plainstamp 0.7.6 → 0.7.8

package/docs/guides/fcc-tcpa-ai-voice-robocall-builder-guide.md

@@ -0,0 +1,314 @@
+# FCC TCPA AI-voice robocall ruling: a builder's guide
+
+> **Informational only — not legal advice.** Verify against the cited
+> regulator-published text and consult counsel for production deployments.
+> See `AI-DISCLOSURE.md` in this package.
+
+If your product places calls to consumers using a synthesized voice —
+AI-generated voice agents, IVR systems with AI text-to-speech, voice
+cloning for personalized outreach, AI-assisted political campaign
+calls, AI-voice notifications, or AI-voice telemarketing — the **FCC's
+February 2024 Declaratory Ruling** under the Telephone Consumer
+Protection Act applies. The headline rule, in one sentence:
+*AI-generated voices in calls to consumers are "artificial or
+prerecorded voices" under the TCPA, and every such call requires the
+same prior consent and disclosure regime as any other robocall.*
+Statutory damages of $500 per call (up to $1,500 per willful
+violation) make this one of the highest-exposure federal AI rules
+operating today. This guide covers what the ruling requires, how it
+stacks with state robocall laws and California's bot-disclosure rule,
+why the calling cadence and consent-collection design matter as much
+as the on-call disclosure, and what governance any voice-agent
+deployment needs in place before the first call.
+
+## What the FCC Declaratory Ruling actually says
+
+On February 8, 2024, the FCC released [Declaratory Ruling, CG Docket
+No. 23-362, FCC 24-17](https://www.fcc.gov/document/fcc-makes-ai-generated-voices-robocalls-illegal),
+*"Implications of Artificial Intelligence Technologies on Protecting
+Consumers from Unwanted Robocalls and Robotexts."*
+
+The ruling does not amend the Telephone Consumer Protection Act
+(47 U.S.C. § 227) or the Commission's implementing rules at 47 CFR
+§ 64.1200. It clarifies that **the existing definition of "artificial
+or prerecorded voice" in 47 U.S.C. § 227(b)(1)(A)–(B) covers AI-
+generated voices** — voice clones, AI-synthesized speech, and any
+other voice output produced by an artificial-intelligence or
+machine-learning system in lieu of a human speaker.
+
+Three operative consequences:
+
+1. **AI-voice calls require prior consent.** A call to a wireless
+   number using an AI voice requires *prior express consent* (for
+   non-telemarketing/informational calls) or *prior express written
+   consent* (for telemarketing). A call to a residential landline for
+   telemarketing purposes also requires prior express written
+   consent.
+2. **AI-voice calls require caller identification and opt-out
+   disclosures on the call.** The TCPA's existing rules (47 CFR
+   § 64.1200(b)) — caller identification at the start of the call,
+   callback number, and (for telemarketing) interactive opt-out —
+   apply on the same terms as for human-recorded prerecorded calls.
+3. **AI-voice calls are subject to TCPA statutory damages.** Each
+   non-compliant call is a violation. $500 per call. Up to $1,500
+   per call for willful or knowing violations.
+
+The ruling is **interpretive** of the existing statute, not regulatory
+new law. But it has been treated as binding by enforcement actors
+(state AGs, the FCC, plaintiffs' bar) since publication.
+
+## What "AI-generated voice" actually covers
+
+The ruling's language is intentionally broad. It includes:
+
+- **Voice cloning** (a synthesized voice modeled on a specific real
+  human's voice).
+- **Pure AI voice synthesis** (a non-human voice generated from a
+  text-to-speech model — ElevenLabs, OpenAI TTS, Amazon Polly's
+  neural voices, etc.).
+- **AI-assisted IVR** (interactive voice response trees where the
+  voice prompts are AI-synthesized rather than pre-recorded by a
+  human voice actor).
+- **Voice agents that speak conversationally** (real-time AI voice
+  generation for interactive sales, customer support, or appointment
+  setting).
+- **AI-modulated human speech** where the synthesized output is
+  meaningfully shaped by an AI (e.g., voice-conversion of a live
+  agent's words to a different voice).
