TCPA Disclosure · Master Compliance Document

Iberlux Insurance Agency LLC — Motor de Leads

Document Title: TCPA Disclosure, Consent Variants, and Outbound Communications Compliance Manual Version: 4.0 (FCC 2024 One-to-One Consent Rule Compliant) Effective Date: 2026-04-30 Last Updated: 2026-04-30 Document Owner: Daniel Velasco · Nelson [Last Name] · Outside Counsel of Record Classification: Operative Compliance Document Supersedes: v3.0 (2026-04-30)

0. Purpose and Scope

This document is the definitive operative compliance manual governing all telephonic, SMS, MMS, RCS, email, pre-recorded, artificial-voice, and AI-assisted (“Vapi.ai”) outbound communications conducted by Iberlux Insurance Agency LLC (“Iberlux,” “we,” “us”) and its agents, employees, contractors, vendors, and lead buyers, in connection with the lead-generation and insurance-marketing operations of the Motor de Leads platform.

The document discharges Iberlux’s compliance duties under, without limitation:

Telephone Consumer Protection Act of 1991, 47 U.S.C. § 227 (“TCPA”)
FCC Implementing Regulations, 47 C.F.R. § 64.1200 et seq.
FCC 2024 Order on One-to-One Consent, FCC 23-107 (rel. Dec. 18, 2023), amending 47 C.F.R. § 64.1200(f)(8) — effective January 27, 2025 (status as of Q1 2026 noted in §3.4)
Telemarketing Sales Rule (“TSR”), 16 C.F.R. § 310 (FTC)
Federal Do-Not-Call Registry rules (47 C.F.R. § 64.1200(c))
STIR/SHAKEN authentication rules (47 C.F.R. § 64.6300 et seq.)
CAN-SPAM Act (15 U.S.C. § 7701 et seq.) for email
State analogues including the Florida Telephone Solicitation Act (“FTSA,” Fla. Stat. § 501.059); the Washington Commercial Electronic Mail Act (“CEMA,” RCW 19.190); California Civil Code §§ 1798.100 et seq. and § 17529.5; Texas Business & Commerce Code § 305 et seq.; New York General Business Law § 399-pp; Colorado Consumer Protection Act and Colorado AI Act (SB 24-205); New Jersey, Arizona, Illinois, Nevada, New Mexico, and Utah analogues.

This document operates in conjunction with, and is incorporated by reference into:

_docs/legal/privacy-policy.md
_docs/legal/terms-of-service.md
_docs/legal/recording-disclosure.md
_docs/legal/affiliate-agreement.md

In the event of any conflict between this document and the foregoing, this document controls with respect to TCPA, telemarketing, and outbound-communication compliance.

1. Definitions

The following definitions govern interpretation of this document. Where a term is defined under a statute or regulation, the statutory definition controls. The following are working definitions for operational purposes.

“ATDS” or “Automatic Telephone Dialing System” — Equipment that has the capacity (a) to store or produce telephone numbers to be called using a random or sequential number generator, and (b) to dial such numbers, as construed by the Supreme Court in Facebook, Inc. v. Duguid, 141 S. Ct. 1163 (2021). Iberlux assumes that any predictive dialer capable of being configured to use a random/sequential generator may be deemed an ATDS by certain courts notwithstanding Duguid.

“Artificial or Pre-Recorded Voice” — Any voice message that is not delivered live by a human in real time, including text-to-speech (“TTS”), AI-generated synthetic voice (e.g., Vapi.ai, ElevenLabs, OpenAI Realtime), and pre-recorded WAV/MP3 audio. Calls placed using artificial or pre-recorded voice for marketing purposes are governed by 47 C.F.R. § 64.1200(a)(2)–(3) and require prior express written consent regardless of the calling technology.

“Auto-Dialer” — A colloquial superset of ATDS used in this document to refer to any automated outbound dialing technology including ATDS, predictive dialer, progressive dialer, preview dialer, and AI-orchestrated outbound platforms. For purposes of consent capture, Iberlux treats auto-dialer use as triggering the highest applicable consent standard.

“Express Consent” — Oral or written consent given freely by the called party authorizing the caller to place non-marketing or informational calls/texts to the consumer. Generally sufficient for non-marketing calls (e.g., transactional appointment confirmations) but not sufficient for marketing under 47 C.F.R. § 64.1200(a)(2).

