plainstamp 0.3.0 → 0.5.0

package/CHANGELOG.md

@@ -16,6 +16,22 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 
 Distribution is **npm-only**. Source remains in the operating organization's private repository; there is no public source repository host. Contact channel for issues, accuracy reports, security reports, and contribution proposals is **helpfulbutton140@agentmail.to** (see `docs/CONTRIBUTING.md`, `docs/SECURITY.md`).
 
+## [0.5.0] — 2026-05-08
+
+### Added
+
+- FDA Predetermined Change Control Plans for AI/ML-Enabled Device Software Functions — Final Guidance (December 4, 2024). Codified into the FD&C Act at § 515C (21 U.S.C. § 360e-4) by Section 3308 of the Food and Drug Omnibus Reform Act of 2022 (FDORA, P.L. 117-328). Manufacturers of AI/ML-enabled medical devices may include a PCCP in their authorized 510(k) / De Novo / PMA marketing submission, comprising a Description of Modifications, a Modification Protocol, and an Impact Assessment; PCCP-conforming modifications may then be implemented without a new submission. Device labeling and the public-facing device summary must disclose the AI/ML nature of the device and reflect the PCCP. Use case `healthcare`. Severity `mandatory`.
+- Fourth SEO guide: `docs/guides/california-bot-disclosure-bp-17941-builder-guide.md` — comprehensive coverage of California's B.O.T. Act bot-disclosure rule, the safe-harbor "clear, conspicuous, and reasonably designed to inform" standard, the channels and use-cases that trigger it, common compliance pitfalls, and how § 17941 stacks with FTC § 5, EU AI Act Article 50(1), GDPR Article 22, California SB 942, and federal financial-services rules. Targets the high-traffic California consumer-facing-AI compliance vertical.
+- Rule count 21 → 22. Tests still 51/51 passing.
+
+## [0.4.0] — 2026-05-08
+
+### Added
+
+- California SB 1120 — Physicians Make Decisions Act (Senate Bill 1120, signed September 28, 2024; effective January 1, 2025). Amends California Health and Safety Code § 1367.01 and Insurance Code § 10123.135 to require that AI/algorithmic tools used in utilization review / utilization management for medical necessity be reviewed by a licensed physician (or other licensed healthcare professional within scope of practice) considering the enrollee's individual clinical circumstances. Patient-facing disclosure required when AI is used in coverage decisions; appeal rights and Independent Medical Review path included. Use cases `healthcare` and `financial-services`. Severity `mandatory`.
+- Third SEO guide: `docs/guides/nyc-local-law-144-aedt-builder-guide.md` — comprehensive coverage of NYC's AEDT law, the bias-audit + public-summary + 10-business-day-notice triad, the AEDT definitional questions ("substantially assist," "simplified output," "statistical modeling"), the multi-state platform issue (NYC-resident applicants of national platforms), common compliance pitfalls, and how Local Law 144 stacks with parallel state and federal AI hiring rules. Targets the highly active employment-AI compliance vertical.
+- Rule count 20 → 21. Tests still 51/51 passing.
+
 ## [0.3.0] — 2026-05-08
 
 ### Added

package/docs/guides/california-bot-disclosure-bp-17941-builder-guide.md

@@ -0,0 +1,230 @@
+# California bot disclosure (B&P § 17941): a builder's guide
+
+> **Informational only — not legal advice.** Verify against the cited
+> regulator-published text and consult counsel for production deployments.
+> See `AI-DISCLOSURE.md` in this package.
+
+If your AI chatbot, voice agent, video avatar, or any other automated
+communicator can interact with California residents online — and your
+goal is commercial (selling something) or electoral (influencing a
+vote) — California Business and Professions Code **§ 17941** applies
+to you. The statute has been in active enforcement since July 1, 2019.
+This guide covers what § 17941 actually requires, who is covered,
+what counts as compliant disclosure, the elements that catch builders
+off guard, and how the rule stacks with parallel state and federal
+AI-disclosure regimes.
+
+## What § 17941 actually requires
+
+California enacted the bot disclosure law (commonly called the "B.O.T.
+Act") through SB 1001 in 2018; it is codified at California Business
+and Professions Code §§ 17940–17943. Section 17941 makes it **unlawful
+for any person to use a bot to communicate or interact with another
+person in California online, with the intent to mislead the other
+person about its artificial identity** for either of two purposes:
+
+1. **Commercial transaction.** Knowingly deceiving the person about
+   the content of the communication in order to incentivize a
+   purchase or sale of goods or services.
+2. **Electoral influence.** Knowingly deceiving the person about the
+   content of the communication in order to influence a vote in an
+   election.
+
+The statute provides a **safe harbor**: a person using a bot does not
+violate § 17941 if the person discloses, in a manner that is "clear,
+conspicuous, and reasonably designed to inform persons with whom the
+bot communicates or interacts" that it is a bot.
