Check your machine learning system against GDPR, CCPA, EU AI Act, and HIPAA requirements. Answer questions about your ML pipeline, get compliance scores per regulation, visualize your risk matrix, and export a prioritized action plan.
Choose all regulations that apply to your ML system based on data types and user locations.
Machine learning compliance is no longer optional. With the EU AI Act enforcement beginning in August 2026, organizations deploying ML systems face a complex regulatory landscape spanning multiple jurisdictions and frameworks. The challenge is that ML-specific compliance requirements are scattered across regulations that were not originally written with machine learning in mind (GDPR, HIPAA), combined with new AI-specific legislation (EU AI Act) that introduces entirely new obligation categories. This tool consolidates the ML-relevant requirements from all major regulations into a single assessment.
The compliance checker works by mapping your ML system characteristics to specific regulatory obligations. When you select applicable regulations and answer questions about your data handling, model transparency, and operational practices, the tool evaluates your compliance posture against the specific articles and provisions that apply to machine learning. The result is a per-regulation compliance score, a risk matrix showing where your gaps create the most exposure, and a prioritized list of action items to close those gaps.
The General Data Protection Regulation applies to any ML system processing personal data of EU residents, regardless of where the organization is based. For ML engineers, the most impactful GDPR provisions are Article 22 (automated decision-making), Article 17 (right to erasure, which creates the machine unlearning challenge), Article 35 (Data Protection Impact Assessment for high-risk processing), and Articles 13-14 (transparency obligations about how data is processed by ML models). The regulation also requires a lawful basis for processing, which for ML training data typically means consent, legitimate interest, or contractual necessity.
The right to explanation under GDPR is particularly challenging for complex ML models. While the regulation does not require full algorithmic transparency, it does require "meaningful information about the logic involved" in automated decisions. For deep learning models, this means implementing explainability tools (SHAP, LIME, attention visualization) that can provide decision-level explanations to affected individuals. The level of explanation required depends on the impact of the decision on the individual: higher-impact decisions require more detailed explanations.
The EU AI Act introduces a risk-based classification system that determines which obligations apply to your ML system. Unacceptable-risk AI is outright banned: social scoring systems, real-time biometric identification in public spaces (with narrow law enforcement exceptions), and AI that manipulates people through subliminal techniques. High-risk AI requires the most extensive compliance: this includes ML systems used in critical infrastructure, education, employment, credit scoring, law enforcement, migration, and healthcare diagnostics. Limited-risk AI (chatbots, emotion recognition, deepfake generation) requires transparency obligations. Minimal-risk AI has no specific requirements.
For high-risk ML systems, the EU AI Act mandates risk management systems (Article 9), data governance (Article 10), technical documentation (Article 11), record-keeping and logging (Article 12), transparency and user information (Article 13), human oversight mechanisms (Article 14), accuracy, robustness, and cybersecurity (Article 15). This is the most comprehensive AI-specific regulation globally and will serve as a template for regulations in other jurisdictions. The compliance checker evaluates each of these articles against your system characteristics.
The California Consumer Privacy Act (and its successor CPRA) gives California residents rights over how their personal information is used in ML systems. The right to know requires disclosure of what personal information is collected and how it is used for training. The right to delete requires removing personal information from training datasets and potentially retraining models. The right to opt-out of sale includes "sharing" personal information for behavioral advertising and cross-context profiling, which affects ML systems that create user profiles.
CPRA introduced specific provisions for automated decision-making technology (similar to GDPR Article 22), giving consumers the right to opt out of automated decisions and access information about the logic involved. For ML engineers, this means maintaining the ability to identify which personal information was used to train which model version, implementing data deletion workflows that propagate through the ML pipeline, and providing meaningful information about how the model uses personal information to make predictions.
HIPAA compliance for ML systems processing Protected Health Information (PHI) requires strict controls at every stage of the ML lifecycle. The Privacy Rule limits how PHI can be used and disclosed for ML training. The Security Rule requires administrative, physical, and technical safeguards for electronic PHI used in ML pipelines. The Breach Notification Rule applies if PHI is exposed through model memorization, training data leaks, or inference attacks.
Practical HIPAA compliance for ML includes: using de-identification (Safe Harbor method removing 18 identifiers, or Expert Determination method using statistical verification) before training, implementing minimum necessary access controls for training data, encrypting all data at rest and in transit, maintaining audit logs of all PHI access during model development and inference, and executing Business Associate Agreements with any third-party ML platforms or cloud providers. Federated learning is increasingly used in healthcare ML to keep PHI on-premise while still training collaborative models across institutions.
The compliance score for each regulation is calculated as the weighted percentage of applicable requirements that your system meets. Requirements with higher regulatory impact (mandatory obligations with significant penalties) are weighted more heavily than best-practice recommendations. A score above 80% indicates strong compliance with critical requirements addressed. Between 50-80% indicates significant gaps that create regulatory exposure. Below 50% indicates the system is likely non-compliant and at risk of enforcement action. The risk matrix plots each gap by likelihood of regulatory scrutiny and potential impact, helping you prioritize remediation efforts where they will reduce the most risk.
The primary regulations are GDPR (EU data protection, applies to ML processing EU residents' data), CCPA/CPRA (California consumer privacy), EU AI Act (comprehensive AI regulation, enforcement August 2026), and HIPAA (US healthcare data). Which apply depends on your data types, user locations, and industry. Most production ML systems are subject to at least one of these frameworks, and many are subject to multiple overlapping regulations.
Four tiers: Unacceptable risk (banned, e.g., social scoring), High risk (critical areas like healthcare, credit scoring, recruitment — requires conformity assessments and extensive documentation), Limited risk (chatbots, emotion recognition — transparency obligations), and Minimal risk (spam filters — no specific obligations). Most production ML systems fall into high-risk or limited-risk categories, requiring some level of compliance effort.
Lawful basis for processing training data, data minimization (only necessary features), purpose limitation, right to explanation for automated decisions (Article 22), right to erasure (machine unlearning challenge), Data Protection Impact Assessment for high-risk processing, and records of processing activities documenting the ML pipeline. The right to explanation requires implementing explainability tools like SHAP or LIME.
Business Associate Agreements with third-party platforms, de-identification using Safe Harbor or Expert Determination before training, minimum necessary access controls, encryption at rest and in transit, audit logs for all PHI access during development and inference, and regular risk assessments. Federated learning can keep PHI on-premise while enabling collaborative model training across institutions.
GDPR: up to 4% global revenue or 20M EUR. EU AI Act: up to 7% revenue or 35M EUR for banned practices, 3% or 15M EUR for high-risk violations. CCPA: $2,500 per unintentional violation, $7,500 per intentional. HIPAA: $100-$50,000 per violation, $1.5M annual max per category. Beyond fines, risks include enforcement orders to cease processing, reputational damage, and class action lawsuits.