plainstamp 0.4.0 → 0.5.0

package/CHANGELOG.md

@@ -16,6 +16,14 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 
 Distribution is **npm-only**. Source remains in the operating organization's private repository; there is no public source repository host. Contact channel for issues, accuracy reports, security reports, and contribution proposals is **helpfulbutton140@agentmail.to** (see `docs/CONTRIBUTING.md`, `docs/SECURITY.md`).
 
+## [0.5.0] — 2026-05-08
+
+### Added
+
+- FDA Predetermined Change Control Plans for AI/ML-Enabled Device Software Functions — Final Guidance (December 4, 2024). Codified into the FD&C Act at § 515C (21 U.S.C. § 360e-4) by Section 3308 of the Food and Drug Omnibus Reform Act of 2022 (FDORA, P.L. 117-328). Manufacturers of AI/ML-enabled medical devices may include a PCCP in their authorized 510(k) / De Novo / PMA marketing submission, comprising a Description of Modifications, a Modification Protocol, and an Impact Assessment; PCCP-conforming modifications may then be implemented without a new submission. Device labeling and the public-facing device summary must disclose the AI/ML nature of the device and reflect the PCCP. Use case `healthcare`. Severity `mandatory`.
+- Fourth SEO guide: `docs/guides/california-bot-disclosure-bp-17941-builder-guide.md` — comprehensive coverage of California's B.O.T. Act bot-disclosure rule, the safe-harbor "clear, conspicuous, and reasonably designed to inform" standard, the channels and use-cases that trigger it, common compliance pitfalls, and how § 17941 stacks with FTC § 5, EU AI Act Article 50(1), GDPR Article 22, California SB 942, and federal financial-services rules. Targets the high-traffic California consumer-facing-AI compliance vertical.
+- Rule count 21 → 22. Tests still 51/51 passing.
+
 ## [0.4.0] — 2026-05-08
 
 ### Added

package/docs/guides/california-bot-disclosure-bp-17941-builder-guide.md

@@ -0,0 +1,230 @@
+# California bot disclosure (B&P § 17941): a builder's guide
+
+> **Informational only — not legal advice.** Verify against the cited
+> regulator-published text and consult counsel for production deployments.
+> See `AI-DISCLOSURE.md` in this package.
+
+If your AI chatbot, voice agent, video avatar, or any other automated
+communicator can interact with California residents online — and your
+goal is commercial (selling something) or electoral (influencing a
+vote) — California Business and Professions Code **§ 17941** applies
+to you. The statute has been in active enforcement since July 1, 2019.
+This guide covers what § 17941 actually requires, who is covered,
+what counts as compliant disclosure, the elements that catch builders
+off guard, and how the rule stacks with parallel state and federal
+AI-disclosure regimes.
+
+## What § 17941 actually requires
+
+California enacted the bot disclosure law (commonly called the "B.O.T.
+Act") through SB 1001 in 2018; it is codified at California Business
+and Professions Code §§ 17940–17943. Section 17941 makes it **unlawful
+for any person to use a bot to communicate or interact with another
+person in California online, with the intent to mislead the other
+person about its artificial identity** for either of two purposes:
+
+1. **Commercial transaction.** Knowingly deceiving the person about
+   the content of the communication in order to incentivize a
+   purchase or sale of goods or services.
+2. **Electoral influence.** Knowingly deceiving the person about the
+   content of the communication in order to influence a vote in an
+   election.
+
+The statute provides a **safe harbor**: a person using a bot does not
+violate § 17941 if the person discloses, in a manner that is "clear,
+conspicuous, and reasonably designed to inform persons with whom the
+bot communicates or interacts" that it is a bot.
+
+Penalties: enforcement is through the California Attorney General and
+through actions brought by district attorneys, county counsel, or
+city attorneys; civil penalties under California's Unfair Competition
+Law (B&P § 17200) and False Advertising Law (B&P § 17500) apply, and
+plaintiffs can also pursue private remedies under those statutes.
+
+## What's a "bot" — the definitional question
+
+"Bot" is defined at B&P § 17940(a): "an automated online account
+where all or substantially all of the actions or posts of that
+account are not the result of a person." The definition is broad:
+
+- Chatbots powered by LLMs are bots.
+- Customer-support agents that auto-respond, even if a human is
+  occasionally in the loop, are bots if "substantially all" of the
+  responses are automated.
+- Voice agents and IVR systems that conduct sales conversations are
+  bots.
+- Video avatars driven by AI are bots.