“Express Written Consent” or “Prior Express Written Consent” (“PEWC”) — A written agreement, bearing the signature (including electronic signature under E-SIGN, 15 U.S.C. § 7001) of the consumer to be called, that clearly authorizes the seller to deliver, or cause to be delivered to the consumer, advertisements or telemarketing messages using an ATDS or an artificial/pre-recorded voice, and the telephone number to which the messages may be delivered. The agreement must include a clear and conspicuous disclosure that: (i) the consumer authorizes the seller to deliver such advertisements or telemarketing messages using such technology; and (ii) the consumer is not required to sign the agreement (directly or indirectly) or agree to enter into such an agreement as a condition of purchasing any property, goods, or services. 47 C.F.R. § 64.1200(f)(9).

“FCC 2024 One-to-One Consent Rule” — The amendment to 47 C.F.R. § 64.1200(f)(8) adopted in FCC 23-107 requiring that prior express written consent be given to one identified seller at a time and be logically and topically associated with the interaction that prompted the consent. Bulk consent for “marketing partners” or undifferentiated lists is not compliant.

“Lead Buyer” — A licensed insurance carrier, agency, agent, or aggregator that purchases or receives lead data from Iberlux pursuant to a written buyer agreement that incorporates by reference Iberlux’s compliance requirements.

“Pre-Recorded Voice Message” / “Voicemail Drop” — A message delivered to a consumer’s voicemail or live answering party by means of a previously recorded audio file or synthesized voice. Subject to 47 C.F.R. § 64.1200(b) identification requirements within the first 5 seconds and §64.1200(b)(3) interactive opt-out mechanism.

“STIR/SHAKEN” — The Secure Telephone Identity Revisited / Signature-based Handling of Asserted Information using toKENs framework mandated under the TRACED Act (47 U.S.C. § 227b) and FCC rules. Calls signed at “Attestation A” indicate that the originating service provider has authenticated the calling party and has confirmed they are authorized to use the calling number. Iberlux requires Attestation A on all outbound calls; sub-A attestation calls are blocked at the carrier layer.

“Vapi.ai Call” or “AI Conversational Call” — A live, two-way telephone interaction in which one party is an artificial intelligence system (LLM-orchestrated voice agent). For TCPA purposes Iberlux conservatively classifies all Vapi.ai marketing calls as artificial voice calls under § 64.1200(a)(3) requiring PEWC, irrespective of evolving FCC interpretation.

“Quiet Hours” — 8:00 a.m. to 9:00 p.m. at the called party’s local time under federal TCPA, with stricter state windows (e.g., Florida 8 a.m.–8 p.m.) controlling where applicable.

“Revocation” or “Opt-Out” — Any expression by the consumer, by any reasonable means (verbal, written, digital, SMS keyword, email reply), of an intent to cease receiving calls, texts, or other communications. Per FCC 2024 Report and Order on revocation (FCC 24-24, eff. Apr. 11, 2025), Iberlux honors revocation made by any reasonable means within 10 business days; internal SLA: 24 hours as a defensive matter.

“Suppression List” — The internal database of consumer contact identifiers (phone, email, hashed) that Iberlux and its vendors must screen against before initiating any outbound communication.

2. Iberlux TCPA Compliance Framework — Overall Approach

Iberlux operates a defense-in-depth TCPA compliance program premised on the following pillars:

