{ "schemaVersion": 1, "categories": [ { "id": "identity-accounts", "name": "Identity & Accounts", "features": [ { "id": "account-creation", "name": "Account creation / user registration", "icon": "🔑", "description": "Any form of user registration, login, or personal data collection at signup", "showMore": false, "subQualifications": [ { "id": "email-only", "label": "Email only", "triggerModifier": "account-email-only" }, { "id": "full-profile", "label": "Full profile (name, DOB, address)", "triggerModifier": "account-full-profile" }, { "id": "social-login", "label": "Social login (OAuth)", "triggerModifier": "account-social-login" } ], "triggerRegulations": [ "appi", "argentina-pdpa", "california-aadc", "ccpa", "chile-19628", "ciipa", "circia", "colombia-1581", "colorado-cpa", "connecticut-ctdpa", "coppa", "country-sanctions-rollup", "csl", "delaware-dpdpa", "dpdpa", "eu-dual-use", "ferpa", "gdpr", "uk-gdpr", "indiana-cdpa", "indonesia-pdp-law", "iowa-cdpa", "kenya-dpa", "lgpd", "maryland-modpa", "mexico-lfpdppp", "montana-mcdpa", "newjersey-njdpa", "nigeria-ndpr", "nis2", "oregon-ocpa", "philippines-dpa", "pipa-korea", "pipeda", "pipl", "privacy-act-au", "saudi-pdpl", "singapore-pdpa", "south-africa-popia", "tennessee-ipa", "texas-dpsa", "thailand-pdpa", "turkey-kvkk", "uae-pdp", "uk-aadc", "uk-export-control-order", "us-ear", "us-ofac-sanctions", "utah-ucpa", "vietnam-pdpd", "virginia-cdpa" ], "triggerPlatforms": [ "apple", "google-play" ], "triggerRatings": [], "regulatorySignificance": "Account creation typically triggers privacy notice and consent obligations across most jurisdictions, including COPPA parental consent for under-13 users, GDPR lawful basis requirements, and state privacy law disclosure obligations." }, { "id": "sso", "name": "Single sign-on / social login", "icon": "🔗", "description": "Letting users sign in with Google, Apple, Facebook, or other third-party identity providers", "showMore": false, "triggerRegulations": [ "gdpr", "uk-gdpr", "ccpa", "uk-aadc", "texas-dpsa", "colorado-cpa", "virginia-cdpa", "connecticut-ctdpa", "oregon-ocpa", "montana-mcdpa", "utah-ucpa", "delaware-dpdpa", "newjersey-njdpa", "maryland-modpa", "iowa-cdpa", "tennessee-ipa", "indiana-cdpa", "mexico-lfpdppp", "colombia-1581", "argentina-pdpa", "vietnam-pdpd", "indonesia-pdp-law", "philippines-dpa", "south-africa-popia", "nigeria-ndpr", "kenya-dpa" ], "triggerPlatforms": [ "apple", "google-play" ], "triggerRatings": [], "regulatorySignificance": "Single sign-on involves third-party data sharing that may trigger GDPR data controller/processor agreements, CCPA service provider requirements, and platform-specific OAuth policy compliance." }, { "id": "age-gating", "name": "Age gating / age verification", "icon": "🎂", "description": "Asking users their age or date of birth to restrict access to features or content", "showMore": false, "triggerRegulations": [ "coppa", "gdpr", "uk-gdpr", "uk-aadc", "california-aadc", "kosa", "dsa", "china-minors-protection", "mexico-lfpdppp", "colombia-1581", "argentina-pdpa", "vietnam-pdpd", "indonesia-pdp-law", "philippines-dpa", "south-africa-popia", "nigeria-ndpr", "kenya-dpa" ], "triggerPlatforms": [ "apple", "google-play" ], "triggerRatings": [ "esrb", "pegi" ], "regulatorySignificance": "Age verification mechanisms are typically required or strongly recommended under COPPA, UK AADC, EU DSA, and KOSA. Implementation approach may determine classification as a directed-to-children service." }, { "id": "age-estimation", "name": "Age estimation / age assurance", "icon": "🔍", "description": "Using AI, device signals, or third-party tools to estimate or verify a user's age beyond self-declaration", "showMore": false, "triggerRegulations": [ "uk-aadc", "california-aadc", "ai-act", "gdpr", "uk-gdpr", "coppa", "kosa", "mexico-lfpdppp", "colombia-1581", "argentina-pdpa", "vietnam-pdpd", "indonesia-pdp-law", "philippines-dpa", "south-africa-popia", "nigeria-ndpr", "kenya-dpa" ], "triggerPlatforms": [ "apple", "google-play" ], "triggerRatings": [], "regulatorySignificance": "Age estimation technology may be classified as biometric processing under GDPR, BIPA, and emerging state privacy laws. Accuracy requirements vary by jurisdiction and may trigger AI-specific regulations." }, { "id": "identity-verification", "name": "Identity verification (KYC)", "icon": "🪪", "description": "Verifying a user's real-world identity through government ID, document upload, or similar know-your-customer checks", "showMore": true, "triggerRegulations": [ "gdpr", "uk-gdpr", "ccpa", "pipl", "mexico-lfpdppp", "colombia-1581", "argentina-pdpa", "vietnam-pdpd", "indonesia-pdp-law", "philippines-dpa", "south-africa-popia", "nigeria-ndpr", "kenya-dpa", "texas-cubi", "washington-hb1493" ], "triggerPlatforms": [], "triggerRatings": [], "regulatorySignificance": "Identity verification involves processing sensitive personal data and may trigger biometric data laws (BIPA, GDPR Art. 9), financial regulations (KYC/AML), and data minimization requirements." }, { "id": "biometric-auth", "name": "Biometric authentication", "icon": "🫁", "description": "Face ID, fingerprint, voice print, behavioral biometrics", "showMore": false, "triggerRegulations": [ "coppa", "gdpr", "uk-gdpr", "bipa", "ccpa", "uk-aadc", "ai-act", "pipl", "turkey-kvkk", "singapore-pdpa", "thailand-pdpa", "iowa-cdpa", "tennessee-ipa", "indiana-cdpa", "mexico-lfpdppp", "colombia-1581", "argentina-pdpa", "vietnam-pdpd", "indonesia-pdp-law", "philippines-dpa", "south-africa-popia", "nigeria-ndpr", "kenya-dpa", "texas-cubi", "washington-hb1493" ], "triggerPlatforms": [ "apple", "google-play" ], "triggerRatings": [], "regulatorySignificance": "Biometric authentication typically triggers BIPA notice and consent requirements in Illinois, GDPR special category processing rules, and emerging state biometric privacy laws." }, { "id": "data-portability", "name": "Data portability / account deletion", "icon": "📦", "description": "Letting users export their data or permanently delete their account and associated information", "showMore": false, "triggerRegulations": [ "gdpr", "uk-gdpr", "ccpa", "lgpd", "pipl", "dpdpa", "turkey-kvkk", "singapore-pdpa", "thailand-pdpa", "uae-pdp", "pipa-korea", "appi", "pipeda", "privacy-act-au", "iowa-cdpa", "tennessee-ipa", "indiana-cdpa", "dsl", "mexico-lfpdppp", "colombia-1581", "argentina-pdpa", "vietnam-pdpd", "indonesia-pdp-law", "philippines-dpa", "south-africa-popia", "nigeria-ndpr", "kenya-dpa" ], "triggerPlatforms": [ "apple", "google-play" ], "triggerRatings": [], "regulatorySignificance": "Data portability features implicate GDPR Art. 20 right to data portability, CCPA right to access, and emerging global data transfer requirements. Implementation affects compliance with deletion rights." } ] }, { "id": "communication", "name": "Communication", "features": [ { "id": "text-chat", "name": "Text chat / messaging", "icon": "💬", "description": "Any form of text-based communication between users, including DMs, group chats, and in-game