+
+It does **not** cover:
+
+- **Live human speech** placed via VoIP, even if AI is used for
+  routing, transcription, or screening.
+- **Live human speech with AI translation** played as a synthesized
+  voice (this is unsettled; conservative interpretation is that the
+  synthesized output is covered).
+- **Pre-recorded human voice prompts** in IVR (still covered by the
+  TCPA's "prerecorded voice" prong; not new under this ruling).
+
+## TCPA statutory damages: per-call exposure adds up fast
+
+The TCPA's statutory damages structure (47 U.S.C. § 227(b)(3))
+creates significant per-call exposure:
+
+- **$500 per call** in actual or statutory damages, whichever is
+  greater.
+- **Up to $1,500 per call** for willful or knowing violations
+  (judicial discretion).
+- **No cap** on aggregate damages; class actions routinely reach
+  $1M+ for moderate-volume non-compliant campaigns.
+- **Private right of action** in 47 U.S.C. § 227(b)(3) — consumers
+  can sue directly without involving the FCC.
+- **State Attorneys General** can also enforce, and many have AI-
+  voice initiatives.
+
+Concrete worst-case math: an AI-voice telemarketing campaign of
+10,000 calls placed without prior express written consent, identified
+in a class action: 10,000 × $500 = $5M minimum, up to $15M for
+willful violations.
+
+## Required elements of an AI-voice call
+
+Two layers of compliance: pre-call (consent collection) and at-call
+(in-message disclosures).
+
+### Pre-call: consent collection
+
+For any AI-voice call to a wireless number:
+- **Non-telemarketing / informational**: *prior express consent*
+  (oral or written).
+- **Telemarketing**: *prior express written consent*. Must be a
+  signed written agreement (electronic signatures count) that:
+  - Clearly authorizes the seller to place AI-voice or auto-dialed
+    calls.
+  - Includes the phone number to be called.
+  - Is not required as a condition of purchase.
+
+For residential landlines:
+- **Non-telemarketing / informational**: typically exempt; no consent
+  required.
+- **Telemarketing**: prior express written consent (some
+  exceptions for established business relationships, charitable
+  calls, calls by a tax-exempt non-profit).
+
+Production design implication: the consent UI that collects opt-in
+must capture the wireless/landline distinction, the call-purpose
+distinction (is this telemarketing?), and the specific phone number.
+A generic "I agree to receive communications" checkbox is insufficient
+for prior express written consent.
+
+### At-call: in-message required elements
+
+Every AI-voice call (47 CFR § 64.1200(b)):
+
+| Element | What it is |
+|---|---|
+| Caller identification | At the beginning of the message, state the identity of the business / individual / entity initiating the call. |
+| Callback number | Provide a phone number — *not* the autodialer or message player — that the consumer can use to make a do-not-call request. |
+| Interactive opt-out (telemarketing only) | An automated voice- or key-press-activated opt-out mechanism available throughout the call duration. Pressing the opt-out key must immediately end the call and add the consumer to the company-specific do-not-call list. |
+| AI-voice disclosure (best practice) | The FCC ruling does not strictly require a separate "this voice is AI" disclosure on the call, but commentary and several state laws strongly favor it. Conservative deployments add it. |
+
+Plain-language template that satisfies the federal requirements
+plus best-practice AI-voice disclosure:
+
+> *"This is an automated call from [business name]. The voice you
+> are hearing is an artificial or AI-generated voice, not a live
+> person. To stop receiving calls from us, please press [digit] or
+> call [phone number]."*
+
+Each element is mandatory; missing any of them is a TCPA violation
+on its own, regardless of the others.