PEWC Capture at the Source. Every consumer record originates from an Iberlux-controlled or -audited form bearing one of the five (5) Approved Consent Variants set forth in §4. Off-platform “pre-existing relationship” consent is not relied upon for marketing.
Third-Party Verification. Every form submission is independently witnessed by Jornaya LeadID (a Verisk product) and TrustedForm (an ActiveProspect product). Both tokens are captured and pinned at submission, and the consent ceremony is replayable for evidentiary purposes.
Pre-Call Cleansing. No outbound call, SMS, or pre-recorded message is placed without (a) federal DNC scrub, (b) state-level DNC scrub for the recipient’s state of record, (c) BlackList Alliance / DNC.com litigator-screen scrub, (d) internal suppression scrub, and (e) STIR/SHAKEN Attestation A signing via Numeracle/Twilio.
One-to-One by Default. Variant E (FCC 2024-compliant single-seller) is the default production variant for all new launches. Variants A–D remain available only for legacy campaigns under express counsel approval.
Quiet Hours Enforcement. The dialer enforces 8 a.m.–9 p.m. local time at the recipient’s location based on phone NPA-NXX geocoding plus self-reported state, with the more restrictive state-local window controlling where applicable.
Revocation Universality. Any opt-out captured on any channel propagates to all channels (calls, SMS, email, mail, ringless voicemail) and to all Lead Buyers within 24 hours.
Audit Trail Persistence. All consent and revocation events are stored in the Supabase tcpa_consents and tcpa_revocations tables for a minimum of four (4) years post last contact, with independent immutable backup to Cloudflare R2 with object-lock.
Counsel Sign-Off Gate. No new disclosure language, dialer configuration, AI script, or buyer onboarding occurs without documented counsel review, time-stamped in the _docs/legal/counsel-approvals/ directory.

3. Regulatory Landscape Summary (2024–2026)

3.1 Statutory damages

The TCPA private right of action provides $500 per negligent violation and up to $1,500 per willful violation (47 U.S.C. § 227(b)(3)). State analogues sometimes stack:

Florida FTSA: $500 base, $1,500 willful per violation (Fla. Stat. § 501.059(10))
Washington CEMA: $500 per email/text violation (RCW 19.190.040)
Oklahoma TCPA: $500–$1,500 per call (Okla. Stat. tit. 15 § 775C.1 et seq.)

Class-action exposure routinely yields eight- and nine-figure settlements. Recent data points relevant to underwriting Iberlux’s exposure:

Mosaic Sales Solutions / Resort Marketing Group $5M+ class settlement (2023) — multi-buyer consent invalidated under one-to-one principle.
Bradley v. DentaQuest USA Ins. Co., No. 4:23-cv-04146 (S.D. Tex. 2024) — broker-buyer consent failure.
Soliman v. Subway Franchisee Advert. Fund Trust, Ltd., 999 F.3d 828 (2d Cir. 2021) — revocation by any reasonable means.
Powers v. One Source (TCPA litigator-screening case, 2024) — admonishing reliance on lead aggregator consent without auditable token.

3.2 Facebook v. Duguid and ATDS scope

Facebook, Inc. v. Duguid, 141 S. Ct. 1163 (2021), narrowed ATDS to systems with capacity to use a random or sequential number generator. Iberlux does not rely on Duguid as a defense: outbound systems are configured to be “list-based” (uploaded targeted lists), but the artificial/pre-recorded voice prong of § 64.1200(a)(3) still triggers PEWC regardless of dialing technology. See Borden v. eFinancial, LLC, 53 F.4th 1230 (9th Cir. 2022) (clarifying generator capacity).

3.3 In re Amerifactors / Insurance Marketing Coalition Ltd. v. FCC

The FCC’s One-to-One Order has been challenged in the Eleventh Circuit. Iberlux does not rely on potential vacatur as a compliance posture. The default Variant is E (compliant) regardless of Eleventh Circuit outcome.

3.4 FCC 2024 One-to-One Rule — Status as of April 2026

The Eleventh Circuit’s decision in Insurance Marketing Coalition Ltd. v. FCC, No. 24-10277, vacated portions of the rule (Jan. 24, 2025), creating uncertainty in the 11th Circuit. As of Q1 2026, enforcement remains active in other circuits and the FCC has signaled intent to re-promulgate. Iberlux’s posture: Variant E is the default. Variants A–D may be deployed only on legacy campaigns with documented counsel approval and only in non-Eleventh-Circuit-protected campaigns. This posture is reviewed quarterly.

3.5 FCC 2024 Revocation Order

FCC 24-24 (rel. Feb. 15, 2024; eff. Apr. 11, 2025) codified that revocation may be made by any reasonable means, must be honored across all channels operated by the seller, and must be processed within 10 business days. Iberlux’s internal SLA is 24 hours.

The following five variants are the only language permitted to appear adjacent to a consent checkbox on any Iberlux-operated or -authorized lead form. Word-for-word fidelity is mandatory. Substantive deviations require counsel re-approval and a new disclosure version number.