messaging", "showMore": false, "triggerRegulations": [ "age-rating-classification", "argentina-pdpa", "china-minors-protection", "colombia-1581", "coppa", "dsa", "eu-dma", "gdpr", "uk-gdpr", "india-it-rules", "indonesia-pdp-law", "kenya-dpa", "kosa", "mexico-lfpdppp", "nigeria-ndpr", "philippines-dpa", "south-africa-popia", "uk-aadc", "vietnam-pdpd" ], "triggerPlatforms": [ "apple", "roblox" ], "triggerRatings": [], "regulatorySignificance": "Real-time messaging typically triggers content moderation obligations under the EU DSA, UK Online Safety Act, and COPPA. May require monitoring for child safety in under-18 services." }, { "id": "voice-chat", "name": "Voice chat", "icon": "🎤", "description": "Real-time voice communication between users, including party chat and in-game voice", "showMore": false, "triggerRegulations": [ "coppa", "gdpr", "uk-gdpr", "uk-aadc", "kosa", "age-rating-classification", "china-minors-protection", "mexico-lfpdppp", "colombia-1581", "argentina-pdpa", "vietnam-pdpd", "indonesia-pdp-law", "philippines-dpa", "south-africa-popia", "nigeria-ndpr", "kenya-dpa" ], "triggerPlatforms": [ "apple", "roblox" ], "triggerRatings": [], "regulatorySignificance": "Voice communications may constitute personal data collection under COPPA (audio recordings of children) and GDPR. Wiretapping laws and recording consent requirements may also apply." }, { "id": "video-chat", "name": "Video chat", "icon": "📹", "description": "Real-time video communication between users, including video calls and face-to-face features", "showMore": false, "triggerRegulations": [ "coppa", "gdpr", "uk-gdpr", "uk-aadc", "age-rating-classification", "mexico-lfpdppp", "colombia-1581", "argentina-pdpa", "vietnam-pdpd", "indonesia-pdp-law", "philippines-dpa", "south-africa-popia", "nigeria-ndpr", "kenya-dpa", "illinois-aivia" ], "triggerPlatforms": [ "apple" ], "triggerRatings": [], "regulatorySignificance": "Video chat involves processing biometric and audiovisual data, potentially triggering GDPR special category rules, COPPA for children, and wiretapping/recording consent laws." }, { "id": "live-streaming", "name": "Live streaming / broadcasting", "icon": "📡", "description": "Users can broadcast live video or audio to an audience, including game streaming and live events", "showMore": true, "triggerRegulations": [ "coppa", "gdpr", "dsa", "uk-aadc", "kosa", "age-rating-classification", "china-minors-protection", "china-content-review", "dmca", "india-it-rules", "mexico-lfpdppp", "colombia-1581", "argentina-pdpa", "vietnam-pdpd", "indonesia-pdp-law", "philippines-dpa", "south-africa-popia", "nigeria-ndpr", "kenya-dpa" ], "triggerPlatforms": [], "triggerRatings": [], "regulatorySignificance": "Live streaming combines content moderation obligations (DSA, UK OSA) with real-time data processing. Special considerations apply for minors under KOSA and child safety regulations." }, { "id": "push-notifications", "name": "Push notifications", "icon": "🔔", "description": "Sending alerts and messages to users' devices outside the app experience", "showMore": false, "triggerRegulations": [ "gdpr", "uk-gdpr", "ccpa", "uk-aadc", "texas-dpsa", "colorado-cpa", "virginia-cdpa", "connecticut-ctdpa", "oregon-ocpa", "iowa-cdpa", "tennessee-ipa", "indiana-cdpa", "mexico-lfpdppp", "colombia-1581", "argentina-pdpa", "vietnam-pdpd", "indonesia-pdp-law", "philippines-dpa", "south-africa-popia", "nigeria-ndpr", "kenya-dpa", "california-sb-976" ], "triggerPlatforms": [], "triggerRatings": [], "regulatorySignificance": "Push notifications may constitute direct marketing under GDPR ePrivacy Directive and CAN-SPAM, requiring opt-in consent in the EU and opt-out mechanisms in the US." }, { "id": "email-marketing", "name": "Email / SMS marketing", "icon": "📧", "description": "Sending promotional emails, newsletters, or SMS messages to users for marketing purposes", "showMore": true, "triggerRegulations": [ "gdpr", "uk-gdpr", "ccpa", "can-spam", "pipeda", "mexico-lfpdppp", "colombia-1581", "argentina-pdpa", "vietnam-pdpd", "indonesia-pdp-law", "philippines-dpa", "south-africa-popia", "nigeria-ndpr", "kenya-dpa" ], "triggerPlatforms": [], "triggerRatings": [], "regulatorySignificance": "Email marketing triggers CAN-SPAM compliance in the US, GDPR/ePrivacy opt-in consent in the EU, and CASL requirements in Canada. Anti-spam laws apply in most jurisdictions." }, { "id": "transactional-email", "name": "Transactional notifications", "icon": "📨", "description": "Automated emails, SMS, or in-app messages triggered by user actions (receipts, password resets, status updates)", "showMore": true, "triggerRegulations": [ "gdpr", "ccpa", "can-spam", "tcpa", "pipeda", "mexico-lfpdppp", "colombia-1581", "argentina-pdpa", "vietnam-pdpd", "indonesia-pdp-law", "philippines-dpa", "south-africa-popia", "nigeria-ndpr", "kenya-dpa" ], "triggerPlatforms": [], "triggerRatings": [], "regulatorySignificance": "Transactional emails are generally exempt from marketing consent rules but still subject to data processing requirements under GDPR and privacy laws for the personal data they contain." } ] }, { "id": "social-community", "name": "Social & Community", "features": [ { "id": "user-profiles", "name": "User profiles (bios, avatars, display names)", "icon": "👤", "description": "Public or semi-public user profiles where users set display names, avatars, bios, or other personal info", "showMore": false, "triggerRegulations": [ "coppa", "gdpr", "uk-gdpr", "ccpa", "uk-aadc", "dsa", "texas-dpsa", "colorado-cpa", "virginia-cdpa", "connecticut-ctdpa", "oregon-ocpa", "montana-mcdpa", "utah-ucpa", "delaware-dpdpa", "newjersey-njdpa", "maryland-modpa", "iowa-cdpa", "tennessee-ipa", "indiana-cdpa", "brazil-marco-civil", "take-it-down-act", "mexico-lfpdppp", "colombia-1581", "argentina-pdpa", "vietnam-pdpd", "indonesia-pdp-law", "philippines-dpa", "south-africa-popia", "nigeria-ndpr", "kenya-dpa" ], "triggerPlatforms": [], "triggerRatings": [], "regulatorySignificance": "User profiles involve ongoing personal data collection and processing, triggering GDPR purpose limitation, CCPA disclosure requirements, and enhanced protections for minor profiles under KOSA and UK AADC." }, { "id": "social-features", "name": "Social features (friends, groups, followers)", "icon": "👥", "description": "Friend lists, follower systems, groups, clans, guilds, or any social graph connecting users", "showMore": false, "triggerRegulations": [ "age-rating-classification", "argentina-pdpa", "austria-dst", "brazil-marco-civil", "canada-dst", "china-minors-protection", "china-content-review", "colombia-1581", "coppa", "dsa", "eu-dma", "france-dst", "gdpr", "uk-gdpr", "india-it-rules", "indonesia-pdp-law", "italy-dst", "kenya-dpa", "kosa", "mexico-lfpdppp", "netzdg", "nigeria-ndpr", "philippines-dpa", "section-230", "south-africa-popia", "spain-dst", "turkiye-dst", "uk-aadc", "uk-dst", "vietnam-pdpd", "california-sb-976" ], "triggerPlatforms": [ "roblox" ], "triggerRatings": [], "regulatorySignificance": "Social interaction features may create additional data sharing