction that has caught up with the category, and the category itself covers any prepaid balance, wallet, or stored-value product that is redeema…
Compliance training is the regulatory checkbox that most operators treat as a checkbox and that most enforcement actions treat as evidence. The asymmetry is what makes the discipline matter: a perfunc…
End-use and end-user controls are the tier of export-control law that operates above and beyond the destination-country sanctions list. The premise is that even a transaction with a non-sanctioned cou…
A program that holds every environmental or sustainability claim a product makes to documented evidence before it is published, and that governs the use of sustainability labels. The greenwashing regi…
Export-license determination is the per-transaction question that sits in front of every cross-border shipment of goods, software, or technology that touches a controlled list. The logic decomposes in…
The federal CARD Act of 2009 set the operating envelope for gift cards and stored-value products in the US. The headline rules are mostly settled and most product teams understand them. The operationa…
Algorithmic management of workers has become its own regulatory category over the past five years, distinct from the broader automated-decision-making rules under GDPR Article 22 and distinct again fr…
An incident-response plan is both a document and a practiced workflow. The document captures the playbook that runs when a cybersecurity incident is detected; the workflow is what the response team ac…
Information firewalls between a platform's marketplace operations and its own first-party business units are what hybrid platforms build to keep merchant-side data out of the hands of the people desig…
A KYC program is the customer-onboarding workflow that establishes who a customer actually is, calibrated to the risk that customer presents to the regulated activity in question. The architecture has…
GDPR Article 6 enumerates six lawful bases for processing personal data: consent, contract, legitimate interest, vital interest, public task, and legal obligation. Most non-EU privacy regimes have con…
Mediator designation is the EU Platform-to-Business Regulation's small but operationally specific requirement that an online intermediation service identify at least two mediators it is willing to eng…
Most-favored-nation and parity clauses are the contract terms that say a seller on one platform cannot offer better prices, terms, or inventory anywhere else. The textbook framing of the problem is th…
MiCA CASP authorization is the EU's single licensing regime for crypto-asset service providers, introduced by Regulation (EU) 2023/1114 (the Markets in Crypto-Assets Regulation), phased in through 202…
Monetization spending caps are the platform-side answer to a specific recurring pattern in minor-account monetization disputes: a child or vulnerable-population account accumulates a large in-app-purc…
US money-transmitter licensing is the state-by-state regulatory regime that catches platforms moving customer funds, with no federal preemption mechanism and substantial substantive variation across t…
The federal TAKE IT DOWN Act is the first US statute to impose a fixed takedown deadline for non-consensual intimate imagery on platforms that host user-generated content, and is also the first US sta…
SDN-list screening is the baseline of US sanctions compliance and is necessary but not sufficient. OFAC maintains several additional restricted-party lists with different legal effects and different p…
Verifiable parental consent is the workflow that runs before a platform collects personal information from a user under the age of digital consent. The age threshold is jurisdiction-specific: under 13…
Worker payment-timing tracking is the operational layer that runs against statutory deadlines for paying contractors and platform workers. A growing number of jurisdictions over the past five years ha…
Platform-reporting programs are the operational systems that report seller and merchant earnings to tax authorities. The category sits across several parallel regimes that have converged on a similar…
Pre-contract disclosure is the package of statutorily-mandated information that consumers see before committing to a purchase. The structural feature across modern consumer-protection regimes is that…
Privacy by design and by default is the GDPR Article 25 obligation that privacy considerations be built into product development from the outset rather than retrofitted before launch. The Article has…
Data processing agreements are the GDPR Article 28 contracts between a controller and a processor that allocate responsibility for the personal data the processor handles on the controller's behalf. A…
Product-safety database screening is the operational layer that runs against the public recall and banned-product registers maintained by safety regulators across the major markets. In the EU, the Saf…
A privacy policy is the public-facing notice that captures the substantive transparency obligations of every modern privacy regime in a single document. The structural failure mode that produces most…
Random spot-checks of trader compliance are the EU Digital Services Act and Product Safety Regulation answer to a structural question: how does a marketplace keep its trader inventory honest without i…
A working ranking-transparency program describes, in plain language and in the terms of service, the main parameters the platform uses to order search results, product listings, or feeds, the relative…
A working trade-compliance recordkeeping program turns each export decision into an audit-ready file. The components are a records system keyed to the export transaction with each decision-making arti…
A working repeat-infringer termination policy actually terminates accounts that cross a defined infringement threshold, and documents the chain of strikes and decisions in a form a court can audit. Th…
A working right-of-withdrawal procedure runs against a regulatory clock that starts when the consumer receives the goods or accepts the digital service, not when the operator's customer-service team g…
A working right-to-erasure process deletes a data subject's personal data on request, across primary stores, backups, search indexes, replicas, and processor systems, within a fixed regulatory window.…
