Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.closient.com/llms.txt

Use this file to discover all available pages before exploring further.

Both US state ingredient disclosure laws and the EU Digital Product Passport regime require that consumer-facing product information be under manufacturer control. The two regimes converge on the same architectural pattern: neutral resolver infrastructure plus manufacturer editorial control over the content. Custom domains owned by individual brands are an anti-pattern under both regimes — for different but compatible reasons. This page makes the architectural case in detail. It is the rationale behind Closient’s posture that every customer should use https://www.closient.com/01/{gtin} as the printed QR target, and that brand-owned custom domains should be reserved for brand marketing surfaces, not for the regulated disclosure surface.
Not legal advice. This is engineering and architectural reasoning informed by reading the statutes, not a regulatory opinion. The interpretation below has not been adjudicated. Consult counsel before relying on this reasoning for compliance positioning.

What the regimes actually say

Louisiana SB 14

LA R.S. 40:661(B)(2) (as enacted by Act 463 of 2025):
“…the manufacturer shall ensure that the [QR code] links to a web page that is under the control of the manufacturer…”
The phrase “under the control of the manufacturer” is the operative requirement. The statute does not define “control” — it does not say “on a domain owned by the manufacturer,” it does not say “self-hosted,” it does not say “on infrastructure operated by the manufacturer.” The natural reading is functional editorial control: the manufacturer determines what is published on that page, can update it, can take it down, and is responsible for its accuracy.

Texas SB 25

The Texas statute does not contain the explicit “control of the manufacturer” phrasing. It assigns responsibility to the manufacturer for the disclosure but is silent on hosting topology. The Texas case for resolver-based architecture is therefore even simpler: nothing in the statute forecloses it, and the operational case below applies in full.

EU ESPR / Digital Product Passport

Regulation (EU) 2024/1781 — the Ecodesign for Sustainable Products Regulation — creates the Digital Product Passport (DPP) for goods sold in the EU. Two provisions are load-bearing for the architecture argument: Article 2(32) — defines a “DPP service provider” as:
“…a natural or legal person… that processes information related to the digital product passport on behalf of an economic operator…”
The DPP service provider is explicitly framed as a separate legal person from the economic operator (the brand). The regulation contemplates a market of independent service providers — not brand-self-hosted infrastructure. Article 11 — provides for backup continuity:
“Member States and economic operators shall ensure that the information contained in the digital product passport remains available for the period… including in the event of the insolvency, liquidation or cessation of activity in the Union of the economic operator that placed the product on the market…”
In plain terms: the DPP must survive the brand’s bankruptcy. If the brand goes under, the disclosure must still resolve. A custom domain owned by the brand fails this requirement the moment the registration lapses.

Why custom domains are the wrong architecture

1. Brand insolvency breaks resolution

A custom domain — compliance.examplebrand.com — is held by the brand. When the brand goes under, the registration lapses, the DNS goes dark, and every QR code printed on every package the brand ever shipped becomes a dead link. The statutory disclosure obligation does not vanish with the brand; the products it sold are still on shelves, still being scanned, still owed a disclosure surface. This is the exact failure mode EU ESPR Article 11 is written to prevent. A neutral resolver operated by an independent service provider survives any single brand’s insolvency. The brand’s editorial content can be migrated to a successor or archived; the resolution chain stays intact. This is also why LA SB 14’s “control of the manufacturer” language should be read as functional editorial control, not infrastructure ownership: the legislature’s clear intent is that the disclosure works. An interpretation that requires brand-owned hosting is an interpretation that mandates the disclosure break the day the brand files Chapter 7. That cannot be what the legislature meant.

2. One QR per product, not one per regime

Brand-owned custom domains do not scale across the copycat wave. If a brand prints compliance.examplebrand.com/sku123 on the package for Louisiana, and a year later New York passes its own law with different ingredient terminology, the brand has two choices: re-print the package (impossible for products already in distribution) or have one URL satisfy two different state regimes (which the brand has to maintain content for, on the same surface, indefinitely). A neutral resolver inverts the problem. The QR target is stable: https://www.closient.com/01/{gtin}. State-specific disclosure variants are routed via link types, locale parameters, or geographic resolution at the resolver layer. The package is printed once; the regulatory routing is reconfigurable indefinitely.

3. Independence is a regulatory feature

EU ESPR Article 2(32) defines DPP service providers as legally independent from the economic operator on purpose. The European legislature wanted a market of compliance infrastructure providers, not brand-self-attestation. The “service provider as separate legal person” structure protects the consumer (independent custodian, harder to backdate edits) and the regulator (single point of audit per provider, not per-brand). US state ingredient disclosure laws have not yet adopted this framing, but the direction of travel is clearly toward it. The architecture that satisfies LA SB 14 and TX SB 25 and the EU DPP without rework is the architecture where the resolver is operated by an independent neutral party. That is the architecture Closient offers.

4. Operational reality

Even setting aside the regulatory case, custom domains for compliance disclosure are operationally bad:
  • TLS certificate management: every brand must maintain a valid certificate on its disclosure subdomain forever; one expiry, one regulatory exposure.
  • Uptime monitoring: a 404 or a timeout on a regulated disclosure URL is a labeling defect, not an availability incident. Brands underinvest in this and regulators don’t care.
  • DNS / WHOIS provenance: regulators investigating a misleading disclosure want to know who controls the page. A brand-owned subdomain gives them a WHOIS record; a neutral resolver gives them a single, well-known, audit-friendly intermediary.
  • Cross-jurisdiction content: a single URL hard-coded into the QR cannot carry per-jurisdiction variants without server-side routing. Brands end up either over-disclosing (showing California Prop 65 warnings to Texas consumers) or under-disclosing (missing the LA SB 14 disclosure for shipments into LA).

What “manufacturer control” actually means in practice

Editorial control over the content. The manufacturer:
  • Authors the disclosure page text via the Closient dashboard or the Content API — the same way they author any other product-page surface.
  • Owns the page in the sense that they determine what is published, when it changes, and what is taken down. The resolver does not edit the content; it routes the request.
  • Is responsible for the accuracy of the disclosure under the relevant state statute. Closient’s role is custodial, not editorial.
This is the same relationship a brand has with any neutral infrastructure provider — a CDN, an email service provider, a cloud storage bucket. The provider operates the infrastructure; the brand controls the content. No one argues that hosting marketing emails on a third-party ESP means the brand has “lost control” of the marketing content; the same logic applies to a compliance disclosure surface hosted on a neutral resolver.

When a custom URL is the right answer

The architecture above does not preclude custom URLs. The resolver supports destination_type: CUSTOM_URL precisely so that brands with sophisticated existing infrastructure can route the disclosure surface to their own systems. The recommendation in this page is that the printed QR target on the package should be the resolver URL, not the custom URL — so that:
  • Routing decisions are made at the resolver, not baked into the QR.
  • Multi-jurisdiction support is configuration, not a re-print.
  • The brand’s bankruptcy does not break the resolution chain — the resolver can fall back to a hosted page or to a successor’s content at the configuration layer.
Use a custom URL when the disclosure content lives natively in a system the brand operates (an existing PIM, a regulated-affairs CMS). Do not use a custom domain as the QR target unless your counsel has signed off on the bankruptcy/continuity argument for your specific product line.
Not legal advice. The architectural argument above is engineering reasoning, not a regulatory opinion. Consult counsel before relying on this reasoning for compliance positioning, especially when the question involves cross-border content (EU DPP) or insolvency-continuity scenarios.