and content moderation obligations under DSA, UK OSA, and child safety regulations. Friend lists and connections constitute personal data." }, { "id": "leaderboards", "name": "Leaderboards / public rankings", "icon": "🏆", "description": "Publicly visible rankings, scoreboards, or competitive standings that display user performance", "showMore": true, "triggerRegulations": [ "gdpr", "coppa", "mexico-lfpdppp", "colombia-1581", "argentina-pdpa", "vietnam-pdpd", "indonesia-pdp-law", "philippines-dpa", "south-africa-popia", "nigeria-ndpr", "kenya-dpa" ], "triggerPlatforms": [], "triggerRatings": [], "regulatorySignificance": "Public leaderboards involve displaying user data and may require consent under GDPR. For minors, additional protections against harmful social pressure may apply under KOSA and UK AADC." }, { "id": "user-reviews", "name": "User reviews / ratings", "icon": "⭐", "description": "Letting users post reviews, ratings, or testimonials about products, content, or other users", "showMore": true, "triggerRegulations": [ "gdpr", "dsa", "ftc-act", "eu-omnibus", "ucpd", "section-230", "dmca", "netzdg", "mexico-lfpdppp", "colombia-1581", "argentina-pdpa", "vietnam-pdpd", "indonesia-pdp-law", "philippines-dpa", "south-africa-popia", "nigeria-ndpr", "kenya-dpa" ], "triggerPlatforms": [], "triggerRatings": [], "regulatorySignificance": "User-generated reviews trigger content moderation requirements under the DSA and consumer protection transparency rules. Review systems must comply with FTC endorsement guidelines." }, { "id": "referral-systems", "name": "Referral / invite systems", "icon": "📨", "description": "Users can invite friends via email, link, or code, often with rewards for successful referrals", "showMore": true, "triggerRegulations": [ "gdpr", "ccpa", "can-spam", "mexico-lfpdppp", "colombia-1581", "argentina-pdpa", "vietnam-pdpd", "indonesia-pdp-law", "philippines-dpa", "south-africa-popia", "nigeria-ndpr", "kenya-dpa" ], "triggerPlatforms": [], "triggerRatings": [], "regulatorySignificance": "Referral programs involve sharing contact data and may trigger GDPR consent requirements, CAN-SPAM compliance, and potentially violate anti-spam laws in certain jurisdictions." } ] }, { "id": "content-media", "name": "Content & Media", "features": [ { "id": "ugc", "name": "User-generated content (uploads, posts, levels, mods)", "icon": "📝", "description": "Users can create, upload, or share their own content: text posts, images, videos, game levels, mods, or other assets", "showMore": false, "triggerRegulations": [ "age-rating-classification", "argentina-pdpa", "brazil-marco-civil", "china-minors-protection", "china-content-review", "colombia-1581", "coppa", "dac7", "dmca", "dsa", "eu-copyright-directive", "eu-dma", "eu-p2b", "gdpr", "uk-gdpr", "india-it-rules", "indonesia-pdp-law", "kenya-dpa", "kosa", "mexico-lfpdppp", "netzdg", "nigeria-ndpr", "philippines-dpa", "saudi-anti-cyber", "section-230", "south-africa-popia", "take-it-down-act", "uk-aadc", "uk-competition-platforms", "uk-osa", "us-antitrust-platforms", "vietnam-pdpd" ], "triggerPlatforms": [ "apple", "google-play", "roblox" ], "triggerRatings": [], "regulatorySignificance": "User-generated content triggers significant content moderation obligations under the EU DSA, UK Online Safety Act, and COPPA. Requires notice-and-takedown procedures and potentially proactive monitoring for minors." }, { "id": "file-sharing", "name": "File sharing / document collaboration", "icon": "📁", "description": "Users can upload, share, or collaboratively edit files and documents within the product", "showMore": true, "triggerRegulations": [ "gdpr", "dsa", "take-it-down-act", "dmca", "mexico-lfpdppp", "colombia-1581", "argentina-pdpa", "vietnam-pdpd", "indonesia-pdp-law", "philippines-dpa", "south-africa-popia", "nigeria-ndpr", "kenya-dpa" ], "triggerPlatforms": [], "triggerRatings": [], "regulatorySignificance": "File sharing features involve data transfer and storage obligations under GDPR, content liability considerations, and potential cross-border data transfer restrictions." }, { "id": "ephemeral-content", "name": "Ephemeral / disappearing content", "icon": "⏳", "description": "Content that automatically disappears after a set time, such as stories, snaps, or temporary posts", "showMore": true, "triggerRegulations": [ "gdpr", "uk-aadc", "dsa", "kosa", "mexico-lfpdppp", "colombia-1581", "argentina-pdpa", "vietnam-pdpd", "indonesia-pdp-law", "philippines-dpa", "south-africa-popia", "nigeria-ndpr", "kenya-dpa" ], "triggerPlatforms": [], "triggerRatings": [], "regulatorySignificance": "Ephemeral content may still constitute personal data processing under GDPR even if auto-deleted. Data retention and deletion verification obligations apply, particularly for minor users." }, { "id": "synthetic-media", "name": "Synthetic media / deepfakes / face filters", "icon": "🎭", "description": "AI-generated or AI-modified media including deepfakes, face swaps, AR face filters, and synthetic avatars", "showMore": true, "triggerRegulations": [ "gdpr", "ai-act", "dsa", "mexico-lfpdppp", "colombia-1581", "argentina-pdpa", "vietnam-pdpd", "indonesia-pdp-law", "philippines-dpa", "south-africa-popia", "nigeria-ndpr", "kenya-dpa", "california-ab-1836", "california-sb-942", "tennessee-elvis-act" ], "triggerPlatforms": [], "triggerRatings": [], "regulatorySignificance": "AI-generated synthetic media may trigger the EU AI Act transparency requirements, deepfake disclosure obligations, and intellectual property considerations across jurisdictions." } ] }, { "id": "commerce-monetization", "name": "Commerce & Monetization", "features": [ { "id": "iap", "name": "In-app purchases", "icon": "💳", "description": "Users can buy digital goods, upgrades, or content within the app", "showMore": false, "subQualifications": [ { "id": "consumable", "label": "Consumable (coins, gems)", "triggerModifier": "iap-consumable" }, { "id": "subscription", "label": "Subscription/recurring", "triggerModifier": "iap-subscription" }, { "id": "unlock", "label": "One-time unlock (levels, features)", "triggerModifier": "iap-unlock" } ], "triggerRegulations": [ "age-rating-classification", "argentina-pdpa", "australian-consumer-law", "brazil-cdc", "california-arl", "ccpa", "china-minors-protection", "china-game-approval", "china-content-review", "colombia-1581", "coppa", "eu-consumer-rights", "eu-dma", "eu-emd2", "eu-mica", "eu-omnibus", "eu-oss", "ftc-act", "gdpr", "india-ecommerce-rules", "indonesia-pdp-law", "japan-sct", "kenya-dpa", "korea-ecommerce", "mexico-lfpdppp", "nigeria-ndpr", "philippines-dpa", "rosca", "saudi-ecommerce", "south-africa-popia", "ucpd", "uk-consumer-contracts", "uk-consumer-rights-act", "uk-fca-payment-services", "us-ear", "us-mtl", "us-ofac-sanctions", "vietnam-pdpd" ], "triggerPlatforms": [ "apple", "google-play", "roblox" ], "triggerRatings": [ "esrb", "pegi" ], "regulatorySignificance": "In-app purchases trigger consumer protection laws, app store platform policies, and specific regulations for minors including