A working data-portability process produces the subject's personal data in a structured, commonly used, machine-readable format on request, and, where technically feasible, transmits it directly from…
A working safeguarding program enforces the legal premise that customer funds held by a payments institution or e-money issuer are not the institution's funds. The components are segregation of those…
A working sanctions-screening program operates a screening engine, a false-positive review queue, an escalation path for confirmed hits, and an audit log, against a constantly-updating set of restrict…
A working OFAC SDN screening program matches every customer, beneficial owner, and counterparty against the Specially Designated Nationals and Blocked Persons list at onboarding, on transaction, and o…
A published commitment to provide security updates for a defined period, plus the engineering pipeline that actually delivers them. The connectable-product regimes converge on the same two ideas: the…
A self-preferencing review program documents that the platform's ranking, recommendation, and visibility surfaces apply uniform criteria to first-party and third-party offerings on the same surface, a…
A working chat-moderation program covers a platform's user-to-user messaging surfaces with a policy, an enforcement workflow, and a transparency mechanism that survives regulator review. The component…
A status determination statement is the written record an engager issues to a worker (and, where relevant, to the agency immediately above the worker in the supply chain) explaining the worker's class…
Strong Customer Authentication is the EU PSD2 and UK FCA requirement that electronic payments be authenticated using two independent factors drawn from knowledge, possession, and inherence (something…
A working subprocessor-management program treats the controller-processor chain as a contract chain plus an inventory, and keeps both current. When a processor (the platform) hands personal data to a…
A working auto-renewal disclosure and click-to-cancel program runs the same shape across most modern consumer-protection regimes: pre-enrollment disclosure of renewal terms in a form the consumer is l…
Synthetic-content labeling is the rare AI obligation that reaches toward a wire format. EU AI Act Article 50 requires machine-readable marking of generated output and points implementers at C2PA-style co…
A working tax-ID collection program sits upstream of every payout, marketplace remittance, and information-reporting obligation: before a platform can pay a seller, contractor, or creator, it has to k…
A working TCPA program captures consent, records it in a form a court will accept, scrubs against the federal and applicable state Do-Not-Call lists, enforces time-of-day routing, and processes revoca…
Business-user terms of service compliant with the EU Platform-to-Business Regulation are not just a longer consumer ToS; the P2B regime prescribes content the way a regulator usually prescribes financ…
Terms of service are the operative contract between a platform and its users, and they sit at the intersection of three overlapping bodies of law. Contract law governs whether the terms were presented…
A working cross-border transfer program treats every flow of personal data leaving a home jurisdiction as a discrete transfer with a discrete legal basis. The components are a transfer register that l…
A working trader KYBC program collects and verifies a defined dataset before a third-party trader can transact with consumers on the platform, retains the records on a documented clock, and surfaces t…
A trader traceability database is a queryable inventory that maps each product or listing on a marketplace to its responsible trader, the trader's identification, the trader's address, and (for produc…
A working transaction-monitoring program looks at customer activity in flight and after the fact, recognizes the patterns statutes and FATF guidance have flagged as suspicious (structuring, rapid move…
A working unfair-contract-terms review is a periodic legal review of every standard-form consumer (and, in Australia, small-business) contract the platform uses, with a fairness-test scorecard per cla…
A working user-review authenticity program runs three layers that have to be operationally tight together: a verification posture that ties reviews to actual customers (typically through verified-purc…
A working VAT-registration program runs four pieces in concert: a threshold-monitoring system that identifies when a registration trigger is approaching in a given jurisdiction, a registration workflo…
A working vendor risk-assessment program identifies every vendor that handles regulated data, money, or critical infrastructure; classifies them by the risk they introduce; applies due diligence propo…
A published, free, and easy-to-find way for security researchers and the public to report a vulnerability in a product, plus the internal process that receives, triages, and remediates those reports.…
A working economic-nexus monitoring program tracks per-state revenue and transaction counts against each state's nexus threshold, alerts before the threshold crosses, and runs the registration workflo…
A working WCAG audit covers each AA success criterion against the actual product (not a representative subset), produces a finding-by-finding remediation list keyed to component and page, and feeds ba…
A working work-location tracking program collects periodic attestations from each contractor or remote employee, cross-checks them against passive signals the engager already has, and feeds the result…
A working worker-classification policy is a written document that names which classification test applies in which jurisdiction, applies the test consistently across the workforce, and audits classifi…
A working contractor-agreement program runs a current agreement library, a per-engagement signed-agreement audit, and a periodic refresh against the moving set of statutory disclosures the jurisdictio…
Magist provides legal information based on publicly available regulatory sources. It does not constitute legal advice and does not create an attorney-client relationship. Consult a licensed attorney in your jurisdiction before making compliance decisions.