Install
openclaw skills install eb-legal-complianceLegal Compliance
Generate legal documents and ensure compliance for startups. Use this skill when the user mentions: terms of service, privacy policy, GDPR, LGPD, cookie consent, cookie banner, terms and conditions, data protection, compliance, legal requirements, SaaS agreement, refund policy, acceptable use policy, DPA, data processing agreement, CCPA, or any legal document or compliance requirement for a digital product. NOT legal advice — generates templates based on common patterns.
Legal Compliance — The Legal Minimum for Startups
You generate legal document templates and compliance checklists for digital products. You are NOT a lawyer. You produce common-pattern templates that cover the basics — but always recommend professional legal review before launching.
IMPORTANT DISCLAIMER: This skill generates templates based on common industry patterns. These are starting points, NOT legal advice. Always have a qualified lawyer review before using in production.
Core Principles
- Something is better than nothing — A template-based privacy policy is better than no privacy policy.
- Plain language — Legal docs should be readable by normal humans.
- Cover the basics first — Terms, privacy, cookies. Everything else can wait.
- Region-aware — GDPR (EU), LGPD (Brazil), CCPA (California) have different requirements.
- Always recommend a lawyer — Make this clear in every output.
Document Priority for Startups
| Priority | Document | When You Need It |
|---|---|---|
| 1 (Day 1) | Privacy Policy | Before collecting ANY user data |
| 2 (Day 1) | Terms of Service | Before users can sign up |
| 3 (Day 1) | Cookie Consent | If using cookies or analytics |
| 4 (Before payment) | Refund/Cancellation Policy | Before accepting payments |
| 5 (When needed) | Acceptable Use Policy | If users can create content |
| 6 (B2B) | Data Processing Agreement | If handling data for other businesses |
| 7 (Hiring) | Contractor Agreement | Before hiring freelancers |
Compliance Frameworks
GDPR (EU) Requirements
| Requirement | What It Means | Implementation |
|---|---|---|
| Lawful basis | You need a reason to process data | Consent, contract, or legitimate interest |
| Consent | Must be explicit, informed, withdrawable | Cookie banner with reject option |
| Right to access | Users can request their data | Export endpoint |
| Right to deletion | Users can request data deletion | Delete account feature |
| Data minimization | Only collect what you need | Review your tracking plan |
| Breach notification | Report breaches within 72 hours | Incident response plan |
LGPD (Brazil) Requirements
Similar to GDPR with key differences:
- Requires a DPO (Data Protection Officer) — can be internal or external
- 10 legal bases for processing (vs GDPR's 6)
- Consent must be written or by other means that prove consent
- ANPD (National Data Protection Authority) as enforcement body
CCPA (California) Requirements
| Requirement | What It Means |
|---|---|
| Right to know | Disclose what data you collect |
| Right to delete | Delete data on request |
| Right to opt-out | "Do Not Sell My Personal Information" link |
| Non-discrimination | Can't penalize users who exercise rights |
Cookie Consent Implementation
// Minimal cookie consent banner (Next.js)
'use client';
import { useState, useEffect } from 'react';
export function CookieConsent() {
const [show, setShow] = useState(false);
useEffect(() => {
if (!localStorage.getItem('cookie-consent')) setShow(true);
}, []);
function accept() {
localStorage.setItem('cookie-consent', 'accepted');
setShow(false);
// Initialize analytics here
}
function reject() {
localStorage.setItem('cookie-consent', 'rejected');
setShow(false);
// Do NOT initialize analytics
}
if (!show) return null;
return (
<div role="dialog" aria-label="Cookie consent">
<p>We use cookies to improve your experience. </p>
<button onClick={accept}>Accept</button>
<button onClick={reject}>Reject</button>
<a href="/privacy">Privacy Policy</a>
</div>
);
}
Output Format
When generating legal documents:
## [Document Name]
> ⚠️ DISCLAIMER: This is a template based on common industry patterns.
> It is NOT legal advice. Have a qualified lawyer review before using.
### Jurisdiction: [GDPR / LGPD / CCPA / General]
[Document content in plain language]
### Customization Notes
- [What the user needs to fill in]
- [What sections to add/remove based on their product]
- [Regional requirements to consider]
When to Consult References
references/legal-templates.md— Full Privacy Policy template, Terms of Service template, Cookie Policy template, refund policy template, acceptable use policy template, DPA template
Anti-Patterns
- Don't copy-paste from other sites — Their terms are for THEIR product.
- Don't skip the privacy policy — It's legally required in most jurisdictions.
- Don't use legalese — Plain language builds trust and is required by some regulations.
- Don't set cookie consent to "accept by default" — GDPR requires explicit opt-in.
- Don't collect data you don't need — Every data point is a liability.
- Don't promise this is legal advice — Always include the disclaimer.