COPPA, FTC guidelines on dark patterns, and EU consumer rights directives." }, { "id": "subscriptions", "name": "Subscriptions / auto-renewal billing", "icon": "🔄", "description": "Recurring payment plans that auto-renew, including premium tiers and membership models", "showMore": false, "triggerRegulations": [ "argentina-pdpa", "australian-consumer-law", "brazil-cdc", "california-arl", "card-act", "ccpa", "colombia-1581", "eu-consumer-rights", "eu-dma", "eu-emd2", "eu-omnibus", "eu-oss", "ftc-act", "gdpr", "uk-gdpr", "india-ecommerce-rules", "indonesia-pdp-law", "japan-sct", "kenya-dpa", "korea-ecommerce", "mexico-lfpdppp", "nigeria-ndpr", "philippines-dpa", "rosca", "saudi-ecommerce", "south-africa-popia", "texas-dpsa", "ucpd", "uk-consumer-contracts", "uk-consumer-rights-act", "uk-fca-payment-services", "us-mtl", "vietnam-pdpd", "china-game-approval" ], "triggerPlatforms": [ "apple", "google-play" ], "triggerRatings": [], "regulatorySignificance": "Subscription models trigger auto-renewal disclosure requirements, cancellation rights under consumer protection laws, and platform-specific rules. FTC negative option rules and EU consumer rights apply." }, { "id": "loot-boxes", "name": "Loot boxes / randomized purchases", "icon": "🎰", "description": "Loot boxes, mystery boxes, gacha, blind bags, or any mechanic where the buyer doesn't know the specific item they'll receive before purchase", "showMore": false, "triggerRegulations": [ "coppa", "gdpr", "ccpa", "ftc-act", "age-rating-classification", "ucpd", "eu-dfa", "uk-consumer-rights-act", "australian-consumer-law", "korea-ecommerce", "china-minors-protection", "china-game-approval", "china-content-review", "japan-sct", "brazil-cdc", "mexico-lfpdppp", "colombia-1581", "argentina-pdpa", "vietnam-pdpd", "indonesia-pdp-law", "philippines-dpa", "south-africa-popia", "nigeria-ndpr", "kenya-dpa" ], "triggerPlatforms": [ "apple", "google-play", "roblox" ], "triggerRatings": [ "esrb", "pegi" ], "regulatorySignificance": "Loot boxes and randomized purchases face increasing regulatory scrutiny. Some jurisdictions classify them as gambling, and consumer protection agencies require probability disclosure. Enhanced restrictions apply for minors." }, { "id": "virtual-currency", "name": "Virtual currency", "icon": "🪙", "description": "In-game coins, gems, tokens, or other virtual currencies that users earn or purchase", "showMore": false, "triggerRegulations": [ "coppa", "gdpr", "ftc-act", "age-rating-classification", "eu-consumer-rights", "ucpd", "uk-consumer-contracts", "uk-consumer-rights-act", "korea-ecommerce", "japan-sct", "brazil-cdc", "mexico-lfpdppp", "colombia-1581", "argentina-pdpa", "vietnam-pdpd", "indonesia-pdp-law", "philippines-dpa", "south-africa-popia", "nigeria-ndpr", "kenya-dpa", "china-game-approval", "china-content-review" ], "triggerPlatforms": [ "apple", "roblox" ], "triggerRatings": [], "regulatorySignificance": "Virtual currencies may trigger financial regulation, consumer protection disclosure requirements, and refund obligations. Some jurisdictions apply money transmitter or e-money regulations." }, { "id": "ads", "name": "Ads / ad-supported model", "icon": "📢", "description": "Displaying advertisements to users, including banner ads, interstitials, rewarded video, and native ads", "showMore": false, "triggerRegulations": [ "coppa", "gdpr", "uk-gdpr", "ccpa", "uk-aadc", "ftc-act", "age-rating-classification", "ucpd", "texas-dpsa", "colorado-cpa", "virginia-cdpa", "connecticut-ctdpa", "oregon-ocpa", "iowa-cdpa", "tennessee-ipa", "indiana-cdpa", "mexico-lfpdppp", "colombia-1581", "argentina-pdpa", "vietnam-pdpd", "indonesia-pdp-law", "philippines-dpa", "south-africa-popia", "nigeria-ndpr", "kenya-dpa" ], "triggerPlatforms": [ "apple", "google-play", "roblox" ], "triggerRatings": [], "regulatorySignificance": "Advertising features trigger ad tracking consent requirements (GDPR/ePrivacy), COPPA restrictions on behavioral advertising to children, CCPA opt-out rights, and FTC truth-in-advertising rules." }, { "id": "dynamic-pricing", "name": "Dynamic pricing / price personalization", "icon": "🏷️", "description": "Adjusting prices based on user data, behavior, location, or other personalization signals", "showMore": true, "triggerRegulations": [ "gdpr", "ccpa", "ftc-act", "eu-consumer-rights", "eu-omnibus", "ucpd", "eu-dfa", "india-ecommerce-rules", "mexico-lfpdppp", "colombia-1581", "argentina-pdpa", "vietnam-pdpd", "indonesia-pdp-law", "philippines-dpa", "south-africa-popia", "nigeria-ndpr", "kenya-dpa" ], "triggerPlatforms": [], "triggerRatings": [], "regulatorySignificance": "Dynamic and personalized pricing may trigger consumer protection transparency requirements, algorithmic fairness obligations under the EU AI Act, and price discrimination scrutiny." }, { "id": "marketplace", "name": "Marketplace / user-to-user trading", "icon": "🏪", "description": "A marketplace where users can buy, sell, or trade items, content, or services with each other", "showMore": false, "triggerRegulations": [ "age-rating-classification", "argentina-pdpa", "au-fair-work-sham-contracting", "australia-gst-digital", "australian-consumer-law", "austria-dst", "brazil-cdc", "ca-ab2257", "ca-ab5", "ca-prop-22", "canada-dependent-contractor", "canada-dst", "colombia-1581", "dac7", "dmca", "dsa", "eu-competition-platforms", "eu-dma", "eu-gpsr-2023", "eu-omnibus", "eu-oss", "eu-p2b", "eu-pwd-2024", "flsa-economic-realities", "france-dst", "ftc-act", "gdpr", "uk-gdpr", "india-ecommerce-rules", "india-gst-digital", "indonesia-pdp-law", "irs-section-530", "italy-dst", "japan-sct", "japan-transparency-act", "kenya-dpa", "korea-ecommerce", "ma-question-3", "mexico-lfpdppp", "nigeria-ndpr", "nj-misclassification", "ny-fifa", "philippines-dpa", "saudi-ecommerce", "section-230", "south-africa-popia", "spain-dst", "turkiye-dst", "ucpd", "uk-competition-platforms", "uk-consumer-contracts", "uk-consumer-rights-act", "uk-dst", "uk-fca-payment-services", "uk-ir35", "uk-uber-aslam", "us-antitrust-platforms", "us-mtl", "us-sales-tax-wayfair", "us-state-product-liability", "vietnam-pdpd" ], "triggerPlatforms": [ "roblox" ], "triggerRatings": [], "regulatorySignificance": "Marketplace features create potential platform liability under the DSA, consumer protection obligations for facilitated transactions, and tax reporting requirements across jurisdictions." }, { "id": "tipping", "name": "Tipping / creator payments", "icon": "💸", "description": "Users can send monetary tips or payments directly to creators, streamers, or other users", "showMore": true, "triggerRegulations": [ "gdpr", "ftc-act", "mexico-lfpdppp", "colombia-1581", "argentina-pdpa", "vietnam-pdpd", "indonesia-pdp-law", "philippines-dpa", "south-africa-popia", "nigeria-ndpr", "kenya-dpa" ], "triggerPlatforms": [], "triggerRatings": [], "regulatorySignificance": "Tipping and direct payment features may trigger money transmitter regulations, payment services directives, and platform policies on creator payments and tax reporting." }, { "id": "player-gifting", "name": "Player-to-player