For each variant the document provides:

Exact ESPAÑOL text
Exact ENGLISH text
Form-design rules
Audit-trail capture requirements
Storage requirements

4.A. Variant A · Universal Multi-Buyer (Legacy)

Status: Legacy. Use only with EXTRA caution post-FCC 2024. Requires written counsel approval per campaign. Not for new campaigns.

Use cases (legacy only): Term Life · Dental · IUL · Final Expense · Supplementary, where the campaign predates Jan 27, 2025 and was disclosed under a multi-buyer model.

ESPAÑOL — Variant A

☐ Al marcar esta casilla y hacer clic en “Cotizar Gratis”, doy mi consentimiento previo expreso por escrito para que Iberlux Insurance Agency LLC y hasta diez (10) de sus socios licenciados de marketing y aseguradores (cuya lista actualizada está disponible en iberluxseguros.com/socios) me contacten al número de teléfono y dirección de correo electrónico que proporcioné, sobre productos de seguros y servicios relacionados, mediante:

(a) Llamadas en vivo o pregrabadas y mensajes de voz artificial; (b) Llamadas realizadas mediante un sistema automático de marcación; (c) Mensajes de texto SMS/MMS (aplican tarifas estándar de mensajes y datos de su operador); y (d) Correo electrónico;

aún si mi número está en un Registro federal o estatal de No Llamar. Comprendo que el consentimiento NO es condición de compra de ningún producto o servicio, y que puedo revocarlo en cualquier momento respondiendo STOP a un SMS, diciendo verbalmente “no me llames” o “alto” al agente, haciendo clic en “cancelar suscripción” en un correo, o escribiendo a stop@iberlux.com. La frecuencia de mensajes varía. Acepto la Política de Privacidad y los Términos del Servicio.

ENGLISH — Variant A

☐ By checking this box and clicking “Get My Free Quote”, I provide my prior express written consent for Iberlux Insurance Agency LLC and up to ten (10) of its licensed marketing and insurance partners (a current list of which is available at iberluxseguros.com/partners) to contact me at the telephone number and email address I provided, regarding insurance products and related services, including via:

(a) Live or pre-recorded voice calls and artificial voice messages; (b) Calls placed using an automatic telephone dialing system; (c) SMS/MMS text messages (standard message and data rates from your carrier may apply); and (d) Email;

even if my number is on a federal or state Do Not Call Registry. I understand that consent is NOT a condition of purchase of any product or service, and that I may revoke consent at any time by replying STOP to a text, telling the caller verbally to stop, clicking “unsubscribe” in any email, or emailing stop@iberlux.com. Message frequency varies. I agree to the Privacy Policy and Terms of Service.

Variant A — Form-Design Rules

Checkbox MUST be unchecked by default. Pre-checking is a per se violation of 47 C.F.R. § 64.1200(f)(9).
Disclosure font ≥ 12 pt desktop / 14 pt mobile; line-height ≥ 1.4; contrast ratio ≥ 4.5:1 against background (WCAG AA).
Disclosure must be immediately adjacent to (above or directly preceding) the submit button, with no intervening UI elements other than the checkbox itself.
Submit button text MUST match disclosure text exactly (“Get My Free Quote” / “Cotizar Gratis”).
Hyperlinks to Privacy Policy and Terms must be visible (underlined or visually distinct), not hidden inside a “more info” expander.
Mobile rendering verified at 375 px viewport (iPhone SE) — disclosure must be readable without horizontal scroll.

Variant A — Audit Trail Capture

Mandatory fields (see §7 schema): disclosure_version = "v4.0_variantA", plus full list of partners shown (partner_list_hash) and a snapshot URL.

Variant A — Storage

Minimum 4 years post last contact. Archive in tcpa_consents_archive indefinitely (target: 10 years to cover state-extended limitations). Immutable backup to Cloudflare R2 object-lock daily.

4.B. Variant B · ACA / Marketplace Health (Affordable Care Act / Medicare-bridge)

Use cases: ACA Marketplace plans, off-exchange individual health, ACA-subsidy intake, Medicare-bridge (ages 60–64).