+
+## How the ruling stacks with state robocall laws
+
+Several states have AI-voice or robocall rules that **add** to the
+federal floor:
+
+| Jurisdiction | Layer it adds |
+|---|---|
+| California (B&P § 17941, the "bot disclosure" law) | Bot must self-disclose its nature when interacting with a Californian for incentivizing a sale or influencing a vote. AI-voice agents that fall under this scope must disclose their nature on the call. |
+| California (AB 1018, vetoed Sep 2024 — monitor for re-introduction) | Would have specifically targeted AI voice clones in commercial contexts. |
+| Florida (501.059, the Florida Telephone Solicitation Act / "mini-TCPA") | Stricter than federal: prior express written consent for any auto-dialed solicitation call, $500 per violation, broad attorney's fee provision. AI-voice calls fall under the "auto-dialed" definition. |
+| Oklahoma (Telephonic Communications Act, OK Stat § 15-775C.1) | Requires consent for telemarketing calls; some AI-voice provisions in pending amendments. |
+| Pennsylvania (73 P.S. § 2241) | Requires opt-out keypress mechanism similar to TCPA. |
+| Washington (RCW 80.36.400) | Bans pre-recorded commercial calls absent consent; AI voice covered. |
+
+For multi-state callers, the right rule is the strictest applicable
+state rule, not federal alone. A national AI-voice telemarketing
+campaign must comply with Florida's mini-TCPA when reaching Florida
+numbers, the federal TCPA elsewhere, and California's bot disclosure
+when the recipient is in California.
+
+## How the ruling stacks with the EU AI Act
+
+If your AI-voice system reaches EU residents:
+
+- **EU AI Act Article 50(1)** (chatbot disclosure, applies from
+  August 2026): when an AI system is intended to interact directly
+  with natural persons, the persons must be informed they are
+  interacting with an AI system. AI voice agents fall under this.
+- **GDPR** generally: phone numbers + voice recordings are personal
+  data; lawful-basis and consent obligations apply on top of the AI
+  Act disclosure.
+
+For EU + US deployments, the disclosure copy must satisfy both. A
+single template that meets TCPA + EU AI Act 50(1) + California B&P
+§ 17941 is feasible — see `plainstamp lookup` queries below.
+
+## Why STIR/SHAKEN matters for AI-voice senders
+
+Separately from the Declaratory Ruling, the FCC has been advancing
+STIR/SHAKEN caller-ID authentication as the technical infrastructure
+for combating spoofed and AI-voice scam calls. Voice service
+providers must:
+
+- Authenticate calls leaving their network (sign with a SHAKEN
+  attestation level: A, B, or C).
+- Verify attestation on incoming calls.
+- Block calls that fail authentication or come from non-authenticated
+  providers under FCC rules.
+
+For legitimate AI-voice senders, the practical implication is that
+your call origination must be authenticated to a SHAKEN level that
+downstream carriers won't block. AI-voice calls placed without
+SHAKEN A-level attestation increasingly get filtered, blocked, or
+labeled "Likely Spam" / "Spam Risk" by mobile carriers, dramatically
+reducing reach.
+
+## Common compliance failure patterns
+
+- **No prior express written consent for telemarketing.** AI-voice
+  campaign uses a generic opt-in (e.g., "I agree to communications")
+  that doesn't meet the prior express written consent standard.
+  Per-call statutory exposure on every call placed.
+- **Caller identification missing or buried.** AI-voice call opens
+  with the marketing pitch instead of identifying the calling
+  business. TCPA violation per 47 CFR § 64.1200(b)(1).
+- **Callback number is the autodialer's number.** The opt-out path
+  must not be the autodialer / robocall service phone number — it
+  must be a separately-staffed or interactive line.
+- **No interactive opt-out on telemarketing calls.** Voice agent
+  doesn't honor "press 9 to opt out" or similar mechanism.
+- **Calling DNC-listed consumers.** AI-voice call placed to a
+  consumer who has previously opted out (via TCPA company-specific
+  DNC, the National DNC Registry, or a state DNC list).
+- **No SHAKEN attestation on call origination.** Calls get filtered
+  or labeled "Spam Risk," compliance issue downstream and reach
+  collapses.
+- **Multi-state campaign defaulting to federal alone.** Calls to
+  Florida numbers without Florida-mini-TCPA prior express written
+  consent; calls to California consumers without B&P § 17941 bot
+  disclosure.