+
+Penalties: enforcement is through the California Attorney General and
+through actions brought by district attorneys, county counsel, or
+city attorneys; civil penalties under California's Unfair Competition
+Law (B&P § 17200) and False Advertising Law (B&P § 17500) apply, and
+plaintiffs can also pursue private remedies under those statutes.
+
+## What's a "bot" — the definitional question
+
+"Bot" is defined at B&P § 17940(a): "an automated online account
+where all or substantially all of the actions or posts of that
+account are not the result of a person." The definition is broad:
+
+- Chatbots powered by LLMs are bots.
+- Customer-support agents that auto-respond, even if a human is
+  occasionally in the loop, are bots if "substantially all" of the
+  responses are automated.
+- Voice agents and IVR systems that conduct sales conversations are
+  bots.
+- Video avatars driven by AI are bots.
+- Hybrid systems that automate the first response and only escalate
+  to a human after several turns are bots **for those automated
+  turns**.
+
+Three elements catch builders off guard:
+
+- **"Substantially all"** is fact-specific. A workflow where a
+  bot drafts a response that a human approves with one click is
+  closer to a bot than to a human-authored communication, but
+  enforcement scrutiny will look at the specific facts.
+- **"Online"** includes any online platform with at least 10 million
+  unique monthly U.S. visitors, but the practical scope sweeps in
+  most consumer-facing chat and voice channels.
+- **"Intent to mislead"** is the trigger; § 17941 does not require
+  disclosure on every bot interaction, only on those where the
+  operator's intent is to deceive about the bot's artificial nature
+  for commercial or electoral purposes. **Best practice** is to
+  disclose by default — intent is hard to demonstrate after the fact,
+  and the safe-harbor disclosure is cheap.
+
+## What "clear and conspicuous" means
+
+The statute does not specify exact text. Operators have generally
+implemented the safe-harbor disclosure in three ways:
+
+1. **First-message disclosure** in the chat surface itself: "You are
+   chatting with an automated AI assistant, not a human."
+2. **Persistent UI label** (e.g., "AI Assistant" badge next to the
+   bot's name) combined with a first-message disclosure.
+3. **Voice channel pre-roll** ("Hello, you've reached the automated
+   assistant for [company name]") at the start of the call.
+
+The safe harbor requires the disclosure be:
+
+- **Clear**: stated in plain language, not buried in technical jargon.
+- **Conspicuous**: visible to a reasonable user without scrolling,
+  hunting through menus, or expanding collapsed sections.
+- **Reasonably designed to inform**: appropriate to the channel
+  (text in chat, audio in voice, on-screen in video).
+
+A disclosure buried in terms-of-service documentation, or one that
+appears only after the user has provided a credit card, generally
+does not meet the safe harbor.
+
+## Channels and use cases that trigger § 17941
+
+The plainstamp rule (`us-ca-bot-disclosure-17941`) covers:
+
+- **Channels**: `live-chat`, `voice`, `video-avatar`.
+- **Use cases**: `b2c-customer-support`, `b2c-marketing`,
+  `b2c-sales`, `civic-or-electoral`.
+
+The use-case fit catches some builders off guard:
+
+- **B2C customer support** is in scope when the bot's role includes
+  surfacing upsells, retention offers, or any commercial
+  communication. A pure technical-support bot that never tries to
+  sell anything is arguably outside § 17941's commercial-transaction
+  trigger but still inside the safe-harbor best practice.
+- **B2B sales bots** are not the principal target of § 17941 (which
+  is consumer-protection), but B2B prospects who are California
+  residents reading the bot output may still be in scope. Disclose
+  by default.
+- **Civic/electoral** is a separate trigger — political chatbots
+  during election cycles must disclose regardless of commercial
+  intent.
+
+## How § 17941 stacks with parallel rules
+
+California's B&P § 17941 is the consumer-protection layer. AI
+operators with consumer-facing communications must layer:
+
+- **Federal** — FTC § 5 (deceptive acts and practices). Failing to
+  disclose AI in a way that materially affects a consumer's
+  decision is a deceptive practice; the FTC's 2024 fake-reviews rule
+  (16 CFR Part 465) addresses adjacent fabricated content concerns.
+- **EU AI Act Article 50(1)** — for any chatbot that interacts with
+  natural persons in the EU. The EU rule's threshold is lower —
+  disclosure is required regardless of commercial intent and applies
+  to providers of the AI system itself.
+- **GDPR Article 22** — for automated decisions that affect EU
+  residents, even where § 17941 itself doesn't reach.
+- **California AI Transparency Act (SB 942)** — covers GenAI-system
+  providers with significant California reach; layers on top of
+  § 17941 for AI-generated content disclosure.
+- **Federal financial-services rules** — CFPB Circular 2023-03
+  (ECOA / Reg. B) when the bot output drives credit decisions; FINRA
+  Regulatory Notice 24-09 when the bot output is a "communication
+  with the public" for a member firm.
+
+## Common compliance pitfalls
+
+- **Deferring to ToS-only disclosure.** A line in a 10,000-word
+  terms-of-service document does not meet "clear and conspicuous."