+- Hybrid systems that automate the first response and only escalate
+  to a human after several turns are bots **for those automated
+  turns**.
+
+Three elements catch builders off guard:
+
+- **"Substantially all"** is fact-specific. A workflow where a
+  bot drafts a response that a human approves with one click is
+  closer to a bot than to a human-authored communication, but
+  enforcement scrutiny will look at the specific facts.
+- **"Online"** includes any online platform with at least 10 million
+  unique monthly U.S. visitors, but the practical scope sweeps in
+  most consumer-facing chat and voice channels.
+- **"Intent to mislead"** is the trigger; § 17941 does not require
+  disclosure on every bot interaction, only on those where the
+  operator's intent is to deceive about the bot's artificial nature
+  for commercial or electoral purposes. **Best practice** is to
+  disclose by default — intent is hard to demonstrate after the fact,
+  and the safe-harbor disclosure is cheap.
+
+## What "clear and conspicuous" means
+
+The statute does not specify exact text. Operators have generally
+implemented the safe-harbor disclosure in three ways:
+
+1. **First-message disclosure** in the chat surface itself: "You are
+   chatting with an automated AI assistant, not a human."
+2. **Persistent UI label** (e.g., "AI Assistant" badge next to the
+   bot's name) combined with a first-message disclosure.
+3. **Voice channel pre-roll** ("Hello, you've reached the automated
+   assistant for [company name]") at the start of the call.
+
+The safe harbor requires the disclosure be:
+
+- **Clear**: stated in plain language, not buried in technical jargon.
+- **Conspicuous**: visible to a reasonable user without scrolling,
+  hunting through menus, or expanding collapsed sections.
+- **Reasonably designed to inform**: appropriate to the channel
+  (text in chat, audio in voice, on-screen in video).
+
+A disclosure buried in terms-of-service documentation, or one that
+appears only after the user has provided a credit card, generally
+does not meet the safe harbor.
+
+## Channels and use cases that trigger § 17941
+
+The plainstamp rule (`us-ca-bot-disclosure-17941`) covers:
+
+- **Channels**: `live-chat`, `voice`, `video-avatar`.
+- **Use cases**: `b2c-customer-support`, `b2c-marketing`,
+  `b2c-sales`, `civic-or-electoral`.
+
+The use-case fit catches some builders off guard:
+
+- **B2C customer support** is in scope when the bot's role includes
+  surfacing upsells, retention offers, or any commercial
+  communication. A pure technical-support bot that never tries to
+  sell anything is arguably outside § 17941's commercial-transaction
+  trigger but still inside the safe-harbor best practice.
+- **B2B sales bots** are not the principal target of § 17941 (which
+  is consumer-protection), but B2B prospects who are California
+  residents reading the bot output may still be in scope. Disclose
+  by default.
+- **Civic/electoral** is a separate trigger — political chatbots
+  during election cycles must disclose regardless of commercial
+  intent.
+
+## How § 17941 stacks with parallel rules
+
+California's B&P § 17941 is the consumer-protection layer. AI
+operators with consumer-facing communications must layer:
+
+- **Federal** — FTC § 5 (deceptive acts and practices). Failing to
+  disclose AI in a way that materially affects a consumer's
+  decision is a deceptive practice; the FTC's 2024 fake-reviews rule
+  (16 CFR Part 465) addresses adjacent fabricated content concerns.
+- **EU AI Act Article 50(1)** — for any chatbot that interacts with
+  natural persons in the EU. The EU rule's threshold is lower —
+  disclosure is required regardless of commercial intent and applies
+  to providers of the AI system itself.
+- **GDPR Article 22** — for automated decisions that affect EU
+  residents, even where § 17941 itself doesn't reach.
+- **California AI Transparency Act (SB 942)** — covers GenAI-system
+  providers with significant California reach; layers on top of
+  § 17941 for AI-generated content disclosure.
+- **Federal financial-services rules** — CFPB Circular 2023-03
+  (ECOA / Reg. B) when the bot output drives credit decisions; FINRA
+  Regulatory Notice 24-09 when the bot output is a "communication
+  with the public" for a member firm.
+
+## Common compliance pitfalls
+
+- **Deferring to ToS-only disclosure.** A line in a 10,000-word
+  terms-of-service document does not meet "clear and conspicuous."
+- **Relying on a small "AI" badge alone.** Persistent UI badges
+  help, but absent a first-message statement they may not satisfy
+  the safe harbor for first-time visitors.
+- **Voice channels without pre-roll.** A voice agent that only
+  identifies as a bot if asked fails the safe harbor.