+
+## How plainstamp helps
+
+`plainstamp` ships a `us-fcc-tcpa-ai-voice-robocall-2024` rule that
+returns the in-message disclosure-element checklist for AI-voice
+calls under the federal floor, plain-language and formal-language
+templates, citation back to TCPA + 47 CFR § 64.1200 + the FCC
+Declaratory Ruling, and a `last_verified` date. Lookup:
+
+```bash
+npx plainstamp lookup --jurisdiction us \
+                      --channel voice \
+                      --use-case b2c-marketing
+```
+
+For multi-state telemarketing, query state-level overlays:
+
+```bash
+npx plainstamp lookup --jurisdiction us-ca --channel voice --use-case b2c-marketing
+```
+
+For EU-reach calls:
+
+```bash
+npx plainstamp lookup --jurisdiction eu --channel voice --use-case b2c-marketing
+```
+
+The disclosure copy must satisfy each applicable layer.
+
+## The minimum viable compliance posture
+
+If your AI-voice deployment is starting from zero on TCPA + Declaratory
+Ruling compliance, ship these six artifacts in order:
+
+1. **Prior express written consent collection UI.** A consent flow
+   that captures the wireless/landline distinction, the call-purpose
+   distinction (telemarketing vs informational), and the specific
+   phone number to be called. Stored with audit-trail timestamps.
+2. **AI-voice call opening template.** Caller identification at the
+   start of the call, plus best-practice AI-voice disclosure.
+3. **Callback number infrastructure.** A separately-routed callback
+   number (not the autodialer) that consumers can use to make a
+   do-not-call request, with company-specific DNC list integration.
+4. **Interactive opt-out mechanism.** For telemarketing, voice and
+   key-press opt-out available throughout the call. Immediate
+   call-end + DNC-list update on activation.
+5. **DNC list checking.** Pre-call check against company-specific,
+   National DNC Registry, and applicable state DNC lists.
+6. **SHAKEN A-level attestation on call origination.** Through your
+   voice service provider; without this, AI-voice calls are
+   increasingly blocked or labeled.
+
+Then layer the higher-fidelity work — state-by-state overlays,
+political-campaign carve-outs (where applicable), legal-services
+restrictions, EU AI Act Article 50(1) compliance for EU-reach calls
+— onto the higher-volume use cases first.
+
+## Source-of-truth links
+
+- **FCC Declaratory Ruling (CG Docket No. 23-362, FCC 24-17)** ([fcc.gov](https://www.fcc.gov/document/fcc-makes-ai-generated-voices-robocalls-illegal))
+- **TCPA, 47 U.S.C. § 227** ([uscode.house.gov](https://uscode.house.gov/view.xhtml?req=granuleid:USC-prelim-title47-section227&num=0&edition=prelim))
+- **FCC implementing rules, 47 CFR § 64.1200** ([ecfr.gov](https://www.ecfr.gov/current/title-47/chapter-I/subchapter-B/part-64/subpart-L/section-64.1200))
+- **FCC Notice of Proposed Rulemaking on AI in calls and texts (April 2024)** ([fcc.gov](https://www.fcc.gov/document/fcc-proposes-disclosure-ai-generated-content-calls-and-texts))
+- **STIR/SHAKEN at the FCC** ([fcc.gov](https://www.fcc.gov/call-authentication))
+- **California B&P § 17941 (bot disclosure)** ([leginfo.legislature.ca.gov](https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=BPC&sectionNum=17941))
+
+`plainstamp` is maintained by an autonomous AI agent operating under
+KS Elevated Solutions LLC. Accuracy reports, rule-update suggestions,
+and security disclosures: [helpfulbutton140@agentmail.to](mailto:helpfulbutton140@agentmail.to).
+
+---
+
+[`← Back to plainstamp`](https://plainstamp.pages.dev/)

package/docs/guides/fda-pccp-aiml-medical-device-builder-guide.md

@@ -0,0 +1,333 @@
+# FDA PCCP for AI/ML medical devices: a builder's guide
+
+> **Informational only — not legal advice.** Verify against the cited
+> regulator-published text and consult counsel for production deployments.
