Stats
Actions
Tags
Help us improve
Share bugs, ideas, or general feedback.
From privacy-legal
Detects gaps between privacy policy and actual data practices. Sweeps saved PIAs and DPAs to find policy drift, or answers queries about proposed new practices.
npx claudepluginhub anthropics/claude-for-legal --plugin privacy-legalHow this skill is triggered — by the user, by Claude, or both
Slash command
/privacy-legal:policy-monitor [describe a proposed new practice — or omit / use --sweep for crawl mode][describe a proposed new practice — or omit / use --sweep for crawl mode]The summary Claude sees in its skill listing — used to decide when to auto-load this skill
**Sweep mode** (no argument or `--sweep`):
Monitors KVKK/GDPR privacy policy, consent, and data inventory alignment with actual practice. Detects policy drift from audit outputs or checks new processing activities against existing documents.
Runs weekly sweeps of AI policy documents against approved AIAs and triage results to identify policy drift, and answers direct queries about proposed AI practices.
Diffs a regulatory change against an indexed policy library to identify gaps and required policy updates. Use when a regulation changes or for gap analysis.
Share bugs, ideas, or general feedback.
Sweep mode (no argument or --sweep):
~/.claude/plugins/config/claude-for-legal/privacy-legal/CLAUDE.md → outputs folder path, policy document, last sweep date.~/.claude/plugins/config/claude-for-legal/privacy-legal/CLAUDE.md.Direct query mode (with description argument):
~/.claude/plugins/config/claude-for-legal/privacy-legal/CLAUDE.md → current policy commitments + actual policy document.Schedule: Set up a recurring reminder in your own scheduler (calendar, task manager, or CI) to run /privacy-legal:policy-monitor weekly. Scheduled execution requires a scheduled-tasks integration, which is not bundled with this plugin.
/privacy-legal:policy-monitor
/privacy-legal:policy-monitor "We want to start using behavioral data to personalize onboarding emails"
Privacy policies drift from practice in one direction: practice moves forward, policy stays behind. A PIA approves a new data category. A DPA is signed with a subprocessor not listed anywhere. A triage result marks a new use case conditional with a disclosure requirement that the policy doesn't yet make. Months later, someone reads the policy and it doesn't reflect what actually happens.
This skill catches the drift before it becomes a problem — either by crawling the outputs folder weekly, or by answering the direct question: "we're about to start doing X, what does that mean for the policy?"
The output is always the same: here's the gap, here's the suggested language.
Read ~/.claude/plugins/config/claude-for-legal/privacy-legal/CLAUDE.md:
## Who we are → ## Regulatory footprint — the regimes in scope (GDPR, CCPA / CPRA / other state consumer privacy, GLBA, HIPAA, FERPA, COPPA, VPPA, CPNI, etc.)## Privacy policy commitments — the commitments extracted from the published policy## Outputs — outputs folder path, policy document location, last sweep dateIf ## Outputs contains [PLACEHOLDER]:
"Outputs aren't configured yet. I can still run a direct-query check — describe what you're planning to do and I'll diff it against your current policy. To enable the crawl sweep, run
/privacy-legal:cold-start-interviewand provide the outputs folder path."
Read the actual privacy policy document from the path in ## Outputs → Privacy
policy document. The commitments in the config CLAUDE.md are a summary; the actual document
is authoritative for suggesting edits.
The website privacy policy is one surface. Modern privacy programs make binding commitments in at least four more places that regulators actively scrutinize for inconsistencies:
Add fields to the practice profile for each surface's location and last-updated date. The sweep checks each against the current policy and flags divergence: "Privacy policy updated [date]. App Store label last updated [earlier date] — may not reflect the new data category. CMP last configured [date] — verify cookie purposes match the policy."
A company with a clean privacy policy and a stale App Store label is a company with an FTC complaint waiting to happen. Sweep the surfaces, not just the document.
