Screener

Product Risk Screener

Q1. What are you looking to do?

Select one

Your answer records the context you are working in. It does not change what you are asked.

Your answer provides context for your results — the questions and risk areas are the same regardless of what you select.

Q2. Who are your customers — the people or organizations that use or pay for your product or service?

Select all that apply

Your audience determines which risk areas are even in play. Consumer products — apps, platforms, anything a member of the public signs up for — attract the widest set of obligations. Things like online safety rules and children's protections only apply when real people use your product or service, not in B2B or internal tools.

Your audience determines which risk areas apply — consumer products face the widest set of obligations.

Q3. For people who are NOT your direct customers or users, does your product or service collect data about, or make decisions that affect them?

For example: children of your users, patients of your healthcare customers, people whose content you process but who are not directly interacting with you.

Select one

This is the question product teams most often get wrong. Lots of products touch people who never signed up — job applicants processed by an HR tool, patients whose records flow through a healthcare platform, children of users in a family app. Those people have rights even though they're not your customer. If your product or service affects them, it affects your obligations.

Products often affect people who never signed up — those people have the same legal rights as your direct users.

Q4. Do people interact with your product or service directly — either themselves, or through a staff member acting on their behalf?

Select one

Some products and services are used directly by the people they affect — someone downloads an app and uses it themselves. Others are operated by a staff member on behalf of someone else: a call center agent entering details while talking to a customer, a GP using a clinical tool during a consultation, a financial adviser running an assessment while speaking with a client. The distinction matters for online safety — content moderation rules don't apply to agent-operated tools — but privacy and AI obligations are just as strong either way. The person on the other end of the phone has full rights over their data and over any decisions the tool makes about them.

Whether people use the product directly or through a staff member affects which online safety obligations apply.

Q5. Does your product or service collect or use information about people?

Select all that apply

This is the core privacy question. It covers the three main ways products and services handle personal data: people give it to you directly (or a staff member enters it on their behalf), you observe their behavior, or you receive it from somewhere else. Many teams underestimate this — even basic product analytics (what pages people visit, how long sessions last) counts as personal data in most jurisdictions. Select everything that applies; most products and services tick more than one.

Select every way your product handles personal data — even basic analytics counts in most jurisdictions.

Q6. Does your product or service use AI, machine learning, or automated algorithms to do anything?

Select one

'AI' here means any system that uses LLM, generative AI, machine learning, or automated decision logic — recommendation engines, fraud detection, pricing algorithms, content classifiers — not just obvious AI features like chatbots. It also includes third-party AI tools you've integrated. The reason this matters: if an AI component in your product or service makes or contributes to a decision about a user, you're still responsible for that decision regardless of which vendor's model you're using.

AI includes any automated decision logic or third-party model — not just obvious features like chatbots.

Q7. Can people on your product or service interact with each other or create content?

Select all that apply

Online safety rules kick in when users can do things — post content, message each other, leave reviews. If your product or service hosts any of this, you have responsibilities around what happens there: processes for handling illegal content, basic moderation policies, and for larger platforms, more extensive obligations. Small platforms aren't exempt — the obligations scale with size, but they apply from the start.

Online safety obligations apply whenever users can post content, message each other, or leave reviews.

Q8. Could someone under 18 realistically use your product or service, or be affected by its decisions?

Select one

Even if you haven't collected data tagged as 'children's data', minors may still use your product or service. The UK's children's design rules apply if children are a meaningful part of your user base — regulators interpret this broadly. If teenagers realistically use your platform, the features they access need to meet age-appropriate design standards, even if the product or service isn't aimed at them.

Even without data tagged as children's, minors may still use your product — and design obligations follow.

Q9. Where will your users or affected individuals be?

Select all that apply

This question doesn't change which risk areas apply — it changes which specific rules apply within them, and how urgently. The EU has the most comprehensive set of requirements across all four areas. The UK has its own parallel framework. The US has no single federal privacy law but a growing set of state laws. Wherever your users are, that's the jurisdiction that governs your obligations — regardless of where your company is based.

Jurisdiction doesn't change which risk areas apply — it determines which specific laws govern your obligations.