+> See `AI-DISCLOSURE.md` in this package.
+
+If you're building an AI/ML-enabled medical device or device software
+function — a clinical decision-support tool that gets cleared by FDA,
+an imaging algorithm in a 510(k)-cleared scanner, an AI radiology
+triage system, an AI-driven continuous glucose monitor, or any other
+software-as-a-medical-device (SaMD) that uses machine learning — the
+**FDA Predetermined Change Control Plan (PCCP) framework** is the
+specific federal regulatory vehicle that lets you iterate on the
+model after authorization without filing a new submission for every
+update. This guide covers what § 515C of the FD&C Act actually
+requires, what a PCCP looks like in production, the labeling and
+public-summary disclosure obligations that come with it, how it
+stacks with HHS Section 1557 and state-level rules, and what
+governance any AI/ML device team needs in place before submission.
+
+## What FDA PCCP actually is
+
+The Federal Food, Drug, and Cosmetic Act § 515C (21 U.S.C. § 360e-4)
+was added by **Section 3308 of the Food and Drug Omnibus Reform Act
+of 2022** (FDORA, P.L. 117-328). It authorizes FDA to clear or
+approve a Predetermined Change Control Plan as part of an AI/ML
+device's marketing submission — meaning: the manufacturer pre-
+specifies the kinds of modifications it intends to make to the AI/ML
+algorithm post-authorization, the methods it will use to validate
+those modifications, and the assessment of their impact. Once FDA
+authorizes the PCCP, the manufacturer can implement modifications
+that conform to the plan without a new marketing submission.
+
+On December 4, 2024, FDA issued the [final guidance](https://www.fda.gov/regulatory-information/search-fda-guidance-documents/predetermined-change-control-plans-artificial-intelligence-enabled-device-software-functions),
+*"Predetermined Change Control Plans for Artificial Intelligence-
+Enabled Device Software Functions."* The final guidance applies to
+all medical devices regardless of pathway (510(k), De Novo, PMA)
+and supersedes the April 2023 draft. It is the authoritative
+reference for what a PCCP must contain, how to validate
+modifications, and how to disclose the AI/ML nature of the device
+to clinicians and patients.
+
+The framework solves a real problem. Before § 515C, any change to
+the algorithm of a cleared or authorized AI/ML device that affected
+the device's safety or effectiveness typically required a new
+510(k), De Novo, or PMA submission. Iterative model improvement
+became impractical: every meaningful retrain triggered a new
+regulatory cycle. PCCP lets manufacturers pre-authorize a bounded
+set of modifications (and the validation methods for each) so
+iteration can happen within the bounds the agency has reviewed.
+
+## What a PCCP must contain
+
+Per the final guidance, every PCCP comprises three components:
+
+### 1. Description of Modifications
+
+A specific list of the modifications the manufacturer intends to
+make to the AI-enabled device software function under the PCCP.
+Each modification must be:
+
+- **Specific.** "We may improve the algorithm" is not a modification
+  description. "We may retrain the model on additional pediatric
+  data drawn from the same patient population, with retrained
+  weights deployed only after the validation in the Modification
+  Protocol shows non-inferior sensitivity and specificity at the
+  authorized device's operating point" is.
+- **Bounded.** The set of permissible modifications is finite. The
+  PCCP must enumerate them; modifications outside the enumeration
+  require a new marketing submission.
+- **Predictable in impact.** The Description of Modifications
+  pairs with the Impact Assessment to show that the predicted impact
+  is positive or neutral, and that risks have been characterized.
+
+Common modification categories:
+- Retraining on additional data (with bounded data-distribution
+  assumptions).
+- Updates to feature engineering or input preprocessing.
+- Threshold adjustments at the operating point.
+- Performance improvements on specific subgroups.
+- Compatibility updates for new sensor inputs.
+
+### 2. Modification Protocol
+
+Methods to develop, validate, and implement the planned modifications.
+The Modification Protocol is the testable specification of how the
+manufacturer will know whether a proposed modification meets the
+required performance bar. It must include:
+
+- **Data management.** What data will be used for retraining; how
+  it's sourced; how data quality is maintained; how patient
+  populations are represented.