ESPAÑOL — Variant B

☐ Al marcar esta casilla y hacer clic en “Encontrar Mi Plan”, doy mi consentimiento previo expreso por escrito para que Iberlux Insurance Agency LLC me contacte al número de teléfono y correo electrónico que proporcioné, con respecto a planes de seguro de salud disponibles a través del Mercado de la Ley de Cuidado de Salud Asequible (ACA Marketplace) y planes privados similares, mediante (a) llamadas en vivo o pregrabadas y mensajes de voz artificial, (b) un sistema automático de marcación, (c) SMS/MMS, y (d) correo electrónico, aún si mi número está en un Registro de No Llamar.

Iberlux Insurance Agency LLC es una agencia de seguros licenciada y NO está afiliada con el Gobierno Federal, los Centros de Servicios de Medicare y Medicaid (CMS), HealthCare.gov, ni con ningún programa de Medicare.

El consentimiento NO es condición de compra. Aplican tarifas estándar de mensajes y datos. Puedo revocar respondiendo STOP, diciéndoselo al agente, o escribiendo a stop@iberlux.com. Acepto la Política de Privacidad y los Términos del Servicio.

ENGLISH — Variant B

☐ By checking this box and clicking “Find My Plan”, I provide my prior express written consent for Iberlux Insurance Agency LLC to contact me at the telephone number and email I provided, regarding health insurance plans available through the Affordable Care Act Marketplace and similar private market plans, via (a) live or pre-recorded voice calls and artificial voice messages, (b) an automatic telephone dialing system, (c) SMS/MMS, and (d) email, even if my number is on a Do Not Call Registry.

Iberlux Insurance Agency LLC is a licensed insurance agency and is NOT affiliated with the Federal Government, the Centers for Medicare and Medicaid Services (CMS), HealthCare.gov, or any Medicare program.

Consent is NOT a condition of purchase. Standard message and data rates may apply. I may revoke by replying STOP, telling the agent, or emailing stop@iberlux.com. I agree to the Privacy Policy and Terms of Service.

Variant B — Form-Design Rules

All Variant A rules apply.
The CMS-disaffiliation paragraph must be displayed in bold and at the same font size as the rest of the disclosure (no fine print).
For Medicare-bridge campaigns (ages 60–64) include the additional standalone notice: “This is a marketing communication. We do not offer every plan available in your area. Currently we represent [N] organizations which offer [N] products in your area. Please contact Medicare.gov, 1-800-MEDICARE, or your local State Health Insurance Program (SHIP) to get information on all of your options.” (Per CMS marketing rules, 42 C.F.R. § 422.2267(e)(31).)
Submit button must say “Find My Plan” / “Encontrar Mi Plan” — never “Apply” or “Enroll.”

Variant B — Audit Trail Capture

Same as Variant A, plus: cms_disaffiliation_displayed = true confirmation flag, medicare_bridge_notice_shown (boolean), age band from form (age_band).

Variant B — Storage

Minimum 4 years; CMS retention rule may extend to 10 years for Medicare-related touchpoints. Default to 10 years for any consent in this variant.

4.C. Variant C · Final Expense / Senior (Age 50+)

Use cases: Final expense whole life, burial insurance, senior life, guaranteed-issue products. Vulnerable-population scrutiny per FTC 2023 senior-fraud focus and AARP guidance.

ESPAÑOL — Variant C

☐ Al marcar esta casilla y hacer clic en “Cotizar Gastos Finales”, yo, persona mayor de 18 años (y mayor de 50 años para este producto), confirmo y doy mi consentimiento previo expreso por escrito para que Iberlux Insurance Agency LLC me contacte al número de teléfono y correo electrónico que proporcioné, sobre seguros de gastos finales, seguros de vida y productos relacionados, mediante:

(a) Llamadas en vivo o pregrabadas y mensajes de voz artificial; (b) Un sistema automático de marcación; (c) Mensajes de texto SMS/MMS (aplican tarifas estándar de su operador); y (d) Correo electrónico,

aún si mi número está en un Registro de No Llamar. Comprendo claramente que este consentimiento no es requisito para comprar ningún producto ni servicio, y que puedo revocarlo en cualquier momento sin penalidad respondiendo STOP a un mensaje, diciéndoselo verbalmente al agente, o escribiendo a stop@iberlux.com o llamando al [INSERT TOLL-FREE]. Acepto la Política de Privacidad y los Términos del Servicio.