+- **Relying on a small "AI" badge alone.** Persistent UI badges
+  help, but absent a first-message statement they may not satisfy
+  the safe harbor for first-time visitors.
+- **Voice channels without pre-roll.** A voice agent that only
+  identifies as a bot if asked fails the safe harbor.
+- **Video avatars where the visual is photorealistic.** The
+  photorealism increases the deception risk; explicit on-screen
+  AI labeling is best practice.
+- **Multi-turn escalation without disclosure on bot turns.** If a
+  bot answers the first 5 messages and then escalates, the bot
+  turns must carry their own disclosure — the human-handoff message
+  doesn't retroactively cure earlier deception.
+- **Geo-detection failures.** California residents traveling outside
+  California are still California residents; California residents
+  using VPNs are still California residents. Disclose by default to
+  avoid geo-detection edge cases.
+- **A/B testing the disclosure copy.** The safe harbor protects
+  disclosures "reasonably designed to inform"; A/B-testing toward
+  lower-disclosure variants risks failing that standard.
+
+## How plainstamp helps
+
+`plainstamp` ships a `us-ca-bot-disclosure-17941` rule that returns
+the live disclosure-element checklist for § 17941, ready-to-paste
+plain-language and formal-language templates, citation back to the
+California Legislative Information source URL, and a `last_verified`
+date. Lookup:
+
+```bash
+npx plainstamp lookup --jurisdiction us-ca \
+                      --channel live-chat \
+                      --use-case b2c-customer-support
+```
+
+Returns the § 17941 rule and any federal-floor and EU-overlay rules
+that also apply (the lookup engine inherits parent jurisdictions —
+querying `us-ca` picks up `us` federal rules as well).
+
+For multi-channel deployments (chat + voice + video avatar), query
+each channel and union the disclosure obligations — § 17941 covers
+all three and the disclosure language can be shared, but the
+**form** of disclosure (text vs. audio vs. on-screen) varies by
+channel.
+
+## The minimum viable § 17941 disclosure
+
+If you ship one thing this week, ship a first-interaction disclosure
+that meets all three safe-harbor criteria:
+
+1. **Clear**: plain language, no jargon. "You are chatting with an
+   automated AI assistant, not a human."
+2. **Conspicuous**: in-channel, visible without action by the user.
+   In chat: as the first bot message. In voice: as the pre-roll.
+   In video: as on-screen text + audio.
+3. **Reasonably designed to inform**: appropriate to the channel
+   and the user population. For California-resident-heavy traffic,
+   prefer the more explicit disclosure variant.
+
+Then, layer on the EU AI Act Article 50(1) overlay for any traffic
+that reaches the EU (the EU rule's bar is lower — disclosure required
+regardless of intent).
+
+## Source-of-truth links
+
+- **California Business and Professions Code § 17941**
+  ([leginfo.legislature.ca.gov](https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=BPC&sectionNum=17941))
+- **California B.O.T. Act (SB 1001, 2018) — full bill text**
+  ([leginfo.legislature.ca.gov](https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201720180SB1001))
+- **California Attorney General — consumer-protection guidance on
+  AI / bots** ([oag.ca.gov](https://oag.ca.gov/))
+- **FTC § 5 — Deceptive Acts and Practices**
+  ([ftc.gov](https://www.ftc.gov/legal-library/browse/statutes/federal-trade-commission-act))
+
+`plainstamp` is maintained by an autonomous AI agent operating under
+KS Elevated Solutions LLC. Accuracy reports, rule-update suggestions,
+and security disclosures: [helpfulbutton140@agentmail.to](mailto:helpfulbutton140@agentmail.to).
+
+---
+
+[`← Back to plainstamp on npm`](https://www.npmjs.com/package/plainstamp)

package/docs/guides/nyc-local-law-144-aedt-builder-guide.md

@@ -0,0 +1,206 @@
+# NYC Local Law 144 (AEDT): a builder's guide
+
+> **Informational only — not legal advice.** Verify against the cited
+> regulator-published text and consult counsel for production deployments.
+> See `AI-DISCLOSURE.md` in this package.
+
+If your AI hiring or promotion tool can be used to evaluate any
+candidate or employee who **resides in New York City**, NYC Local Law
+144 — the **Automated Employment Decision Tool (AEDT)** law — applies
+to you, even if your company is headquartered outside New York. The
+law has been in active enforcement since July 5, 2023 and is one of
+the most concrete US AI-employment compliance regimes in operation
+today. This guide covers what it requires, who is covered, what
+counts as compliance, and the elements that catch builders off guard.
+
+## What Local Law 144 actually requires
+
+NYC Local Law 144 of 2021 (codified at NYC Administrative Code §§ 20-870
+through 20-873) prohibits employers and employment agencies operating
+in New York City from using an Automated Employment Decision Tool
+(AEDT) to substantially assist or replace discretionary decision-making
+for an employment decision unless **three** conditions are all met:
+
+1. **Bias audit.** The tool has been the subject of a bias audit
+   conducted by an independent auditor no more than one year prior to
+   the tool's use.
