GDPR Compliance
What Compliable checks for when validating AI-generated content against the General Data Protection Regulation (GDPR).
Overview
GDPR (General Data Protection Regulation) is the EU's comprehensive data privacy law. It applies to any organization processing personal data of EU residents, regardless of where the organization is based.
When your AI generates privacy policies, user disclosures, terms of service, or marketing content, it must comply with GDPR's strict transparency and consent requirements.
Set scope.jurisdiction to "EU" in the request to enable GDPR checks.
Common Violations Compliable Detects
Unnamed Third Parties
Severity: HIGH | GDPR Article 13.1(e)
The Issue: AI-generated privacy policies often use vague terms like "partners," "third-party services," or "analytics providers" without naming specific companies.
❌ "We may share your data with partners for analytics purposes."
Why It Fails: GDPR Article 13.1(e) requires disclosure of "the recipients or categories of recipients" of personal data. "Partners" is neither a named recipient nor a meaningful category: it tells users nothing about which organizations receive their data or why. Name the recipients, or at minimum describe each category precisely enough (for example "web analytics providers") that the user can tell what kind of organization receives which data.
✓ "We share your email address and usage data with Google Analytics and Mailchimp."
Vague Data Retention Periods
Severity: HIGH | GDPR Article 13.2(a)
The Issue: Saying "we retain data as long as necessary" or "for a reasonable period" without defining specific timeframes.
❌ "We retain your data for as long as necessary to provide our services."
Why It Fails: GDPR Article 13.2(a) requires disclosure of "the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period."
✓ "We retain account data for 12 months after account closure. Marketing data is retained until you opt out."
Missing Right to Data Portability
Severity: MEDIUM | GDPR Article 20
The Issue: Privacy policies often mention the right to access and delete data, but forget to mention the right to receive data in a portable format.
❌ "You can request access to or deletion of your data."
Why It Fails: GDPR Article 20 grants users the right to receive their personal data "in a structured, commonly used, and machine-readable format."
✓ "You can request access to, portability of, or deletion of your data. We provide exports in JSON format."
Bundled Consent
Severity: CRITICAL | GDPR Article 7.2
The Issue: Combining multiple consent requests into a single checkbox (e.g., "I agree to the Terms and Privacy Policy and want to receive marketing emails").
❌ "By signing up, you agree to our Terms and consent to marketing communications."
Why It Fails: GDPR Article 7.2 requires a consent request that appears alongside other matters to be "clearly distinguishable" from them, and Recital 43 presumes consent is not freely given when users cannot consent separately to different processing operations. Users must be able to accept the Terms without also opting in to marketing, so each purpose needs its own, unticked control.
✓ Separate checkboxes: "☐ I agree to the Terms" and "☐ I want to receive marketing emails."
Implied Consent
Severity: CRITICAL | GDPR Article 4.11 & Article 7
The Issue: Consent phrased as "by using our site, you agree..." or "continued use implies consent."
❌ "By continuing to use our service, you consent to data processing."
Why It Fails: GDPR Article 4.11 defines consent as a "freely given, specific, informed and unambiguous" indication of the user's wishes given "by a statement or by a clear affirmative action". Continued use is neither: Recital 32 states that silence, pre-ticked boxes or inactivity do not constitute consent. Users must actively opt in, and Article 7.3 requires that withdrawing consent be as easy as giving it.
✓ "Click 'Accept' to consent to data processing. You can withdraw consent at any time."
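The five patterns above can be approximated locally before content is ever sent to the API, which is useful as a cheap pre-commit gate on generated policy text. The following is an added example written for this page, not Compliable's detection engine: the rule ids, severities, article labels, regexes and the functions check_gdpr_text and worst_severity are all assumptions made here, and a regex pass is no substitute for the real check or for legal review. The sample text is the same sentence the curl request below submits.

```python
"""Heuristic linter for the five GDPR wording problems listed above.

Added illustrative example, not Compliable's detection engine: the rule
ids, severities, article labels and regexes are assumptions made for this
example, and a regex pass is no substitute for legal review.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Finding:
    rule: str       # hypothetical rule id, e.g. "vague_retention"
    severity: str   # CRITICAL / HIGH / MEDIUM, mirroring the badges above
    article: str    # GDPR article the rule is based on
    excerpt: str    # offending sentence, or "(document-wide)"


# Sentence-level rules: (rule, severity, article, pattern that signals the
# problem, pattern that clears it when found in the same sentence, or None).
SENTENCE_RULES = [
    (
        "unnamed_third_parties", "HIGH", "Art. 13.1(e)",
        re.compile(
            r"\b(?:share|disclose|transfer|provide)\b[^.]*?"
            r"\b(?:partners?|third[- ]part(?:y|ies)|(?:analytics|service) providers|affiliates|vendors)\b",
            re.I),
        re.compile(r"\b(?:such as|including|namely)\b", re.I),  # recipients are named
    ),
    (
        "vague_retention", "HIGH", "Art. 13.2(a)",
        re.compile(
            r"\b(?:retain|keep|store)\b[^.]*?"
            r"\b(?:as long as (?:necessary|needed)|a reasonable (?:period|time))\b",
            re.I),
        re.compile(r"\b\d+\s*(?:days?|months?|years?)\b|\bcriteria\b", re.I),  # period or criteria given
    ),
    (
        "bundled_consent", "CRITICAL", "Art. 7.2",
        re.compile(
            r"\b(?:agree|consent)\b[^.]*\bterms\b[^.]*\b(?:marketing|newsletters?|promotional)\b",
            re.I),
        None,
    ),
    (
        "implied_consent", "CRITICAL", "Art. 4.11 & 7",
        re.compile(
            r"\bby (?:continuing to use|using|accessing|browsing|visiting)\b[^.]*\b(?:consent|agree|accept)",
            re.I),
        None,
    ),
]

# Document-level rule: access/deletion rights are described but portability is not.
RIGHTS_MENTIONED = re.compile(r"\b(?:access|delet(?:e|ion)|erasure)\b", re.I)
PORTABILITY = re.compile(r"\b(?:portab|export|machine-readable)", re.I)

SEVERITY_RANK = {"MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}


def split_sentences(text: str) -> list[str]:
    """Naive sentence splitter; good enough for policy prose."""
    return [s.strip() for s in re.split(r"(?<=[.!?])\s+", text) if s.strip()]


def check_gdpr_text(text: str) -> list[Finding]:
    """Return every finding for the given policy text, sentence rules first."""
    findings: list[Finding] = []
    for sentence in split_sentences(text):
        for rule, severity, article, hit, clear in SENTENCE_RULES:
            if hit.search(sentence) and not (clear and clear.search(sentence)):
                findings.append(Finding(rule, severity, article, sentence))
    if RIGHTS_MENTIONED.search(text) and not PORTABILITY.search(text):
        findings.append(Finding("missing_portability", "MEDIUM", "Art. 20", "(document-wide)"))
    return findings


def worst_severity(findings: list[Finding]) -> Optional[str]:
    """Highest severity present, for gating a CI step on CRITICAL/HIGH."""
    if not findings:
        return None
    return max(findings, key=lambda f: SEVERITY_RANK[f.severity]).severity


if __name__ == "__main__":
    # Constructed sample: the same text the curl request on this page submits.
    sample = "We share data with partners and retain it as long as necessary."
    for f in check_gdpr_text(sample):
        print(f"{f.severity:8} {f.rule:22} {f.article:14} {f.excerpt}")
    print("worst:", worst_severity(check_gdpr_text(sample)))
```

Each sentence rule pairs a trigger pattern with a clearing pattern, so "we retain data for as long as necessary" is flagged only when the sentence also lacks a concrete period or stated criteria, which is exactly the allowance Article 13.2(a) makes. The linter operates on policy prose, not UI descriptions; a sentence describing two separate checkboxes would trip the bundled-consent rule even though the UI itself is compliant, which is one reason to treat this as a pre-filter and let the endpoint make the call.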
How to Check GDPR Compliance
To check AI-generated content for GDPR violations, use the /v1/check/gdpr endpoint with scope.jurisdiction set to "EU":
curl -X POST https://api.compliable.dev/v1/check/gdpr \
  -H "Authorization: Bearer cpbl_your_api_key_here" \
  -H "Content-Type: application/json" \
  -d '{
    "content": "We share data with partners and retain it as long as necessary.",
    "scope": {
      "jurisdiction": "EU"
    },
    "context": {
      "documentType": "privacy_policy"
    }
  }'