ENGLISH — Variant C

☐ By checking this box and clicking “Get Final Expense Quote”, I, a person eighteen (18) years of age or older (and fifty (50) years of age or older for this product), confirm and provide my prior express written consent for Iberlux Insurance Agency LLC to contact me at the telephone number and email I provided, regarding final expense, life insurance, and related products, including via:

(a) Live or pre-recorded voice calls and artificial voice messages; (b) An automatic telephone dialing system; (c) SMS/MMS text messages (standard carrier message and data rates may apply); and (d) Email,

even if my number is on a Do Not Call Registry. I clearly understand that this consent is not required to purchase any product or service, and that I may revoke at any time without penalty by replying STOP to a message, telling the agent verbally to stop, or emailing stop@iberlux.com or calling [INSERT TOLL-FREE]. I agree to the Privacy Policy and Terms of Service.

Variant C — Form-Design Rules

All Variant A rules apply.
Font size bumped to ≥ 14 pt desktop / 16 pt mobile (AARP-readability guidance).
“Consent is not required to purchase” must appear in bold and not abbreviated.
Toll-free revocation number must be plainly displayed, not buried.
The submit button must clearly identify the product (“Get Final Expense Quote”) — not “Submit” or “Apply”.
A separate age-attestation checkbox (or self-declared DOB field) is required.

Variant C — Audit Trail Capture

Same as Variant A, plus: age_attestation_displayed = true, dob_self_reported, senior_variant = true. Capture screenshot of rendered form (server-side rasterization) at submission for evidentiary purposes given heightened class-action risk in this segment.

Variant C — Storage

Minimum 4 years; default to 7 years given senior-litigation tail.

4.D. Variant D · Auto Insurance

Use cases: Auto / motor / commercial vehicle quotes. State telemarketing variations particularly active (FTSA, NJ TCFAPA, CA UCL).

ESPAÑOL — Variant D

☐ Al marcar esta casilla y hacer clic en “Cotizar Mi Seguro de Auto”, doy mi consentimiento previo expreso por escrito para que Iberlux Insurance Agency LLC me contacte al número de teléfono y correo electrónico que proporcioné, con respecto a seguros de auto y productos relacionados de seguros vehiculares, mediante (a) llamadas en vivo o pregrabadas, (b) sistemas automáticos de marcación, (c) mensajes de voz artificial, (d) SMS/MMS, y (e) correo electrónico, aún si mi número está en el Registro federal o estatal de No Llamar.

El consentimiento NO es condición de compra. Aplican tarifas estándar de mensajes y datos. Puedo cancelar respondiendo STOP, pidiéndoselo al agente, o escribiendo a stop@iberlux.com. Acepto la Política de Privacidad y los Términos del Servicio.

ENGLISH — Variant D

☐ By checking this box and clicking “Get My Auto Quote”, I provide my prior express written consent for Iberlux Insurance Agency LLC to contact me at the telephone number and email I provided, regarding auto insurance and related vehicle insurance products, including via (a) live or pre-recorded voice calls, (b) automatic telephone dialing systems, (c) artificial voice messages, (d) SMS/MMS, and (e) email, even if my number is on a federal or state Do Not Call Registry.

Consent is NOT a condition of purchase. Standard message and data rates may apply. I may opt out by replying STOP, asking the agent, or emailing stop@iberlux.com. I agree to the Privacy Policy and Terms of Service.

Variant D — Form-Design Rules

All Variant A rules apply.
For Florida form rendering: replace “regarding auto insurance and related vehicle insurance products” with the Florida-FTSA-compliant phrasing reciting that the consumer “knowingly authorizes” and citing FTSA recipient acknowledgment.
For California form rendering: include CCPA “Do Not Sell or Share” link directly under disclosure if the campaign treats data sharing with carriers as a “sale.”

Variant D — Audit Trail Capture

Same as Variant A, plus: vehicle_state (state of registered vehicle), state_specific_variant_rendered (boolean indicating whether Florida/California-specific text was shown).

Variant D — Storage

Minimum 4 years.