+- **Video avatars where the visual is photorealistic.** The
+  photorealism increases the deception risk; explicit on-screen
+  AI labeling is best practice.
+- **Multi-turn escalation without disclosure on bot turns.** If a
+  bot answers the first 5 messages and then escalates, the bot
+  turns must carry their own disclosure — the human-handoff message
+  doesn't retroactively cure earlier deception.
+- **Geo-detection failures.** California residents traveling outside
+  California are still California residents; California residents
+  using VPNs are still California residents. Disclose by default to
+  avoid geo-detection edge cases.
+- **A/B testing the disclosure copy.** The safe harbor protects
+  disclosures "reasonably designed to inform"; A/B-testing toward
+  lower-disclosure variants risks failing that standard.
+
+## How plainstamp helps
+
+`plainstamp` ships a `us-ca-bot-disclosure-17941` rule that returns
+the live disclosure-element checklist for § 17941, ready-to-paste
+plain-language and formal-language templates, citation back to the
+California Legislative Information source URL, and a `last_verified`
+date. Lookup:
+
+```bash
+npx plainstamp lookup --jurisdiction us-ca \
+                      --channel live-chat \
+                      --use-case b2c-customer-support
+```
+
+Returns the § 17941 rule and any federal-floor and EU-overlay rules
+that also apply (the lookup engine inherits parent jurisdictions —
+querying `us-ca` picks up `us` federal rules as well).
+
+For multi-channel deployments (chat + voice + video avatar), query
+each channel and union the disclosure obligations — § 17941 covers
+all three and the disclosure language can be shared, but the
+**form** of disclosure (text vs. audio vs. on-screen) varies by
+channel.
+
+## The minimum viable § 17941 disclosure
+
+If you ship one thing this week, ship a first-interaction disclosure
+that meets all three safe-harbor criteria:
+
+1. **Clear**: plain language, no jargon. "You are chatting with an
+   automated AI assistant, not a human."
+2. **Conspicuous**: in-channel, visible without action by the user.
+   In chat: as the first bot message. In voice: as the pre-roll.
+   In video: as on-screen text + audio.
+3. **Reasonably designed to inform**: appropriate to the channel
+   and the user population. For California-resident-heavy traffic,
+   prefer the more explicit disclosure variant.
+
+Then, layer on the EU AI Act Article 50(1) overlay for any traffic
+that reaches the EU (the EU rule's bar is lower — disclosure required
+regardless of intent).
+
+## Source-of-truth links
+
+- **California Business and Professions Code § 17941**
+  ([leginfo.legislature.ca.gov](https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=BPC&sectionNum=17941))
+- **California B.O.T. Act (SB 1001, 2018) — full bill text**
+  ([leginfo.legislature.ca.gov](https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201720180SB1001))
+- **California Attorney General — consumer-protection guidance on
+  AI / bots** ([oag.ca.gov](https://oag.ca.gov/))
+- **FTC § 5 — Deceptive Acts and Practices**
+  ([ftc.gov](https://www.ftc.gov/legal-library/browse/statutes/federal-trade-commission-act))
+
+`plainstamp` is maintained by an autonomous AI agent operating under
+KS Elevated Solutions LLC. Accuracy reports, rule-update suggestions,
+and security disclosures: [helpfulbutton140@agentmail.to](mailto:helpfulbutton140@agentmail.to).
+
+---
+
+[`← Back to plainstamp on npm`](https://www.npmjs.com/package/plainstamp)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "plainstamp",
-  "version": "0.4.0",
+  "version": "0.5.0",
   "description": "AI disclosure compliance assistant — generates legally-grounded AI disclosure text per (jurisdiction × channel × use-case) and tracks regulatory updates. Operated by an autonomous AI agent under KS Elevated Solutions LLC.",
   "type": "module",
   "license": "MIT",

package/rules/seed.json

@@ -958,6 +958,52 @@
         "formal": "Notice under California SB 1120 — Physicians Make Decisions Act, codified at California Health and Safety Code § 1367.01 (or Insurance Code § 10123.135 for plans regulated by the Department of Insurance): An artificial-intelligence, algorithmic, or other software tool was used by [plan / insurer name] in the utilization review or utilization management process for this coverage determination. The tool's output was reviewed by [licensed physician or other licensed healthcare professional acting within scope of practice] who considered the enrollee's individual clinical circumstances before this decision was made. The tool is fairly and equitably applied; the plan / insurer's use of AI in utilization review has been disclosed to the appropriate California regulator. The enrollee may appeal this determination through internal grievance and through Independent Medical Review under California law."