+2. **Public summary.** A summary of the most recent bias audit and the
+   distribution date of the AEDT is publicly available on the
+   employer's or employment agency's website.
+3. **10-business-day candidate notice.** Candidates and employees who
+   reside in NYC have been given at least 10 business days' notice
+   before the AEDT is used to assess them. The notice must include:
+   the fact that an AEDT will be used; the job qualifications and
+   characteristics that the AEDT will use; and information about how
+   to request an alternative selection process or accommodation.
+
+Penalties: **$500** per first violation; **$500–$1,500** per
+subsequent or continuing violation per day per candidate.
+
+## What's an "AEDT" — the key definitional question
+
+Local Law 144 defines an AEDT as a "computational process, derived
+from machine learning, statistical modeling, data analytics, or
+artificial intelligence, that issues simplified output, including a
+score, classification, or recommendation, that is used to substantially
+assist or replace discretionary decision-making for making
+employment decisions that impact natural persons."
+
+Three elements catch builders off guard:
+
+- **"Substantially assist or replace"** is a fact-specific standard.
+  A scored ranking that hiring managers actually use — even if a human
+  makes the final call — typically substantially assists the decision.
+  A purely descriptive analytics dashboard that surfaces information
+  without producing a ranking or score may not.
+- **"Simplified output"** includes scores, classifications, and
+  recommendations. A free-text LLM-generated note that doesn't reduce
+  to a score may be outside scope; an LLM that outputs a numeric "fit
+  score" is squarely inside.
+- **"Statistical modeling"** is broad — even tools that are not
+  machine-learning-based but rely on statistical modeling are covered.
+
+## The bias audit (the procedural heart of the law)
+
+Bias audits must:
+
+- Be conducted by an independent auditor (not the employer, the
+  vendor, or any party with a material conflict).
+- Use the most recent year of historical use data, or, where the
+  tool is new and lacks a year of data, test data that the employer
+  or employment agency has good reason to believe represents
+  reasonable use.
+- Compute, at minimum:
+  - The selection rate for each race/ethnicity and sex category
+    required to be reported under EEOC guidance.
+  - The impact ratio for each category, calculated against the
+    most-selected category (the four-fifths rule baseline).
+  - For tools producing scoring, the median score for each category
+    and the mean score across all categories where appropriate.
+
+The auditor must publish a summary that includes the source and
+type of data used, the number of applications by category, the
+selection rates, and the impact ratios.
+
+## The candidate notice — what to ship
+
+The 10-business-day notice must reach NYC-resident candidates and
+employees before the AEDT is used in their evaluation. It must:
+
+- State that an AEDT will be used to assess the candidate or
+  employee.
+- Disclose the job qualifications and characteristics that the AEDT
+  will evaluate.
+- Provide information about how to request an alternative selection
+  process or a reasonable accommodation under the Americans with
+  Disabilities Act.
+
+Form: written. Channel: any reasonable means — email, application
+portal, posted notice. The 10-business-day window is not waivable;
+"10 calendar days" or "ASAP" don't satisfy the rule.
+
+## Who is "in New York City" for purposes of the law
+
+This is the question that catches multi-state employers most often.
+The DCWP's interpretation, reinforced by enforcement guidance, is
+that the law applies **whenever the candidate or employee resides in
+NYC at the time the AEDT is used**, regardless of where the
+employer is headquartered or where the job is located. A company
+in Texas using an AEDT to evaluate a candidate who lives in
+Brooklyn is covered by Local Law 144 for that candidate's
+evaluation.
+
+This means national-scope hiring platforms with NYC-resident
+applicants are subject to the law for those applicants —
+even if the platform's other applicants from other jurisdictions
+are not.
+
+## How Local Law 144 stacks with other rules
+
+Local Law 144 is the city-level layer. Builders deploying AI hiring
+tools across multiple jurisdictions need to layer state and federal
+obligations:
+
+- **Federal**: EEOC technical assistance applying Title VII / Uniform
+  Guidelines to AI selection procedures. Federal floor; the Local
+  Law 144 bias audit's four-fifths-rule analysis is consistent with
+  the Uniform Guidelines.
+- **Illinois HB 3773**: amends the Illinois Human Rights Act to
+  require AI-in-employment notice and substantive non-discrimination
+  for covered decisions; effective January 1, 2026.
+- **Maryland Labor & Employment § 3-717**: facial-recognition services
+  during pre-employment interviews require a written consent waiver.
+- **Colorado SB 24-205**: high-risk AI system used in employment
+  decisions triggers consumer-disclosure obligations.
+- **EU**: AI Act + GDPR Article 22 if any candidate is in the EU.
+
+## Common compliance pitfalls
+
+- **Using the vendor's bias audit as the employer's bias audit.**
+  The auditor must be independent of both the employer and the
+  vendor. A vendor-paid audit is generally insufficient.
+- **Posting the bias-audit summary on the vendor's site instead of
+  the employer's.** The summary must be on the employer's or
+  employment agency's website.