The website privacy policy is one notice. Federally-regulated practices require a separate, sector-specific notice that the website policy does not substitute for. If ## Regulatory footprint includes any of the following, the sweep diffs practice against that notice in addition to the website policy — or flags its absence if no such notice has been configured:
| Footprint entry | Sectoral notice to diff against | What to flag |
|---|---|---|
| GLBA / Reg P (financial institution handling NPI) | GLBA initial + annual privacy notice (12 C.F.R. Part 1016, or the functional regulator's equivalent) | Outputs implying new NPI categories, sharing with non-affiliated third parties, or changes to opt-out mechanics that the Reg P notice doesn't reflect. A DPA signed with an analytics vendor receiving NPI with no matching Reg P notice update is a gap. |
| HIPAA (covered entity or BA) | Notice of Privacy Practices (45 C.F.R. § 164.520) | Outputs implying new uses or disclosures, new routine categories, or changes to patient-rights mechanics. A BAA signed with a new subcontractor flowing PHI with no matching NPP refresh is a gap. |
| FERPA (school or school service provider) | Annual directory-information / rights notice (34 C.F.R. § 99.37) | Outputs implying new disclosure categories to service providers under the school-official exception, new directory-information elements, or changes that implicate parental-consent flow-through. |
| COPPA (operator of service directed to children <13) | Direct notice to parents + online notice (16 C.F.R. § 312.4) | Outputs implying new data categories collected from children, new third-party disclosures, or changes to the verifiable-parental-consent mechanic. |
| VPPA / CPNI / DPPA / other sectoral | The regime's specific notice or consent regime | Processing activities the regime restricts that aren't reflected in the configured notice. |
If no sectoral notice is configured for a regime in the footprint, surface this as a standing gap on every sweep, not a one-time finding. The sweep output should include:
Sectoral notice coverage:
- [regime]: [configured notice path + last updated, or "NOT CONFIGURED — flag each sweep until resolved"]
If the sweep cannot locate the sectoral notice, say so explicitly — do not silently default to diffing only against the website policy. A fintech DPO relying on a policy-monitor sweep that ignored GLBA would ship with an outdated regulator-facing notice and no warning. Surface the gap loudly.
Ask the user if the footprint is ambiguous. If ## Regulatory footprint says "GDPR / CCPA" but the outputs scan surfaces PHI, NPI, or student data categories, surface the footprint-vs-practice mismatch before proceeding: "Your footprint doesn't list [GLBA / HIPAA / FERPA / COPPA] but this sweep is looking at outputs that involve [category]. Should this regime be added to the footprint, and is there a sectoral notice to diff against?"
Sweep mode: No argument, --sweep, or triggered by schedule.
→ Scan the outputs folder. Diff all outputs since last sweep against current policy.
Direct query mode: User provides a description of a proposed new practice. → Diff that practice against current policy. Suggest updates.
Read ## Outputs → Last policy sweep date. Scan for output files in the
outputs folder that are dated after that date. If no date is recorded, scan all
files and note: "First sweep — scanning all outputs."
If the outputs folder is empty or has no new files since the last sweep:
"No new outputs since [last sweep date]. Policy appears current with recent practice. Next scheduled sweep: [date]."
Update Last policy sweep in ~/.claude/plugins/config/claude-for-legal/privacy-legal/CLAUDE.md to today's date after completing the sweep.
PIAs (Privacy Impact Assessments):
DPA reviews (signed or approved):
Triage results (PIA REQUIRED / PROCEED outcomes):
DSAR responses:
For each flagged item, assess:
REQUIRED update — the policy makes a commitment that this output contradicts, or the processing is occurring and the policy has no coverage at all. Not updating creates a material misrepresentation.
Example: Policy says "we collect name, email, and payment information." A PIA approved collection of location data. Policy says nothing about location. That's a REQUIRED update — you're collecting data you haven't disclosed.
ADVISABLE update — the policy is silent but not in conflict. The processing is defensible without updating, but cleaner with it.
Example: Policy says "we may share data with service providers." A DPA was signed with a new analytics vendor. Policy doesn't name the vendor but doesn't exclude them either. Advisable to add to a named subprocessor list if one is maintained.