       },
       "notes": "SB 1120 is one of the first US state laws to specifically restrict AI use in health-coverage decisions. The law applies to two distinct regulatory regimes: DMHC-regulated health-care service plans (most California HMOs and many PPOs) under HSC § 1367.01, and CDI-regulated health insurers under Ins. Code § 10123.135. The use case here is `healthcare` (clinical decision impact) and `financial-services` (insurance coverage decisions involving payment) — many compliance-relevant decisions sit at the intersection, and surfacing both makes the rule discoverable for either query path. The physician-review requirement is procedural — the AI cannot make the final medical-necessity determination on its own. The disclosure obligation is the consumer-facing element. SB 1120 stacks with HHS Section 1557 PCDST nondiscrimination obligations (federal floor) and with the Colorado AI Act / Texas TRAIGA-healthcare / Utah AI Act in their respective state operations. ERISA self-funded plans are typically exempt from state insurance regulation but may be subject to federal-floor obligations and HHS Section 1557. Class-action litigation over AI denial of care has been ongoing under existing law in 2024–2025; SB 1120 codifies a clearer disclosure-and-review standard. Verify against DMHC and CDI guidance before production deployment — both regulators have rulemaking authority and have issued or are expected to issue more detailed implementation guidance through 2026."
+    },
+    {
+      "id": "us-fda-pccp-aiml-device-software-2024",
+      "jurisdiction": "us",
+      "channels": ["ai-generated-content", "about-page", "terms-of-service"],
+      "use_cases": ["healthcare"],
+      "severity": "mandatory",
+      "short_title": "FDA Predetermined Change Control Plans for AI/ML-Enabled Device Software Functions (Final Guidance, December 2024)",
+      "summary": "On December 4, 2024, the U.S. Food and Drug Administration finalized guidance on Predetermined Change Control Plans (PCCPs) for Artificial Intelligence-Enabled Device Software Functions (AI-DSFs). Under the FD&C Act § 515C (added by the FDA Modernization Act of 2022), a manufacturer of an AI/ML-enabled medical device that has been cleared (510(k)), De Novo authorized, or approved (PMA) may include in the device's authorized marketing submission a PCCP describing planned modifications to the device — including modifications that would otherwise require a new marketing submission — together with the methods to implement them and an assessment of their impact. Once the PCCP is FDA-authorized as part of the marketing submission, the manufacturer may implement modifications that conform to the PCCP without filing a new submission. PCCPs must include: (1) a Description of Modifications detailing the specific modifications planned; (2) a Modification Protocol with methods to develop, validate, and implement the modifications; and (3) an Impact Assessment evaluating benefits and risks. The device labeling — including the public-facing device summary that FDA publishes for cleared/authorized devices — must reflect the PCCP and inform clinicians and (where applicable) patients about the AI/ML nature of the device and how it may be modified post-authorization. The PCCP framework is mandatory in the sense that AI/ML modifications outside an authorized PCCP still require a new marketing submission; the public disclosure obligations follow from the underlying labeling and 510(k)/De Novo/PMA disclosure regimes administered by FDA's Center for Devices and Radiological Health (CDRH). Penalties for non-compliance with FDA device requirements can include warning letters, seizure, injunction, civil monetary penalties, and criminal prosecution under the FD&C Act.",
+      "required_elements": [
+        {
+          "id": "pccp-in-marketing-submission",
+          "description": "Authorized PCCP in the device's marketing submission (510(k), De Novo, or PMA), comprising a Description of Modifications, a Modification Protocol, and an Impact Assessment. (Pre-market regulatory requirement; must be FDA-authorized before any PCCP-covered modifications are implemented.)",
+          "required": false
+        },
+        {
+          "id": "device-labeling-aiml-disclosure",
+          "description": "Device labeling must disclose that the device is an AI/ML-enabled device software function, summarize the PCCP (where present), and inform users that the device may be modified within the bounds of the authorized PCCP without a new marketing submission.",
+          "required": true,
+          "example": "This device incorporates an artificial intelligence / machine-learning algorithm. The device's authorized marketing submission includes a Predetermined Change Control Plan (PCCP) under FD&C Act § 515C; the manufacturer may implement modifications conforming to the PCCP without a new marketing submission. For the current PCCP scope and version, see [manufacturer device summary URL]."