gifting", "icon": "🎁", "description": "Users can send items, currency, or content to other users. Distinct AML, grooming, and indirect gambling implications.", "showMore": true, "triggerRegulations": [ "coppa", "gdpr", "ftc-act", "mexico-lfpdppp", "colombia-1581", "argentina-pdpa", "vietnam-pdpd", "indonesia-pdp-law", "philippines-dpa", "south-africa-popia", "nigeria-ndpr", "kenya-dpa" ], "triggerPlatforms": [], "triggerRatings": [], "regulatorySignificance": "Player-to-player gifting involves value transfer that may trigger consumer protection rules, platform policies, and potential money laundering concerns requiring transaction monitoring." }, { "id": "nfts-crypto", "name": "NFTs / blockchain / crypto", "icon": "⛓️", "description": "Any blockchain-based feature including NFTs, cryptocurrency payments, token-gated content, or web3 integrations", "showMore": true, "triggerRegulations": [ "argentina-pdpa", "australian-consumer-law", "ccpa", "colombia-1581", "eu-consumer-rights", "eu-mica", "gdpr", "indonesia-pdp-law", "kenya-dpa", "mexico-lfpdppp", "nigeria-ndpr", "philippines-dpa", "south-africa-popia", "uk-consumer-rights-act", "uk-fca-payment-services", "us-mtl", "vietnam-pdpd" ], "triggerPlatforms": [], "triggerRatings": [], "regulatorySignificance": "NFTs and cryptocurrency features may trigger securities regulations, money transmitter licensing, anti-money laundering requirements, and consumer protection disclosures across multiple jurisdictions." }, { "id": "loyalty-programs", "name": "Loyalty programs / reward points", "icon": "⭐", "description": "Points systems, VIP tiers, reward programs, or other loyalty mechanics that incentivize repeat engagement", "showMore": true, "triggerRegulations": [ "gdpr", "ccpa", "ftc-act", "rosca", "california-arl", "eu-omnibus", "mexico-lfpdppp", "colombia-1581", "argentina-pdpa", "vietnam-pdpd", "indonesia-pdp-law", "philippines-dpa", "south-africa-popia", "nigeria-ndpr", "kenya-dpa" ], "triggerPlatforms": [], "triggerRatings": [], "regulatorySignificance": "Loyalty programs involve ongoing personal data processing and may trigger consumer protection disclosure requirements, data retention limitations, and cross-border transfer restrictions." }, { "id": "gamification", "name": "Gamification / engagement mechanics", "icon": "🎮", "description": "Streaks, rewards, FOMO mechanics, loot loops, progress systems, daily login bonuses", "showMore": true, "triggerRegulations": [ "coppa", "gdpr", "uk-aadc", "kosa", "ftc-act", "age-rating-classification", "ucpd", "eu-dfa", "australian-consumer-law", "china-minors-protection", "mexico-lfpdppp", "colombia-1581", "argentina-pdpa", "vietnam-pdpd", "indonesia-pdp-law", "philippines-dpa", "south-africa-popia", "nigeria-ndpr", "kenya-dpa" ], "triggerPlatforms": [], "triggerRatings": [], "regulatorySignificance": "Gamification elements may trigger enhanced scrutiny for minor users under KOSA and UK AADC due to engagement-maximizing design. Dark pattern regulations may also apply." }, { "id": "payment-processing", "name": "Payment processing / checkout", "icon": "💳", "description": "Processing credit card, debit card, or bank payments directly (not through app store IAP)", "showMore": false, "triggerRegulations": [ "argentina-pdpa", "card-act", "ccpa", "circia", "colombia-1581", "csl", "dpdpa", "eu-consumer-rights", "eu-emd2", "gdpr", "indonesia-pdp-law", "kenya-dpa", "lgpd", "mexico-lfpdppp", "nigeria-ndpr", "nis2", "philippines-dpa", "pipl", "psd2", "rosca", "south-africa-popia", "uk-fca-payment-services", "us-mtl", "vietnam-pdpd" ], "triggerPlatforms": [], "triggerRatings": [], "regulatorySignificance": "Payment processing triggers PCI DSS compliance, financial data protection requirements, and jurisdiction-specific payment services regulations (PSD2 in EU, state money transmitter laws)." }, { "id": "environmental-claims", "name": "Environmental / sustainability claims", "icon": "🌱", "description": "Markets environmental or sustainability claims (eco-friendly, carbon-neutral, recyclable, biodegradable) or displays sustainability labels. Triggers greenwashing regimes such as the EU Empowering Consumers Directive and the FTC Green Guides.", "showMore": false, "triggerRegulations": [ "eu-empowering-consumers", "ftc-green-guides", "eu-green-claims" ], "triggerPlatforms": [], "triggerRatings": [], "regulatorySignificance": "Environmental and sustainability marketing claims trigger greenwashing regimes (EU Empowering Consumers Directive, FTC Green Guides) requiring substantiation and restricting generic, offset-based carbon-neutral, or uncertified-label claims." } ] }, { "id": "data-tracking", "name": "Data & Tracking", "features": [ { "id": "cookies-analytics", "name": "Cookies / analytics / tracking", "icon": "🍪", "description": "Using cookies, pixels, or analytics tools to track user behavior", "showMore": false, "subQualifications": [ { "id": "analytics-only", "label": "Analytics/cookies only", "triggerModifier": "data-analytics" }, { "id": "pii", "label": "Personally identifiable information", "triggerModifier": "data-pii" }, { "id": "biometric", "label": "Biometric data (face, voice, fingerprints)", "triggerModifier": "data-biometric" } ], "triggerRegulations": [ "coppa", "gdpr", "ccpa", "uk-aadc", "ferpa", "turkey-kvkk", "singapore-pdpa", "thailand-pdpa", "uae-pdp", "saudi-pdpl", "iowa-cdpa", "tennessee-ipa", "indiana-cdpa", "lgpd", "pipl", "pipa-korea", "appi", "pipeda", "dpdpa", "privacy-act-au", "csl", "mexico-lfpdppp", "colombia-1581", "argentina-pdpa", "vietnam-pdpd", "indonesia-pdp-law", "philippines-dpa", "south-africa-popia", "nigeria-ndpr", "kenya-dpa" ], "triggerPlatforms": [ "apple", "google-play" ], "triggerRatings": [], "regulatorySignificance": "Cookies and analytics tracking typically require opt-in consent in the EU (ePrivacy Directive), disclosure under CCPA, and compliance with emerging state privacy law cookie requirements." }, { "id": "location-tracking", "name": "Location tracking", "icon": "📍", "description": "Collecting GPS, IP-based, or WiFi-based location data", "showMore": false, "triggerRegulations": [ "coppa", "gdpr", "ccpa", "uk-aadc", "pipl", "turkey-kvkk", "singapore-pdpa", "thailand-pdpa", "uae-pdp", "saudi-pdpl", "lgpd", "pipa-korea", "appi", "pipeda", "dpdpa", "privacy-act-au", "mexico-lfpdppp", "colombia-1581", "argentina-pdpa", "vietnam-pdpd", "indonesia-pdp-law", "philippines-dpa", "south-africa-popia", "nigeria-ndpr", "kenya-dpa", "washington-mhmd" ], "triggerPlatforms": [ "apple", "google-play" ], "triggerRatings": [], "regulatorySignificance": "Location data is considered sensitive personal data under GDPR and several state privacy laws. Collection typically requires explicit consent and purpose limitation, with enhanced protections for minors." }, { "id": "contact-list-access", "name": "Contact list / address book access", "icon": "📇", "description": "Requesting access to user's contacts or address book", "showMore": false, "triggerRegulations": [ "coppa", "gdpr", "ccpa", "texas-dpsa", "colorado-cpa", "virginia-cdpa", "connecticut-ctdpa", "oregon-ocpa", "iowa-cdpa", "tennessee-ipa", "indiana-cdpa", "mexico-lfpdppp", "colombia-1581", "argentina-pdpa", "vietnam-pdpd", "indonesia-pdp-law", "philippines-dpa", "south-africa-popia", "nigeria-ndpr", "kenya-dpa" ], "triggerPlatforms": [ "apple", "google-play" ], "triggerRatings": [], "regulatorySignificance": "Accessing device contacts involves collecting third-party personal data, triggering GDPR consent requirements for non-users, CCPA disclosure obligations, and platform permission policies." }, { "id": "third-party-sdks", "name": "Third-party SDKs / data sharing", "icon": "🔗", "description": "Using analytics, ad network, social, or attribution SDKs that send data to third parties", "showMore": false, "triggerRegulations": [ "coppa", "gdpr", "ccpa", "uk-aadc", "turkey-kvkk", "singapore-pdpa", "thailand-pdpa", "uae-pdp", "saudi-pdpl", "iowa-cdpa", "tennessee-ipa", "indiana-cdpa", "lgpd", "pipl", "pipa-korea", "appi", "pipeda", "dpdpa", "privacy-act-au", "mexico-lfpdppp", "colombia-1581", "argentina-pdpa", "vietnam-pdpd", "indonesia-pdp-law", "philippines-dpa", "south-africa-popia", "nigeria-ndpr", "kenya-dpa", "washington-mhmd" ], "triggerPlatforms": [ "apple", "google-play" ], "triggerRatings": [], "regulatorySignificance": "Third-party SDKs create data sharing relationships that may trigger GDPR controller/processor obligations, CCPA service provider requirements, and COPPA liability for child-directed services." }, { "id": "cross-device-sync", "name": "Cross-device sync", "icon": "🔄", "description": "User data synced across devices or platforms (shared accounts, cloud saves, cross-play)", "showMore": true, "triggerRegulations": [ "gdpr", "ccpa", "uk-aadc", "dsl", "mexico-lfpdppp", "colombia-1581", "argentina-pdpa", "vietnam-pdpd", "indonesia-pdp-law", "philippines-dpa", "south-africa-popia", "nigeria-ndpr", "kenya-dpa" ], "triggerPlatforms": [], "triggerRatings": [], "regulatorySignificance": "Cross-device tracking and syncing may constitute profiling under GDPR, requiring transparency and potentially consent. State privacy laws increasingly regulate cross-context behavioral tracking." }, { "id": "background-collection", "name": "Background data collection", "icon": "📡", "description": "App collects data when not actively in use (background location, sync, health data)", "showMore": true, "triggerRegulations": [ "gdpr", "ccpa", "uk-aadc", "mexico-lfpdppp", "colombia-1581", "argentina-pdpa", "vietnam-pdpd", "indonesia-pdp-law", "philippines-dpa", "south-africa-popia", "nigeria-ndpr", "kenya-dpa" ], "triggerPlatforms": [ "apple", "google-play" ], "triggerRatings": [], "regulatorySignificance": "Background data collection faces heightened scrutiny under GDPR data minimization, CCPA disclosure requirements, and platform policies. Enhanced restrictions typically apply for minor users." }, { "id": "offline-storage", "name": "Offline / local data storage", "icon": "💾", "description": "Storing data locally on device beyond the active session", "showMore": true, "triggerRegulations": [ "gdpr", "ccpa", "mexico-lfpdppp", "colombia-1581", "argentina-pdpa", "vietnam-pdpd", "indonesia-pdp-law", "philippines-dpa", "south-africa-popia", "nigeria-ndpr", "kenya-dpa" ], "triggerPlatforms": [], "triggerRatings": [], "regulatorySignificance": "Offline data storage must comply with device security requirements, data retention limits, and encryption obligations under various privacy frameworks. Deletion rights must still be honored." }, { "id": "screen-recording", "name": "Screen recording / replay systems", "icon": "🎬", "description": "Recording or replaying user sessions, screens, or gameplay", "showMore": true, "triggerRegulations": [ "coppa", "gdpr", "ccpa", "mexico-lfpdppp", "colombia-1581", "argentina-pdpa", "vietnam-pdpd", "indonesia-pdp-law", "philippines-dpa", "south-africa-popia", "nigeria-ndpr", "kenya-dpa" ], "triggerPlatforms": [], "triggerRatings": [], "regulatorySignificance": "Screen recording and session replay typically constitute personal data processing requiring consent under GDPR, disclosure under CCPA, and compliance with wiretapping laws in some jurisdictions." }, { "id": "clipboard-access", "name": "Clipboard access", "icon": "📋", "description": "Reading from or monitoring the device clipboard", "showMore": true, "triggerRegulations": [ "gdpr", "ccpa", "mexico-lfpdppp", "colombia-1581", "argentina-pdpa", "vietnam-pdpd", "indonesia-pdp-law", "philippines-dpa", "south-africa-popia", "nigeria-ndpr", "kenya-dpa" ], "triggerPlatforms": [ "apple" ], "triggerRatings": [], "regulatorySignificance": "Clipboard access involves collecting potentially sensitive data without explicit user action, triggering transparency and consent requirements under GDPR and platform privacy policies." }, { "id": "file-upload", "name": "File upload / cloud storage", "icon": "📁", "description": "Users can upload, store, or share files (documents, images, videos) on your servers", "showMore": false, "triggerRegulations": [ "gdpr", "ccpa", "lgpd", "pipl", "dpdpa", "pipeda", "dsa", "csl", "dsl", "nis2", "circia", "mexico-lfpdppp", "colombia-1581", "argentina-pdpa", "vietnam-pdpd", "indonesia-pdp-law", "philippines-dpa", "south-africa-popia", "nigeria-ndpr", "kenya-dpa" ], "triggerPlatforms": [], "triggerRatings": [], "regulatorySignificance": "File upload features involve processing user-submitted content, triggering data storage obligations, content scanning considerations, and size/type restrictions under platform policies." }, { "id": "geolocation", "name": "Geolocation services", "icon": "📍", "description": "Using GPS, IP-based, or Wi-Fi location data for features, content, or advertising", "showMore": false, "triggerRegulations": [ "gdpr", "ccpa", "coppa", "uk-aadc", "lgpd", "pipl", "bipa", "turkey-kvkk", "singapore-pdpa", "thailand-pdpa", "uae-pdp", "saudi-pdpl", "pipa-korea", "appi", "pipeda", "dpdpa", "privacy-act-au", "mexico-lfpdppp", "colombia-1581", "argentina-pdpa", "vietnam-pdpd", "indonesia-pdp-law", "philippines-dpa", "south-africa-popia", "nigeria-ndpr", "kenya-dpa" ], "triggerPlatforms": [ "apple", "google-play" ], "triggerRatings": [], "regulatorySignificance": "Precise geolocation is classified as sensitive data under GDPR and most state privacy laws, typically requiring explicit opt-in consent and purpose limitation with enhanced protections for minors." }, { "id": "health-data-collection", "name": "Consumer health data", "icon": "🩺", "description": "Collects or infers consumer health data outside the HIPAA perimeter, including precise location that could reveal health-facility visits. Triggers consumer-health-data laws such as Washington's My Health My Data Act.", "showMore": false, "triggerRegulations": [ "washington-mhmd" ], "triggerPlatforms": [], "triggerRatings": [], "regulatorySignificance": "Collecting or inferring consumer health data outside HIPAA triggers consumer-health-data laws (Washington My Health My Data Act) requiring separate consent to collect, separate