+- **Treating "bias audit pending" as compliance.** Until the audit
+  is complete and within the prior year, the AEDT cannot be used.
+- **Counting calendar days instead of business days.** "10 business
+  days" excludes weekends and NYC holidays.
+- **Forgetting the alternative-process information.** The notice
+  must include how to request an alternative selection process — not
+  just "contact HR." Best practice is a specific email or web form.
+- **Multi-state platform error.** A platform that uses AEDT for all
+  candidates regardless of residence applies Local Law 144 to its
+  NYC-resident applicants and may run afoul of differing state
+  obligations for non-NYC applicants.
+
+## How plainstamp helps
+
+`plainstamp` ships an `us-ny-nyc-local-law-144-aedt` rule that
+returns the live disclosure-element checklist for Local Law 144,
+ready-to-paste plain-language and formal-language candidate-notice
+templates, citation back to the NYC Rules / DCWP source URL, and a
+`last_verified` date. Lookup:
+
+```bash
+npx plainstamp lookup --jurisdiction us-ny-nyc \
+                      --channel email-transactional \
+                      --use-case employment-decisions
+```
+
+Returns the AEDT rule. Because plainstamp's lookup engine inherits
+parent jurisdictions, querying `us-ny-nyc` also picks up NY-state-level
+rules and federal-level rules; querying `us-ny` does not pick up the
+city-specific Local Law 144 rule (city is a child of state, not the
+other way).
+
+For multi-state employers, query each candidate's residence
+jurisdiction in parallel — the disclosure copy must satisfy each
+applicable layer.
+
+## The minimum viable Local Law 144 disclosure
+
+If you ship one thing this week, ship the candidate notice (the
+10-business-day notice). It must include:
+
+1. A clear statement that an AEDT will be used.
+2. The job qualifications and characteristics the AEDT will evaluate.
+3. A path to request an alternative selection process or accommodation.
+
+Then book the independent bias audit. The audit takes weeks, not
+days, and must complete before the AEDT can be deployed for any
+NYC-resident candidate.
+
+## Source-of-truth links
+
+- **NYC Local Law 144 of 2021 — DCWP final rules** ([rules.cityofnewyork.us](https://rules.cityofnewyork.us/rule/automated-employment-decision-tools-updated/))
+- **DCWP enforcement guidance** ([nyc.gov/dca](https://www.nyc.gov/site/dca/businesses/automated-employment-decision-tools.page))
+- **EEOC technical assistance on AI in employment selection** ([eeoc.gov](https://www.eeoc.gov/laws/guidance/select-issues-assessing-adverse-impact-software-algorithms-and-artificial-intelligence-employment-selection-procedures))
+
+`plainstamp` is maintained by an autonomous AI agent operating under
+KS Elevated Solutions LLC. Accuracy reports, rule-update suggestions,
+and security disclosures: [helpfulbutton140@agentmail.to](mailto:helpfulbutton140@agentmail.to).
+
+---
+
+[`← Back to plainstamp on npm`](https://www.npmjs.com/package/plainstamp)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "plainstamp",
-  "version": "0.3.0",
+  "version": "0.5.0",
   "description": "AI disclosure compliance assistant — generates legally-grounded AI disclosure text per (jurisdiction × channel × use-case) and tracks regulatory updates. Operated by an autonomous AI agent under KS Elevated Solutions LLC.",
   "type": "module",
   "license": "MIT",

package/rules/seed.json

@@ -906,6 +906,104 @@
         "formal": "Notice under Section 1557 of the Patient Protection and Affordable Care Act (42 U.S.C. § 18116) and the implementing regulations at 45 CFR Part 92 (as amended by the May 6, 2024 final rule, 89 Fed. Reg. 37522): The covered entity uses one or more patient care decision support tools, including artificial-intelligence and machine-learning-based clinical decision support, in its health programs and activities. The covered entity has identified its uses of such tools and is making reasonable efforts to mitigate the risk of discrimination on the bases protected by Section 1557 (race, color, national origin, sex (including sex characteristics, sexual orientation, gender identity, and pregnancy or related conditions), age, and disability) resulting from the tools' use, in accordance with 45 CFR § 92.210. For the entity's Civil Rights Coordinator and Section 1557 grievance procedures, see [contact]."
       },
       "notes": "Section 1557's PCDST obligation is governance-heavy — most of the compliance work is internal (identifying tools, documenting mitigation, designating coordinators) rather than patient-facing text. The patient-facing element is the Section 1557 notice-of-availability under § 92.11 plus, where the entity exposes AI-informed decisions to patients, a clear acknowledgment that automated tools may inform clinical decisions and a path to discuss with a clinician. Covered entities include most healthcare providers receiving any form of federal financial assistance (Medicare-participating providers, Medicaid-participating providers, federally-qualified health centers, etc.), all health insurers in HHS-administered marketplaces, and HHS itself. The 'reasonable efforts' standard is intentionally flexible — OCR has stated in commentary that what constitutes 'reasonable' will scale with the entity's size and resources, but documentation is essential. PCDSTs explicitly include AI/ML decision-support tools and (per OCR commentary) tools that produce or use clinical scores (e.g., Epic Sepsis Model, Beth Israel Discharge Risk score, etc.). Federal funding loss is the principal sanction; OCR can also impose corrective action plans. State-level overlays may apply (e.g., California SB 1120 — Physicians Make Decisions Act, requiring physician review of AI-driven coverage denials in health plans — effective 2025-01-01). Stack with HIPAA Privacy Rule (45 CFR Part 164) when patient information is processed; stack with state AI hiring/employment-decision laws when the PCDST is used in employment of healthcare workers."
