Cross-References:
- REGULATORY_COMPLIANCE_TRACKER.md — Master compliance tracker
- FCRA_TCPA_COMPLIANCE_TRACKING.md — HR TCPA tracking (SMS consent patterns applicable to CE)
docs/compliance/AUTHORITATIVE_REFERENCES.md— Authoritative External References
Overview
This document tracks communications and marketing compliance for the CE module, which manages CRM, campaigns, SMS messaging, call tracking, and community outreach. Key regulations include CAN-SPAM (email), TCPA (SMS/telephony), Arizona call recording law, and FCC telemarketing rules. Where CE handles PHI or SUD-related communications, HIPAA and 42 CFR Part 2 also apply.1. CAN-SPAM Act (Commercial Email)
2. TCPA (SMS and Telephony)
3. Arizona Call Recording (ARS 13-3005, HB 2038)
4. FCC Telemarketing Rules
5. Charitable Solicitation (if applicable)
6. Lead Conversion & PHI Handling (CE-29)
7. AI Triage PHI & SUD Compliance (CE-54)
CE-54 Initial Release Compliance Gate (Required Before Phase 1 Build)
- AI-01 through AI-08 are release-blocking controls for the initial CE-54 launch; they are not deferred to follow-up patches.
ai-triage-evaluatemust enforce SUD consent gating exactly as specified:consent_obtained = true AND consent_method IS NOT NULLbefore including SUD-tagged fields in prompts._shared/phi-detection.tsmust be wired on both request payload preflight and AI response post-processing; PHI detections must reject processing/storage.- Blocked SUD attempts and PHI rejections must create
pf_audit_logsentries; edge-function auth and authorization must enforceverifyOrgAccess()+pf_has_permission()for all CE-54 triage actions. - Every AI run must persist model metadata (
model_id,model_version,prompt_version,processing_time_ms,user_id,organization_id) in CE-54 audit/result records. - CE-54 spec, schema migrations, and RLS policies must include the controls above before release promotion; firm deployment target:
2026-06-30(SUD-handling compliance gate).
8. Authoritative External References
9. Periodic Review Schedule
Version History
1.4.0 (2026-05-13)
- Added CE-08-ENHANCEMENTS partial evidence for EN-01 + EN-02 execution slice:
- shared pre-send compliance gate (local consent/opt-out shim),
- MMS media constraints and PHI media warning,
- scheduled send execution-time consent and TCPA window checks.
- Updated TCPA rows TC-01, TC-02, TC-05, TC-06, and TC-08 to
🔜 In Progresswith current slice evidence notes.
1.3.0 (2026-05-12)
- Added Section 7: AI Triage PHI & SUD Compliance (CE-54)
- 8 compliance requirements tracked for AI triage pipeline (PHI in prompts, SUD consent gating, re-disclosure prevention, audit trail)
- Renumbered §8 → §9 (Periodic Review)
1.2.0 (2026-03-30)
- Merged duplicate §6/§7 (external references) and §7/§8 (periodic review) into canonical sections
- Updated LC-04 to reflect explicit deny policies for UPDATE/DELETE
- Renumbered sections for consistency
1.1.0 (2026-03-28)
- Added Section 6: Lead Conversion & PHI Handling (CE-29)
- 6 compliance requirements tracked for conversion pipeline
- PHI audit verified: event payloads, error messages, toasts, audit immutability
1.0.0 (2026-02-27)
- Initial CE communications compliance document
- Covers CAN-SPAM, TCPA (SMS), Arizona call recording (ARS 13-3005, HB 2038), FCC telemarketing, charitable solicitation
- 25+ compliance requirements tracked across 5 categories
Last Updated: 2026-05-13 Next Review: 2026-08-12