+- **Retraining methodology.** The algorithmic procedure used to
+  produce a candidate modified model.
+- **Performance evaluation.** The metrics the modified model must
+  meet — typically including sensitivity, specificity, AUC, and
+  fairness across demographic subgroups — and the operating points.
+- **Update procedures.** How the modification is deployed to the
+  device, including version control, rollback, and clinician
+  notification.
+
+The Modification Protocol is the most consequential part of a PCCP.
+A weak Modification Protocol can result in FDA limiting the PCCP's
+scope or refusing authorization.
+
+### 3. Impact Assessment
+
+Evaluation of the benefits and risks of each anticipated modification,
+including:
+
+- **Benefit characterization.** What the modification is intended to
+  improve and how it will be measured.
+- **Risk characterization.** Foreseeable risks the modification
+  introduces, and the controls that will detect or mitigate them.
+- **Cumulative-impact analysis.** Where multiple modifications could
+  compound, the assessment must consider their combined effect.
+- **Comparison against the authorized baseline.** Each modification
+  must perform at least as well as the originally authorized device
+  on the metrics that drove the original authorization.
+
+## Labeling and public-disclosure obligations
+
+PCCP doesn't change the underlying labeling regime under 21 CFR
+Part 801; it adds specific disclosure expectations on top.
+
+The device labeling (which includes the user manual, the
+manufacturer's product page, and FDA's public-facing 510(k) Summary,
+De Novo Decision Summary, or PMA Approval Order) must:
+
+1. **Disclose the AI/ML nature** of the device. State that the
+   device is an AI-enabled device software function and identify
+   the regulatory pathway and submission number.
+2. **Summarize the PCCP** where one is authorized. State the bounds
+   of the modifications that may be implemented without a new
+   submission.
+3. **Inform clinicians** that the device may be modified within the
+   PCCP without further FDA review.
+4. **Provide a current device summary** that reflects the current
+   model version, the validation data for that version, and the
+   cumulative record of PCCP-conforming modifications implemented to
+   date.
+
+A public-facing device-summary page, updated each time a PCCP-
+conforming modification is implemented, is the de facto best practice
+emerging from the December 2024 final guidance. FDA's own public-
+facing pages (510(k) Summary, etc.) reflect the original
+authorization; the manufacturer page is where current model state
+lives.
+
+Plain-language template that satisfies the labeling requirements:
+
+> *"This device incorporates an artificial intelligence or machine-
+> learning algorithm. The device has been authorized for marketing
+> by the U.S. Food and Drug Administration under [510(k) / De Novo
+> / PMA number]. The manufacturer's authorized marketing submission
+> includes a Predetermined Change Control Plan (PCCP) describing the
+> modifications that may be implemented to the device's algorithm
+> without a new FDA submission. For the current PCCP scope, the
+> device's intended use, validated performance, and the latest model
+> version, see the manufacturer's device summary at [URL]."*
+
+## How PCCP applies across pathways
+
+The final guidance applies to all device-pathway pathways, but the
+mechanics differ slightly:
+
+| Pathway | When PCCP fits | Common AI/ML device classes |
+|---|---|---|
+| **510(k)** (substantial equivalence) | PCCP filed alongside the 510(k) submission; FDA reviews and authorizes within the 510(k) timeframe. | Class II AI/ML devices: imaging triage, decision support, glucose monitors, ECG analyzers. |
+| **De Novo** (low-to-moderate-risk novel device) | PCCP filed in the De Novo request; authorized as part of the request. | Novel AI/ML diagnostics with no predicate device. |
+| **PMA** (premarket approval, Class III) | PCCP filed in the PMA module; supplemental approval. | High-risk AI/ML devices: certain implantables, some high-acuity diagnostics. |
+
+The 510(k) pathway is by far the most common for AI/ML devices —
+about 95% of FDA-authorized AI/ML medical devices are 510(k)-cleared.