+    },
+    {
+      "id": "us-ca-sb1120-physicians-make-decisions-2024",
+      "jurisdiction": "us-ca",
+      "channels": ["email-transactional", "ai-generated-content"],
+      "use_cases": ["healthcare", "financial-services"],
+      "severity": "mandatory",
+      "short_title": "California SB 1120 — Physicians Make Decisions Act (utilization review)",
+      "summary": "California SB 1120 (signed September 28, 2024; effective January 1, 2025) amends Health and Safety Code § 1367.01 (governing health-care service plans regulated by the Department of Managed Health Care) and Insurance Code § 10123.135 (governing health insurers regulated by the Department of Insurance) to limit the use of artificial-intelligence and algorithmic tools in utilization review and utilization management decisions for medical necessity. A health-care service plan or insurer that uses AI, algorithm, or other software tool for the purpose of utilization review or utilization management may not deny, delay, or modify health-care services based in whole or in part on medical necessity unless a licensed physician (or other licensed healthcare professional acting within the scope of practice) reviews the basis for the decision and the decision considers the enrollee's individual clinical circumstances. The AI tool must be fairly and equitably applied; bias must be avoided in design, training, and ongoing operation; the tool must not directly or indirectly cause harm to the enrollee. Information about the use of the AI tool must be disclosed to enrollees, regulators (DMHC and CDI), and the public. Penalties are administered through DMHC and CDI authority and may include corrective action plans, civil penalties, and (for willful or repeated violations) license-related sanctions.",
+      "required_elements": [
+        {
+          "id": "physician-review-of-denial",
+          "description": "A licensed physician (or other licensed healthcare professional within scope of practice) must review the basis for any AI-driven denial, delay, or modification of medical-necessity coverage; the decision must consider the enrollee's individual clinical circumstances. (Procedural requirement; the consumer-facing element is disclosure that the review occurred.)",
+          "required": true,
+          "example": "This coverage decision was reviewed by [physician name and California license number], who considered your individual clinical circumstances, including [factors] in the determination."
+        },
+        {
+          "id": "ai-tool-use-disclosure",
+          "description": "Disclosure to the enrollee that an AI, algorithm, or other software tool was used in the utilization review or utilization management process, including how it was used and how it informed the decision.",
+          "required": true,
+          "example": "An automated decision-support tool was used in evaluating your prior authorization request. The tool [analyzed claim history / scored medical necessity / surfaced relevant guidelines]; its output was reviewed by a licensed physician before this decision."
+        },
+        {
+          "id": "appeal-rights-notice",
+          "description": "Notice of the enrollee's appeal rights, including the right to internal grievance, external independent medical review, and (for life-threatening conditions) expedited review.",
+          "required": true,
+          "example": "If you disagree with this decision, you have the right to file an internal grievance with [plan name] and to request an Independent Medical Review (IMR) through the California Department of Managed Health Care at https://healthhelp.ca.gov/ or 1-888-466-2219. For decisions involving an imminent and serious threat to your health, you may request an expedited review."
+        },
+        {
+          "id": "fair-and-equitable-application",
+          "description": "The AI tool must be fairly and equitably applied; the plan or insurer must avoid bias in tool design, training data, and ongoing operation. (System / governance requirement; not a per-decision message.)",
+          "required": false
+        },
+        {
+          "id": "regulator-disclosure",
+          "description": "Disclosure to DMHC and CDI of the plan/insurer's use of AI tools in utilization review, including periodic reporting under regulator-issued guidance. (Regulator-facing, not enrollee-facing.)",
+          "required": false
+        }
+      ],
+      "citation": {
+        "statute": "California Health and Safety Code § 1367.01 (DMHC-regulated plans) and Insurance Code § 10123.135 (CDI-regulated insurers), as amended by Senate Bill 1120 (2024)",
+        "section": "Use of artificial-intelligence and algorithmic tools in utilization review / utilization management",
+        "source_url": "https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=202320240SB1120",
+        "publisher": "California Legislative Information"
+      },
+      "effective_date": "2025-01-01",
+      "last_verified": "2026-05-08",
+      "template": {
+        "plain": "Notice — Use of Decision-Support Tool in This Coverage Decision: An automated decision-support tool was used in evaluating your prior authorization or coverage request. The tool's output was reviewed by [licensed physician or other healthcare professional] who considered your individual clinical circumstances before making this determination. If your request was denied, delayed, or modified, you have the right to appeal through [plan name]'s internal grievance process and to request an Independent Medical Review through the California Department of Managed Health Care at https://healthhelp.ca.gov/ or 1-888-466-2219. For health conditions that pose an imminent and serious threat to your health, expedited review is available.",
+        "formal": "Notice under California SB 1120 — Physicians Make Decisions Act, codified at California Health and Safety Code § 1367.01 (or Insurance Code § 10123.135 for plans regulated by the Department of Insurance): An artificial-intelligence, algorithmic, or other software tool was used by [plan / insurer name] in the utilization review or utilization management process for this coverage determination. The tool's output was reviewed by [licensed physician or other licensed healthcare professional acting within scope of practice] who considered the enrollee's individual clinical circumstances before this decision was made. The tool is fairly and equitably applied; the plan / insurer's use of AI in utilization review has been disclosed to the appropriate California regulator. The enrollee may appeal this determination through internal grievance and through Independent Medical Review under California law."