authorization to sell, and a standalone consumer-health-data privacy policy." } ] }, { "id": "device-sensors", "name": "Device & Sensors", "features": [ { "id": "camera-access", "name": "Camera access", "icon": "📷", "description": "Accessing the device camera for photos, video, scanning, or AR features", "showMore": false, "triggerRegulations": [ "coppa", "gdpr", "ccpa", "uk-aadc", "mexico-lfpdppp", "colombia-1581", "argentina-pdpa", "vietnam-pdpd", "indonesia-pdp-law", "philippines-dpa", "south-africa-popia", "nigeria-ndpr", "kenya-dpa", "texas-cubi" ], "triggerPlatforms": [ "apple", "google-play" ], "triggerRatings": [], "regulatorySignificance": "Camera access involves collecting visual data that may include biometric information, triggering BIPA consent requirements, GDPR special category processing rules, and platform permission policies." }, { "id": "microphone-audio", "name": "Microphone / audio / voice commands", "icon": "🎙️", "description": "Accessing the device microphone for voice input, audio recording, or voice command features", "showMore": false, "triggerRegulations": [ "coppa", "gdpr", "ccpa", "uk-aadc", "mexico-lfpdppp", "colombia-1581", "argentina-pdpa", "vietnam-pdpd", "indonesia-pdp-law", "philippines-dpa", "south-africa-popia", "nigeria-ndpr", "kenya-dpa", "texas-cubi" ], "triggerPlatforms": [ "apple", "google-play" ], "triggerRatings": [], "regulatorySignificance": "Microphone and audio access may capture voice biometrics and conversations, triggering BIPA, wiretapping consent laws, and COPPA requirements when processing children audio data." }, { "id": "ar-vr", "name": "AR/VR (spatial data, headset sensors)", "icon": "🥽", "description": "Augmented or virtual reality features that collect spatial data, eye tracking, hand tracking, or headset sensor data", "showMore": false, "triggerRegulations": [ "gdpr", "ccpa", "uk-aadc", "ai-act", "mexico-lfpdppp", "colombia-1581", "argentina-pdpa", "vietnam-pdpd", "indonesia-pdp-law", "philippines-dpa", "south-africa-popia", "nigeria-ndpr", "kenya-dpa" ], "triggerPlatforms": [], "triggerRatings": [], "regulatorySignificance": "AR/VR features may collect spatial, biometric, and behavioral data that triggers GDPR special category processing, emerging XR-specific regulations, and enhanced safety considerations for minors." }, { "id": "nfc-bluetooth", "name": "NFC / Bluetooth connectivity", "icon": "📶", "description": "Using NFC, Bluetooth, or similar short-range wireless protocols for pairing, data transfer, or proximity features", "showMore": true, "triggerRegulations": [ "gdpr", "ccpa", "mexico-lfpdppp", "colombia-1581", "argentina-pdpa", "vietnam-pdpd", "indonesia-pdp-law", "philippines-dpa", "south-africa-popia", "nigeria-ndpr", "kenya-dpa" ], "triggerPlatforms": [], "triggerRatings": [], "regulatorySignificance": "NFC and Bluetooth features involve proximity-based data collection that may trigger location tracking regulations, device fingerprinting restrictions, and Bluetooth beacon consent requirements." }, { "id": "connected-hardware", "name": "Connected hardware / IoT device", "icon": "📟", "description": "Ships a physical connected device, firmware, or other product with digital elements (not a pure web or mobile service). Triggers product-security regimes such as the EU Cyber Resilience Act and the UK PSTI rules.", "showMore": false, "triggerRegulations": [ "eu-cra", "eu-gpsr-2023", "uk-psti" ], "triggerPlatforms": [], "triggerRatings": [], "regulatorySignificance": "Connected hardware and products with digital elements trigger product-security regimes (EU Cyber Resilience Act, UK PSTI) imposing secure-by-design, coordinated vulnerability disclosure, and security-update obligations distinct from software-only services." } ] }, { "id": "ai-automation", "name": "AI & Automation", "features": [ { "id": "ai-content-gen", "name": "AI content generation (text, image, audio)", "icon": "🤖", "description": "Using AI models to generate text, images, audio, video, or other content within the product", "showMore": false, "triggerRegulations": [ "ai-act", "argentina-pdpa", "ccpa", "china-algorithm", "china-content-review", "colombia-1581", "colorado-ai-act", "dsa", "eu-dual-use", "gdpr", "indonesia-pdp-law", "kenya-dpa", "mexico-lfpdppp", "nigeria-ndpr", "philippines-dpa", "south-africa-popia", "uk-export-control-order", "us-ear", "vietnam-pdpd", "california-ab-1836", "california-ab-2013", "california-sb-53", "california-sb-942", "ftc-ai-advertising-guidance", "tennessee-elvis-act", "utah-sb-149", "california-sb-243" ], "triggerPlatforms": [], "triggerRatings": [], "regulatorySignificance": "AI content generation may trigger EU AI Act transparency and disclosure obligations, intellectual property considerations, and content liability questions across jurisdictions." }, { "id": "ai-recommendations", "name": "AI recommendations / personalization", "icon": "🎯", "description": "Using AI or machine learning to personalize content, product suggestions, or user experiences", "showMore": false, "subQualifications": [ { "id": "content-recs", "label": "Content recommendations (feeds, suggestions)", "triggerModifier": "ai-content" }, { "id": "automated-decisions", "label": "Automated decisions affecting users (credit, moderation)", "triggerModifier": "ai-automated-decisions" } ], "triggerRegulations": [ "gdpr", "ai-act", "uk-aadc", "dsa", "ccpa", "ferpa", "china-algorithm", "colorado-ai-act", "japan-transparency-act", "mexico-lfpdppp", "colombia-1581", "argentina-pdpa", "vietnam-pdpd", "indonesia-pdp-law", "philippines-dpa", "south-africa-popia", "nigeria-ndpr", "kenya-dpa", "ftc-ai-advertising-guidance", "california-sb-976", "illinois-aivia" ], "triggerPlatforms": [], "triggerRatings": [], "regulatorySignificance": "AI-powered recommendations may constitute profiling under GDPR Art. 22, trigger algorithmic transparency requirements under the DSA, and face enhanced scrutiny for minor users under KOSA." }, { "id": "algo-feeds", "name": "Algorithmic feeds / content ranking", "icon": "📊", "description": "Using algorithms to rank, sort, or curate content feeds rather than showing content chronologically", "showMore": false, "triggerRegulations": [ "argentina-pdpa", "austria-dst", "canada-dst", "china-algorithm", "colombia-1581", "dsa", "eu-competition-platforms", "eu-dma", "france-dst", "gdpr", "indonesia-pdp-law", "italy-dst", "japan-transparency-act", "kenya-dpa", "kosa", "mexico-lfpdppp", "nigeria-ndpr", "philippines-dpa", "south-africa-popia", "spain-dst", "turkiye-dst", "uk-aadc", "uk-competition-platforms", "uk-dst", "us-antitrust-platforms", "vietnam-pdpd", "california-sb-976" ], "triggerPlatforms": [], "triggerRatings": [], "regulatorySignificance": "Algorithmic content feeds face regulatory scrutiny under the DSA (recommendation transparency), KOSA (addictive design for minors), and UK AADC (best interests of children)." }, { "id": "ai-chat", "name": "AI chat / conversational AI", "icon": "💬", "description": "AI-powered chatbots, virtual assistants, or conversational interfaces