+
+## How PCCP stacks with HHS Section 1557
+
+Section 1557's Patient Care Decision Support Tool (PCDST)
+nondiscrimination obligations (45 CFR § 92.210, effective 2025-05-01)
+operate at the **deployer** level — the covered entity that uses the
+device. PCCP operates at the **manufacturer** level — the entity
+that builds and authorizes the device.
+
+Both apply to the same AI/ML medical device:
+
+- **Manufacturer obligations** under FDA: PCCP-bounded modifications,
+  labeling disclosure, post-implementation transparency, ongoing
+  performance monitoring under 21 CFR Part 803 (medical device
+  reporting).
+- **Deployer obligations** under HHS Section 1557: PCDST inventory,
+  mitigation of discrimination risk, designated Civil Rights
+  Coordinator coverage, patient-facing notice where applicable.
+
+A hospital using an FDA-cleared AI radiology triage tool: the
+manufacturer's PCCP governs how the tool is updated; the hospital's
+Section 1557 PCDST process governs whether and how the tool is used,
+and how the hospital monitors for discriminatory output. Both
+obligations apply. See the [HHS Section 1557 builder's guide](/guides/hhs-section-1557-pcdst-builder-guide/)
+for the deployer side.
+
+## How PCCP stacks with state laws
+
+| State rule | How it stacks |
+|---|---|
+| **California SB 1120 (Physicians Make Decisions Act)** | Effective 2025-01-01. AI used in utilization review for medical-necessity decisions must be reviewed by a licensed physician. Layers on top of FDA pathway: FDA clears the device, SB 1120 governs how it can be used in California. |
+| **NYDFS October 2024 cybersecurity / AI guidance** | Applies to NYDFS-licensed entities. AI tool risks must be addressed in cybersecurity programs. AI/ML medical devices held by NY-licensed insurers fall in scope. |
+| **State medical-board AI rules** (TX, several others) | Govern how clinicians may use AI in scope of practice. Layer on top of the manufacturer-level FDA framework. |
+
+The right rule for production deployment is the strictest applicable
+overlay, not FDA alone.
+
+## How the public-facing device summary should evolve
+
+The December 2024 final guidance treats post-implementation
+transparency as integral to PCCP compliance. The public-facing
+device summary on the manufacturer's site is the practical surface.
+What it should contain:
+
+- **Current model version.** A version identifier the clinician can
+  cross-reference against the device labeling.
+- **Date of last modification.** When the most recent PCCP-conforming
+  change was implemented.
+- **Validation data for the current version.** Performance metrics
+  on the validation set, including subgroup performance where the
+  device is intended for diverse patient populations.
+- **PCCP scope.** The bounds of authorized modifications, summarized
+  for non-regulator readers.
+- **Cumulative modification log.** A chronological list of PCCP-
+  conforming modifications implemented since authorization.
+- **Contact for questions.** A path for clinicians and patients to
+  reach the manufacturer about the AI/ML nature of the device.
+
+A device summary that omits these elements is not yet aligned with
+the final guidance's expectations. Expect FDA to lean on this in
+post-market surveillance.
+
+## Common compliance failure patterns
+
+- **Modifications outside the authorized PCCP.** A retraining run
+  that uses a data source not covered in the Description of
+  Modifications. Even if the resulting model is "better," it
+  requires a new marketing submission.
+- **Modification Protocol that doesn't enforce its own metrics.** A
+  PCCP whose Modification Protocol describes validation but doesn't
+  state explicit pass/fail thresholds. FDA may treat post-
+  authorization changes as outside the PCCP's scope.
+- **No public-facing device summary.** Device labeling references a
+  PCCP but the manufacturer doesn't provide an updatable public
+  summary; clinicians can't tell what model version is currently
+  deployed.
+- **Section 1557 deployer obligations treated as the manufacturer's
+  responsibility.** The covered entity (hospital, FQHC, etc.) is
+  responsible for its own PCDST inventory and mitigation —
+  the manufacturer's FDA labeling does not satisfy the deployer's
+  HHS Section 1557 obligations.
+- **Cumulative-impact analysis missing.** PCCP allows multiple
+  modifications. Without a cumulative-impact assessment, drift over
+  many modifications can leave the device performing meaningfully
+  differently from the originally authorized baseline.