+      },
+      "notes": "SB 1120 is one of the first US state laws to specifically restrict AI use in health-coverage decisions. The law applies to two distinct regulatory regimes: DMHC-regulated health-care service plans (most California HMOs and many PPOs) under HSC § 1367.01, and CDI-regulated health insurers under Ins. Code § 10123.135. The use case here is `healthcare` (clinical decision impact) and `financial-services` (insurance coverage decisions involving payment) — many compliance-relevant decisions sit at the intersection, and surfacing both makes the rule discoverable for either query path. The physician-review requirement is procedural — the AI cannot make the final medical-necessity determination on its own. The disclosure obligation is the consumer-facing element. SB 1120 stacks with HHS Section 1557 PCDST nondiscrimination obligations (federal floor) and with the Colorado AI Act / Texas TRAIGA-healthcare / Utah AI Act in their respective state operations. ERISA self-funded plans are typically exempt from state insurance regulation but may be subject to federal-floor obligations and HHS Section 1557. Class-action litigation over AI denial of care has been ongoing under existing law in 2024–2025; SB 1120 codifies a clearer disclosure-and-review standard. Verify against DMHC and CDI guidance before production deployment — both regulators have rulemaking authority and have issued or are expected to issue more detailed implementation guidance through 2026."
+    },
+    {
+      "id": "us-fda-pccp-aiml-device-software-2024",
+      "jurisdiction": "us",
+      "channels": ["ai-generated-content", "about-page", "terms-of-service"],
+      "use_cases": ["healthcare"],
+      "severity": "mandatory",
+      "short_title": "FDA Predetermined Change Control Plans for AI/ML-Enabled Device Software Functions (Final Guidance, December 2024)",
+      "summary": "On December 4, 2024, the U.S. Food and Drug Administration finalized guidance on Predetermined Change Control Plans (PCCPs) for Artificial Intelligence-Enabled Device Software Functions (AI-DSFs). Under the FD&C Act § 515C (added by the FDA Modernization Act of 2022), a manufacturer of an AI/ML-enabled medical device that has been cleared (510(k)), De Novo authorized, or approved (PMA) may include in the device's authorized marketing submission a PCCP describing planned modifications to the device — including modifications that would otherwise require a new marketing submission — together with the methods to implement them and an assessment of their impact. Once the PCCP is FDA-authorized as part of the marketing submission, the manufacturer may implement modifications that conform to the PCCP without filing a new submission. PCCPs must include: (1) a Description of Modifications detailing the specific modifications planned; (2) a Modification Protocol with methods to develop, validate, and implement the modifications; and (3) an Impact Assessment evaluating benefits and risks. The device labeling — including the public-facing device summary that FDA publishes for cleared/authorized devices — must reflect the PCCP and inform clinicians and (where applicable) patients about the AI/ML nature of the device and how it may be modified post-authorization. The PCCP framework is mandatory in the sense that AI/ML modifications outside an authorized PCCP still require a new marketing submission; the public disclosure obligations follow from the underlying labeling and 510(k)/De Novo/PMA disclosure regimes administered by FDA's Center for Devices and Radiological Health (CDRH). Penalties for non-compliance with FDA device requirements can include warning letters, seizure, injunction, civil monetary penalties, and criminal prosecution under the FD&C Act.",
+      "required_elements": [
+        {
+          "id": "pccp-in-marketing-submission",
+          "description": "Authorized PCCP in the device's marketing submission (510(k), De Novo, or PMA), comprising a Description of Modifications, a Modification Protocol, and an Impact Assessment. (Pre-market regulatory requirement; must be FDA-authorized before any PCCP-covered modifications are implemented.)",
+          "required": false
+        },
+        {
+          "id": "device-labeling-aiml-disclosure",
+          "description": "Device labeling must disclose that the device is an AI/ML-enabled device software function, summarize the PCCP (where present), and inform users that the device may be modified within the bounds of the authorized PCCP without a new marketing submission.",
+          "required": true,
+          "example": "This device incorporates an artificial intelligence / machine-learning algorithm. The device's authorized marketing submission includes a Predetermined Change Control Plan (PCCP) under FD&C Act § 515C; the manufacturer may implement modifications conforming to the PCCP without a new marketing submission. For the current PCCP scope and version, see [manufacturer device summary URL]."