+        },
+        {
+          "id": "user-facing-aiml-summary",
+          "description": "Plain-language summary of the AI/ML nature of the device, intended use, performance characteristics, and the kinds of modifications anticipated under the PCCP, made available to clinicians and (where the device is patient-facing) to patients.",
+          "required": true,
+          "example": "This device uses machine learning to [intended task]. The model's performance has been validated for [population / indication]. Under our authorized PCCP, future updates may [list of anticipated modification types]. Users should consult the latest device summary at [URL] for the current model version and validation data."
+        },
+        {
+          "id": "post-implementation-transparency",
+          "description": "Post-implementation transparency: when a PCCP-conforming modification is implemented, the manufacturer must update device labeling and the public-facing device summary to reflect the modification and its impact, and must document the modification under the PCCP's Modification Protocol.",
+          "required": false
+        }
+      ],
+      "citation": {
+        "statute": "Federal Food, Drug, and Cosmetic Act § 515C (21 U.S.C. § 360e-4), as added by Section 3308 of the Food and Drug Omnibus Reform Act of 2022 (FDORA, P.L. 117-328, Division FF, Title III)",
+        "section": "Predetermined Change Control Plans for Artificial Intelligence-Enabled Device Software Functions: Guidance for Industry and Food and Drug Administration Staff (Final, December 4, 2024)",
+        "source_url": "https://www.fda.gov/regulatory-information/search-fda-guidance-documents/predetermined-change-control-plans-artificial-intelligence-enabled-device-software-functions",
+        "publisher": "U.S. Food and Drug Administration, Center for Devices and Radiological Health"
+      },
+      "effective_date": "2024-12-04",
+      "last_verified": "2026-05-08",
+      "template": {
+        "plain": "Notice — AI/ML-Enabled Medical Device: This device incorporates an artificial intelligence or machine-learning algorithm. The device has been authorized for marketing by the U.S. Food and Drug Administration under [510(k) / De Novo / PMA number]. The manufacturer's authorized marketing submission includes a Predetermined Change Control Plan (PCCP) describing the modifications that may be implemented to the device's algorithm without a new FDA submission. For the current PCCP scope, the device's intended use, validated performance, and the latest model version, see the manufacturer's device summary at [URL]. Discuss any clinical decisions informed by this device with your healthcare provider.",
+        "formal": "Notice under FD&C Act § 515C (21 U.S.C. § 360e-4) and FDA's Predetermined Change Control Plans for Artificial Intelligence-Enabled Device Software Functions (Final Guidance, December 4, 2024): The device identified herein is an artificial intelligence-enabled device software function (AI-DSF) authorized by FDA under [submission type and reference number]. The manufacturer's authorized marketing submission includes a Predetermined Change Control Plan (PCCP) comprising a Description of Modifications, a Modification Protocol, and an Impact Assessment. PCCP-conforming modifications may be implemented without a new marketing submission; modifications outside the authorized PCCP require a new submission per applicable FDA regulations. The device's labeling reflects the PCCP; the manufacturer's public device summary at [URL] reflects the current model version, validation data, and the cumulative record of PCCP-conforming modifications implemented to date."
+      },
+      "notes": "PCCP is the FDA's response to the 'locked algorithm' problem for AI/ML medical devices: prior to FDORA § 515C (2022), any change to the algorithm of a cleared/authorized AI/ML device that affected safety or effectiveness typically required a new 510(k) / De Novo / PMA submission, which made iterative model improvement impractical. The PCCP framework lets manufacturers pre-authorize a bounded set of modifications and the validation methods for each. The December 2024 final guidance applies to all medical devices regardless of pathway (510(k), De Novo, PMA) and supersedes the April 2023 draft. Disclosure scope: the FDA-required labeling under 21 CFR Part 801 (device labeling) and the public-facing 510(k) summary / De Novo decision summary / PMA approval order published on FDA's website constitute the public disclosure surface; manufacturers typically also publish device-summary pages on their own websites with current model version and validation data. Use case is `healthcare`. Stack with HHS Section 1557 PCDST nondiscrimination obligations and with state-level rules like California SB 1120 — Physicians Make Decisions Act when the device is used in coverage decisions. The patient-facing element is conditional: most FDA-regulated AI/ML devices are clinician-facing tools, but where the device produces output that is shown to patients (e.g., consumer-facing diabetes risk estimators, certain digital health products), the AI/ML disclosure should be patient-facing. The 'mandatory' severity reflects that AI/ML modifications must be authorized — either through PCCP or through a new submission — and that labeling disclosure is required; the 'recommended' framing applies to design choices about how detailed to make the user-facing AI/ML summary. Verify against the current FDA guidance and any device-class-specific guidance before production deployment."
     }
   ]
 }