Methodology & sources
RuleGoose is only useful if you can trust it. So here's exactly what each checker is based on, where the rule comes from, when we last reviewed it, and what we do (and don't) do with your data. Clause reads the actual regulations — and shows his work.
🪿 Reviewed on a rolling cadence. We re-check each rule against its primary source regularly and whenever a change lands. Last full pass: June 26, 2026. Rule-Watch subscribers get alerted the moment any of these move.
The rules we check, and their sources
EU AI Act — content labeling (Article 50)
We check whether AI-generated images, audio, video and text — and AI chatbots — are disclosed and labeled as Art. 50 requires.
Official text on EUR-Lex →EU product safety — GPSR
We check for an EU Responsible Person, manufacturer details, product identifiers, warnings, and listing disclosures.
Official text on EUR-Lex →FTC fake-reviews & endorsements
We check for fake/AI reviews, bought engagement, undisclosed insiders or influencers, review suppression, and unsupported testimonial claims.
Official text on eCFR →European Accessibility Act (WCAG 2.1 AA)
We check the practices behind WCAG 2.1 AA — alt text, keyboard access, contrast, labeled forms, captions, structure — and your accessibility statement.
Official text on EUR-Lex →US subscription auto-renewal
We check signup disclosure & consent, terms-before-billing, easy cancellation, and renewal reminders. Note: the FTC's federal "click-to-cancel" Negative Option Rule was vacated by the Eighth Circuit in July 2025; ROSCA and state laws remain in force, and the FTC reopened rulemaking in Jan 2026 — so we check against the law that is actually in effect today.
ROSCA on Cornell LII →Etsy 2025 Creativity Standards
We check listing production fields and description against the "made by the seller" rules for AI-assisted and digital products.
Etsy's Creativity Standards →GDPR privacy & cookie consent
We check for a published privacy policy, lawful basis, prior opt-in for non-essential cookies with an equal Reject option, third-party disclosure, and a route to exercise data rights.
Official GDPR text on EUR-Lex →US state privacy (CCPA/CPRA)
We check for a current privacy notice, disclosure of data categories & purposes, a "Do Not Sell or Share" opt-out, honoring of GPC signals, consumer rights, and non-discrimination.
California AG — CCPA →CAN-SPAM email marketing
We check marketing emails for a clear unsubscribe, honoring opt-outs within 10 business days, a valid physical postal address, and honest headers/subjects.
Official CAN-SPAM Rule on eCFR →TCPA — SMS / text marketing
We check for prior express written consent before marketing texts, a working STOP opt-out, sender identification, quiet hours, and consent records.
TCPA (47 U.S.C. 227) on Cornell LII →PCI DSS — payment security
We check that card data never touches your server (hosted/tokenized processor), the site is HTTPS, full card numbers/CVV aren't stored, your SAQ is done, software is patched, and admin access uses MFA.
PCI Security Standards Council →ADA web accessibility (US)
We check the WCAG 2.1 AA basics (alt text, keyboard, contrast, labeled forms), whether you rely only on an accessibility overlay, your accessibility statement, and assistive-tech testing.
ADA.gov — web accessibility guidance →COPPA — children's privacy (US)
We check for verifiable parental consent before collecting from under-13s, a children's privacy policy and direct notice to parents, data minimization, parental review/delete rights, a written retention limit, and a separate opt-in before any third-party or ad sharing — including the FTC's 2025 amendments.
Official COPPA Rule on eCFR →EU packaging & EPR — PPWR
We check whether you're registered for packaging EPR in each EU country you sell to, have your EPR number(s) on file for marketplaces, report volumes and pay the eco-contributions, label packaging for sorting where required (e.g. France's Triman), appoint an EU authorised representative where needed, and design recyclable, minimal packaging under the PPWR.
Official PPWR text on EUR-Lex →EU consumer rights — distance selling
We check distance-selling contracts for a 14-day right of withdrawal, withdrawal information given before the order (missing it extends the period by 12 months), the model withdrawal form, the mandatory pre-contractual information, a clearly labelled "obligation to pay" order button, order confirmation on a durable medium, and a 14-day refund including standard delivery.
Official text on EUR-Lex →How the checker works
Deterministic + heuristic
Each checker combines exact field rules (e.g. "is an EU Responsible Person named?") with keyword heuristics on the text you paste. It explains every gap and a specific fix.
Runs in your browser
The free checks run client-side. We don't need an account, and your answers aren't sent anywhere unless you explicitly ask us to email your results.
Conservative by design
We'd rather flag something for review than wave it through. The checker never "fake-passes" — items it can't verify from text are surfaced as manual to-dos.
Kept current
Rules change. We review the sources above and, with Rule-Watch, monitor for changes and alert subscribers — so a "compliant" today doesn't quietly rot.
Privacy
We practice what we check. No third-party tracking or ad scripts. No cookies for the checkers. Fonts are self-hosted, so visiting RuleGoose doesn't leak your IP to a font CDN. Nothing you type is stored unless you submit it to us on purpose (e.g. the email-my-score form).
RuleGoose is an informational tool, not legal advice, and isn't affiliated with the EU, the FTC, or Etsy. Source links are to official texts; review dates indicate when we last checked our logic against them.
Free, no signup — one RuleGoose Score across every rule that applies to you. Get your RuleGoose Score →