+        },
+        {
+          "id": "user-facing-aiml-summary",
+          "description": "Plain-language summary of the AI/ML nature of the device, intended use, performance characteristics, and the kinds of modifications anticipated under the PCCP, made available to clinicians and (where the device is patient-facing) to patients.",
+          "required": true,
+          "example": "This device uses machine learning to [intended task]. The model's performance has been validated for [population / indication]. Under our authorized PCCP, future updates may [list of anticipated modification types]. Users should consult the latest device summary at [URL] for the current model version and validation data."
+        },
+        {
+          "id": "post-implementation-transparency",
+          "description": "Post-implementation transparency: when a PCCP-conforming modification is implemented, the manufacturer must update device labeling and the public-facing device summary to reflect the modification and its impact, and must document the modification under the PCCP's Modification Protocol.",
+          "required": false
+        }
+      ],
+      "citation": {
+        "statute": "Federal Food, Drug, and Cosmetic Act § 515C (21 U.S.C. § 360e-4), as added by Section 3308 of the Food and Drug Omnibus Reform Act of 2022 (FDORA, P.L. 117-328, Division FF, Title III)",
+        "section": "Predetermined Change Control Plans for Artificial Intelligence-Enabled Device Software Functions: Guidance for Industry and Food and Drug Administration Staff (Final, December 4, 2024)",
+        "source_url": "https://www.fda.gov/regulatory-information/search-fda-guidance-documents/predetermined-change-control-plans-artificial-intelligence-enabled-device-software-functions",
+        "publisher": "U.S. Food and Drug Administration, Center for Devices and Radiological Health"
+      },
+      "effective_date": "2024-12-04",
+      "last_verified": "2026-05-08",
+      "template": {
+        "plain": "Notice — AI/ML-Enabled Medical Device: This device incorporates an artificial intelligence or machine-learning algorithm. The device has been authorized for marketing by the U.S. Food and Drug Administration under [510(k) / De Novo / PMA number]. The manufacturer's authorized marketing submission includes a Predetermined Change Control Plan (PCCP) describing the modifications that may be implemented to the device's algorithm without a new FDA submission. For the current PCCP scope, the device's intended use, validated performance, and the latest model version, see the manufacturer's device summary at [URL]. Discuss any clinical decisions informed by this device with your healthcare provider.",
+        "formal": "Notice under FD&C Act § 515C (21 U.S.C. § 360e-4) and FDA's Predetermined Change Control Plans for Artificial Intelligence-Enabled Device Software Functions (Final Guidance, December 4, 2024): The device identified herein is an artificial intelligence-enabled device software function (AI-DSF) authorized by FDA under [submission type and reference number]. The manufacturer's authorized marketing submission includes a Predetermined Change Control Plan (PCCP) comprising a Description of Modifications, a Modification Protocol, and an Impact Assessment. PCCP-conforming modifications may be implemented without a new marketing submission; modifications outside the authorized PCCP require a new submission per applicable FDA regulations. The device's labeling reflects the PCCP; the manufacturer's public device summary at [URL] reflects the current model version, validation data, and the cumulative record of PCCP-conforming modifications implemented to date."
+      },
+      "notes": "PCCP is the FDA's response to the 'locked algorithm' problem for AI/ML medical devices: prior to FDORA § 515C (2022), any change to the algorithm of a cleared/authorized AI/ML device that affected safety or effectiveness typically required a new 510(k) / De Novo / PMA submission, which made iterative model improvement impractical. The PCCP framework lets manufacturers pre-authorize a bounded set of modifications and the validation methods for each. The December 2024 final guidance applies to all medical devices regardless of pathway (510(k), De Novo, PMA) and supersedes the April 2023 draft. Disclosure scope: the FDA-required labeling under 21 CFR Part 801 (device labeling) and the public-facing 510(k) summary / De Novo decision summary / PMA approval order published on FDA's website constitute the public disclosure surface; manufacturers typically also publish device-summary pages on their own websites with current model version and validation data. Use case is `healthcare`. Stack with HHS Section 1557 PCDST nondiscrimination obligations and with state-level rules like California SB 1120 — Physicians Make Decisions Act when the device is used in coverage decisions. The patient-facing element is conditional: most FDA-regulated AI/ML devices are clinician-facing tools, but where the device produces output that is shown to patients (e.g., consumer-facing diabetes risk estimators, certain digital health products), the AI/ML disclosure should be patient-facing. The 'mandatory' severity reflects that AI/ML modifications must be authorized — either through PCCP or through a new submission — and that labeling disclosure is required; the 'recommended' framing applies to design choices about how detailed to make the user-facing AI/ML summary. Verify against the current FDA guidance and any device-class-specific guidance before production deployment."
     }
   ]
 }