[WORK-PRODUCT HEADER — per plugin config ## Outputs — differs by role; see `## Who's using this`]
# Privacy Policy Monitor — Sweep Report
**Date:** [date]
**Outputs scanned:** [N files] | **New since last sweep:** [N files]
**Gaps found:** [N] REQUIRED | [N] ADVISABLE
---
## REQUIRED updates
### [Gap 1 short name]
**Source:** [filename / output type that triggered this]
**What's happening:** [plain description of the new practice]
**Current policy:** [quote the relevant section — or "No coverage"]
**Gap:** [what's missing or inconsistent]
**Suggested language:**
> *Add to [section name]:*
> "[Drafted policy text — specific, consistent with house style of the actual policy]"
---
[repeat for each REQUIRED gap]
---
## ADVISABLE updates
### [Gap name]
**Source:** [filename]
**What's happening:** [description]
**Current policy:** [quote or "Silent"]
**Suggested language:**
> *Add to / update [section]:*
> "[Drafted text]"
---
## No action needed
[List outputs scanned where no gaps were found — confirms they were reviewed]
---
## Next steps
- [ ] Review REQUIRED updates — each needs a decision before the associated
feature/processing goes live (or immediately if already live)
- [ ] Review ADVISABLE updates — lower urgency but worth addressing at next
policy refresh
- [ ] Next scheduled sweep: [date]
Extract from the user's description:
If the description is vague, ask one clarifying question before proceeding. Don't run a long intake — this mode should be fast.
Check the proposed practice against every relevant section of the current policy:
| Check | Current policy says | Proposed practice | Verdict |
|---|---|---|---|
| Data categories | [what policy lists] | [new category if any] | 🟢 Covered / 🟡 Gap / 🔴 Conflict |
| Purposes | [stated purposes] | [new purpose] | |
| Third parties / subprocessors | [stated parties] | [new party if any] | |
| Retention | [retention commitment] | [implied retention] | |
| User rights | [rights offered] | [any new rights implications] | |
| Disclosure / notice | [what policy says about telling users] | [what this practice requires] |
[WORK-PRODUCT HEADER — per plugin config ## Outputs — differs by role; see `## Who's using this`]
# Privacy Policy Check: [Proposed practice in one line]
**Bottom line:** [POLICY UPDATE REQUIRED / ADVISABLE / NO UPDATE NEEDED]
---
## What's covered
[List aspects of the proposed practice already addressed by the current policy —
brief, confirms they don't need to change]
## What's missing
### [Gap 1]
**Current policy:** [quote or "Silent"]
**What's needed:** [why this gap matters — legal, reputational, or consistency reason]
**Suggested language:**
> *Add to [section]:*
> "[Drafted text]"
### [Gap 2]
[same format]
## What conflicts
### [Conflict 1 — if any]
**Current policy says:** [quote]
**Proposed practice does:** [what conflicts]
**Resolution:** [which one needs to change and why — usually the practice adjusts
to match the policy, or the policy gets updated to a defensible new position]
---
## Timing
[If any gap is REQUIRED: "Policy update should happen before this goes live."
If ADVISABLE: "Can proceed; update at next policy refresh."]
Policy language should:
When drafting, always say which section to add to. If the right section doesn't exist, say so and suggest creating it.
Set up a recurring reminder in your own scheduler (calendar, task manager, or CI)
to run /privacy-legal:policy-monitor weekly. Scheduled execution requires a
scheduled-tasks integration, which is not bundled with this plugin.
Whenever the sweep runs, it updates ## Outputs → Last policy sweep in
~/.claude/plugins/config/claude-for-legal/privacy-legal/CLAUDE.md, so the next sweep only looks at new files.
End with the next-steps decision tree per CLAUDE.md ## Outputs. Customize the options to what this skill just produced — the five default branches (draft the X, escalate, get more facts, watch and wait, something else) are a starting point, not a lock-in. The tree is the output; the lawyer picks.
If the sweep surfaced more than ~10 drift findings, or any time the user asks: offer the dashboard (see CLAUDE.md ## Outputs → Dashboard offer for data-heavy outputs). Shape the offer for this output — counts by surface (policy clause / PIA / DPA / triage), counts by severity, and a sortable grid of findings with source artifact and recommended remediation.
reg-gap-analysis. This skill
monitors internal practice drift, not external legal changes.