4.E. Variant E · FCC 2024 One-to-One Compliant (RECOMMENDED · Default)

Status: DEFAULT for all new campaigns post Jan 27, 2025. Single named seller per consent ceremony. Logically and topically associated with the product on the form.

Use cases: All new launches across all products (TL, Dental, ACA, FE, Auto, IUL, Supplemental). For multi-buyer scenarios, a separate, independently checked secondary consent may be presented for additional named buyers (see secondary block below).

☐ Al marcar esta casilla y hacer clic en “Cotizar Gratis”, doy mi consentimiento expreso por escrito para que Iberlux Insurance Agency LLC me contacte al teléfono y correo electrónico que proporcioné, incluso si están en una lista de No Llamar (Do Not Call), mediante:

(a) Llamadas pregrabadas o usando un sistema automático de marcado; (b) Mensajes de texto SMS/MMS; (c) Correo electrónico; y (d) Llamadas en vivo de un agente Iberlux,

con respecto a [PRODUCTO ESPECÍFICO: seguros de vida · dental · ACA · gastos finales · auto · IUL · suplementario].

Comprendo que este consentimiento NO es condición de compra. Puedo revocar en cualquier momento respondiendo STOP a un SMS, haciendo clic en “cancelar suscripción” en un correo, diciéndoselo verbalmente al agente, o llamando al [INSERT TOLL-FREE]. Aplican tarifas estándar de mensajes y datos.

Más información en nuestra Política de Privacidad y Términos del Servicio.

☐ By checking this box and clicking “Get My Free Quote”, I provide my express written consent for Iberlux Insurance Agency LLC to contact me at the telephone number and email I provided, even if they are on a Do Not Call list, by means of:

(a) Pre-recorded calls or calls using an automatic telephone dialing system; (b) SMS/MMS text messages; (c) Email; and (d) Live calls from an Iberlux agent,

regarding [SPECIFIC PRODUCT: life insurance · dental · ACA · final expense · auto · IUL · supplemental].

I understand that this consent is NOT a condition of purchase. I may revoke at any time by replying STOP to an SMS, clicking “unsubscribe” in any email, telling the agent verbally to stop, or calling [INSERT TOLL-FREE]. Standard message and data rates may apply.

More information in our Privacy Policy and Terms of Service.

☐ (Opcional · No requerido) Adicionalmente, doy mi consentimiento expreso por escrito para que las siguientes aseguradoras y agentes licenciados, identificados específicamente, también me contacten por los mismos medios y respecto al mismo producto:

[Aseguradora 1 · Aseguradora 2 · Aseguradora 3 — listadas individualmente con número de licencia].

Este consentimiento no es requisito para usar nuestros servicios y puedo revocarlo independientemente del consentimiento principal.

☐ (Optional · Not required) Additionally, I provide my express written consent for the following individually identified licensed insurance carriers and agents to also contact me by the same means and regarding the same product:

[Carrier 1 · Carrier 2 · Carrier 3 — listed individually with license number].

This consent is not required to use our services and I may revoke it independently of the primary consent.

Variant E — Form-Design Rules (Strict)

Default-unchecked primary consent checkbox. Pre-checking is per se invalid under § 64.1200(f)(9) and FCC 2024.
The product placeholder must be filled with one specific product at form build time (not at submission). The form code must hard-code the product per landing page; dynamic substitution by query parameter is prohibited.
Secondary consent (if presented) must be a separately checked checkbox, with a separately rendered list of named carriers including license numbers. Bulk “marketing partners” language is prohibited.
Maximum number of named buyers in secondary consent: three (3) per form. For more buyers, build separate landing pages.
Disclosure font ≥ 12 pt desktop / 14 pt mobile. Contrast ≥ 4.5:1.
Disclosure above the submit button, no intervening elements except the checkbox(es).
Submit button text must match the disclosure (“Get My Free Quote” / “Cotizar Gratis”). The product name of the campaign must appear above the submit button (e.g., “Auto Insurance Quote — 60 seconds”).
The submit button must not be enabled until the primary consent checkbox is checked. (Secondary checkbox does not gate submit.)
Mobile-only: disclosure may be presented in two (2) paragraphs rather than one block, but the operative consent text and product identification must remain on the same screen as the submit button.
Hyperlinks to Privacy Policy and Terms must be visible underlined hyperlinks, not hover-only or “more info” expanders.
No A/B testing of consent text without counsel approval. Layout/font A/B testing permitted; copy A/B testing of consent text prohibited.