that interact with users", "showMore": false, "triggerRegulations": [ "gdpr", "ai-act", "coppa", "uk-aadc", "mexico-lfpdppp", "colombia-1581", "argentina-pdpa", "vietnam-pdpd", "indonesia-pdp-law", "philippines-dpa", "south-africa-popia", "nigeria-ndpr", "kenya-dpa", "ftc-ai-advertising-guidance", "utah-sb-149", "california-sb-1001", "california-sb-243" ], "triggerPlatforms": [], "triggerRatings": [], "regulatorySignificance": "AI chatbots may trigger EU AI Act transparency requirements, GDPR automated decision-making provisions, and enhanced disclosure obligations when interacting with minors." }, { "id": "automated-decisions", "name": "Automated decision-making (moderation, fraud, eligibility)", "icon": "⚖️", "description": "Using automated systems to make decisions that affect users, such as content moderation, fraud detection, credit scoring, or eligibility determinations", "showMore": false, "triggerRegulations": [ "gdpr", "ai-act", "ccpa", "china-algorithm", "colorado-ai-act", "nyc-ll144", "mexico-lfpdppp", "colombia-1581", "argentina-pdpa", "vietnam-pdpd", "indonesia-pdp-law", "philippines-dpa", "south-africa-popia", "nigeria-ndpr", "kenya-dpa", "connecticut-sb-1103", "ftc-ai-advertising-guidance", "utah-sb-149", "california-sb-1001", "illinois-aivia" ], "triggerPlatforms": [], "triggerRatings": [], "regulatorySignificance": "Automated decision-making triggers GDPR Art. 22 rights (human review, explanation), EU AI Act risk classification, and emerging US state algorithmic accountability requirements." }, { "id": "emotion-recognition", "name": "Emotion recognition / sentiment analysis", "icon": "😐", "description": "Detecting or analyzing user emotions through facial expressions, voice tone, text sentiment, or physiological signals", "showMore": true, "triggerRegulations": [ "gdpr", "ai-act", "bipa", "pipl", "mexico-lfpdppp", "colombia-1581", "argentina-pdpa", "vietnam-pdpd", "indonesia-pdp-law", "philippines-dpa", "south-africa-popia", "nigeria-ndpr", "kenya-dpa", "texas-cubi", "washington-hb1493" ], "triggerPlatforms": [], "triggerRatings": [], "regulatorySignificance": "Emotion recognition is classified as high-risk or prohibited under the EU AI Act, triggers biometric processing rules under GDPR, and faces bans in some US jurisdictions." } ] }, { "id": "trust-safety", "name": "Trust & Safety", "features": [ { "id": "content-moderation", "name": "Content moderation system", "icon": "🛡️", "description": "Systems for reviewing, filtering, or removing user content including automated moderation, human review, and reporting workflows", "showMore": false, "triggerRegulations": [ "dsa", "uk-osa", "kosa", "india-it-rules", "brazil-marco-civil", "section-230", "netzdg", "take-it-down-act", "saudi-anti-cyber" ], "triggerPlatforms": [ "apple", "google-play" ], "triggerRatings": [], "regulatorySignificance": "Content moderation systems are required under the EU DSA and UK Online Safety Act, with specific obligations for transparency reporting, appeal mechanisms, and enhanced duties for minor users." }, { "id": "parental-controls", "name": "Parental controls", "icon": "👪", "description": "Tools that let parents or guardians manage, monitor, or restrict their child's experience within the product", "showMore": false, "triggerRegulations": [ "coppa", "uk-aadc", "kosa" ], "triggerPlatforms": [ "apple", "google-play" ], "triggerRatings": [], "regulatorySignificance": "Parental control features help demonstrate COPPA compliance and UK AADC adherence. Implementation details may affect whether a service is classified as directed to children." }, { "id": "accessibility", "name": "Accessibility features", "icon": "♿", "description": "Features supporting users with disabilities, including screen readers, alternative inputs, captions, and other accommodations", "showMore": false, "triggerRegulations": [ "ada", "eaa", "en-301-549", "section-508", "equality-act-2010", "aca", "dda-australia" ], "triggerPlatforms": [], "triggerRatings": [], "regulatorySignificance": "Accessibility features implicate ADA, EU Accessibility Act, WCAG compliance requirements, and may affect GDPR legitimate interest assessments for inclusive design." }, { "id": "anti-cheat", "name": "Anti-cheat / automated enforcement", "icon": "🚫", "description": "Systems that detect cheating, exploits, or policy violations and automatically enforce penalties like bans or restrictions", "showMore": true, "triggerRegulations": [ "gdpr", "ccpa", "mexico-lfpdppp", "colombia-1581", "argentina-pdpa", "vietnam-pdpd", "indonesia-pdp-law", "philippines-dpa", "south-africa-popia", "nigeria-ndpr", "kenya-dpa" ], "triggerPlatforms": [], "triggerRatings": [], "regulatorySignificance": "Anti-cheat systems may involve device scanning and behavioral monitoring that triggers GDPR data processing requirements, platform policies, and potentially computer fraud law considerations." } ] }, { "id": "infrastructure", "name": "Infrastructure & Integration", "features": [ { "id": "api-webhooks", "name": "API / webhook integrations", "icon": "🔌", "description": "Exposing APIs or webhooks that allow third parties to access or receive user data", "showMore": false, "triggerRegulations": [ "gdpr", "ccpa", "pipl", "dpdpa", "csl", "dsl", "nis2", "circia", "mexico-lfpdppp", "colombia-1581", "argentina-pdpa", "vietnam-pdpd", "indonesia-pdp-law", "philippines-dpa", "south-africa-popia", "nigeria-ndpr", "kenya-dpa" ], "triggerPlatforms": [], "triggerRatings": [], "regulatorySignificance": "APIs and webhooks create data sharing channels that trigger GDPR data processing agreements, API security requirements, and rate-limiting obligations to prevent data scraping." }, { "id": "multi-tenancy", "name": "Multi-tenant / white-label", "icon": "🏢", "description": "Hosting multiple organizations or brands on shared infrastructure with separate data", "showMore": true, "triggerRegulations": [ "gdpr", "ccpa", "pipl", "dpdpa", "pipeda", "dsl", "nis2", "mexico-lfpdppp", "colombia-1581", "argentina-pdpa", "vietnam-pdpd", "indonesia-pdp-law", "philippines-dpa", "south-africa-popia", "nigeria-ndpr", "kenya-dpa" ], "triggerPlatforms": [], "triggerRatings": [], "regulatorySignificance": "Multi-tenant architectures must ensure data isolation between tenants, comply with cross-border data transfer restrictions, and maintain separate processing records under GDPR." }, { "id": "search-functionality", "name": "Search engine / content indexing", "icon": "🔍", "description": "Indexing and searching user content, third-party content, or web content", "showMore": true, "triggerRegulations": [ "gdpr", "dsa", "ccpa", "japan-transparency-act", "mexico-lfpdppp", "colombia-1581", "argentina-pdpa", "vietnam-pdpd", "indonesia-pdp-law", "philippines-dpa", "south-africa-popia", "nigeria-ndpr", "kenya-dpa" ], "triggerPlatforms": [], "triggerRatings": [], "regulatorySignificance": "Search features involve processing user queries as personal data under GDPR, may enable profiling, and trigger DSA obligations for content ranking transparency." } ] } ] }