+- **Fairness / subgroup performance not in the Modification
+  Protocol.** A PCCP whose Modification Protocol only checks aggregate
+  performance metrics misses subgroup-level performance changes.
+  These can trigger Section 1557 disparate-impact concerns at the
+  deployer level — and create FDA postmarket safety issues.
+
+## How plainstamp helps
+
+`plainstamp` ships a `us-fda-pccp-aiml-device-software-2024` rule
+that returns the labeling-disclosure checklist, plain-language and
+formal-language device-labeling templates, citation back to FD&C Act
+§ 515C and the December 2024 FDA final guidance, and a
+`last_verified` date. Lookup:
+
+```bash
+npx plainstamp lookup --jurisdiction us \
+                      --channel about-page \
+                      --use-case healthcare
+```
+
+For California-operating manufacturers, layer SB 1120 on top:
+
+```bash
+npx plainstamp lookup --jurisdiction us-ca \
+                      --channel about-page \
+                      --use-case healthcare
+```
+
+## The minimum viable compliance posture
+
+If your AI/ML medical device is starting from zero on PCCP / labeling
+compliance, ship these six artifacts in order:
+
+1. **Authorized PCCP** in your marketing submission. Description of
+   Modifications, Modification Protocol with explicit pass/fail
+   thresholds, Impact Assessment with cumulative-impact analysis.
+2. **Device labeling** that discloses the AI/ML nature, summarizes
+   the PCCP, and points to the public-facing device summary URL.
+3. **Public-facing device summary page** with current model version,
+   date of last modification, validation data for the current
+   version, PCCP scope, cumulative modification log, contact path.
+4. **Modification implementation runbook.** A documented procedure
+   for going from "candidate modification" to "deployed PCCP-
+   conforming modification": validation against the Modification
+   Protocol, version-control update, labeling/summary update,
+   clinician notification, audit-trail entry.
+5. **Subgroup performance monitoring.** Ongoing monitoring that
+   detects performance drift overall AND across protected-class
+   subgroups, with thresholds that escalate to a new marketing
+   submission if exceeded.
+6. **Coordination path with deployers.** A documented contact and
+   escalation channel for hospital / FQHC / insurer customers
+   who need to satisfy their Section 1557 PCDST obligations.
+
+Then layer the higher-fidelity work — postmarket surveillance under
+21 CFR Part 803, risk-class-specific quality-system requirements
+under 21 CFR Part 820, sector-specific overlays — onto the higher-
+risk modification categories first.
+
+## Source-of-truth links
+
+- **FDA Final Guidance — PCCP for AI-Enabled Device Software Functions (December 2024)** ([fda.gov](https://www.fda.gov/regulatory-information/search-fda-guidance-documents/predetermined-change-control-plans-artificial-intelligence-enabled-device-software-functions))
+- **FD&C Act § 515C, 21 U.S.C. § 360e-4** ([uscode.house.gov](https://uscode.house.gov/view.xhtml?req=granuleid:USC-prelim-title21-section360e-4&num=0&edition=prelim))
+- **FDA Modernization Act of 2022 / FDORA (P.L. 117-328 Division FF Title III)** ([congress.gov](https://www.congress.gov/bill/117th-congress/house-bill/2617))
+- **21 CFR Part 801 (Device Labeling)** ([ecfr.gov](https://www.ecfr.gov/current/title-21/chapter-I/subchapter-H/part-801))
+- **FDA AI/ML-enabled medical device list** ([fda.gov](https://www.fda.gov/medical-devices/software-medical-device-samd/artificial-intelligence-and-machine-learning-aiml-enabled-medical-devices))
+
+`plainstamp` is maintained by an autonomous AI agent operating under
+KS Elevated Solutions LLC. Accuracy reports, rule-update suggestions,
+and security disclosures: [helpfulbutton140@agentmail.to](mailto:helpfulbutton140@agentmail.to).
+
+---
+
+[`← Back to plainstamp`](https://plainstamp.pages.dev/)