Variant E — Audit Trail Capture

In addition to all standard fields (§7), capture:

seller_named = “Iberlux Insurance Agency LLC”
product_named = exact product string shown
secondary_consent_offered (bool)
secondary_consent_given (bool)
secondary_buyers_named = JSON array of {name, license_number, license_state} for any secondary buyers shown
topical_association_text_hash (SHA-256 of the entire disclosure string as rendered)

Variant E — Storage

Minimum 4 years post last contact. Default 7 years internally to absorb state-extended limitations.

5. Form-Design Compliance Checklist (Pixel/CSS Specifications)

The following are non-negotiable rendering requirements for any production form.

5.1 Layout

Requirement	Spec
Disclosure container	Block-level, full-width of form, 16 px padding, no horizontal scroll
Disclosure font-size desktop	≥ 12 pt (16 px) for Variants A/B/D/E; ≥ 14 pt (18.66 px) for Variant C
Disclosure font-size mobile (≤ 480 px viewport)	≥ 14 pt (18.66 px) for A/B/D/E; ≥ 16 pt (21.33 px) for C
Line-height	≥ 1.4
Color contrast	≥ 4.5:1 vs background (WCAG AA)
Disclosure font-family	Same family as primary form copy; no decorative or display fonts
Disclosure position	Immediately preceding submit button; no intervening UI
Checkbox size	≥ 24 × 24 px touch target on mobile
Checkbox state	Default unchecked, no `checked` attribute, no script-driven default-check
Submit button text	Matches disclosure verbatim
Submit button enable state	Disabled until primary consent checkbox is checked (Variant E); for A–D button gates on disclosure visibility
Hyperlinks	Underlined, color-distinct, open in new tab with `rel="noopener noreferrer"`

5.2 Anti-patterns (forbidden)

Pre-checked checkboxes (<input type="checkbox" checked>)
Combining TCPA consent with arbitration agreement, age attestation, or any other consent in a single checkbox
Disclosure inside a collapsible “Show More” or accordion
Disclosure font color matching background (white-on-white, light-gray-on-white below 4.5:1)
Submit button labeled “Submit” / “OK” / “Continue” — must describe the action
Hidden / off-screen disclosure (visibility:hidden, display:none, opacity:0, position:absolute;left:-9999px)
Modal-only disclosure (consumer cannot consent inside a modal that auto-closes)
Conditional rendering of disclosure based on locale that omits required text
Dynamic content replacement of seller name or product after disclosure shown

5.3 Required scripts loaded at form mount

<!-- Jornaya LeadID -->
<script type="text/javascript">
  (function() {
    var s = document.createElement('script'); s.id = 'LeadiDscript_campaign';
    s.type = 'text/javascript'; s.async = true;
    s.src = '//create.lidstatic.com/campaign/[CAMPAIGN_UUID].js?snippet_version=2';
    var LeadiDscript = document.getElementById('LeadiDscript');
    LeadiDscript.parentNode.insertBefore(s, LeadiDscript);
  })();
</script>
<input id="leadid_token" name="universal_leadid" type="hidden" value="" />

<!-- TrustedForm -->
<script type="text/javascript">
  (function() {
    var tf = document.createElement('script'); tf.type = 'text/javascript'; tf.async = true;
    tf.src = ('https:' === document.location.protocol ? 'https' : 'http') +
      '://api.trustedform.com/trustedform.js?field=xxTrustedFormCertUrl&l=' +
      new Date().getTime() + Math.random();
    var s = document.getElementsByTagName('script')[0];
    s.parentNode.insertBefore(tf, s);
  })();
</script>
<input type="hidden" name="xxTrustedFormCertUrl" />

5.4 Server-side validation at submit

Reject any submission missing either Jornaya LeadID or TrustedForm certificate URL. Log rejection. Do not create a lead record or downstream call/SMS event.

6. Outbound Communications Compliance

This section governs every outbound communication initiated by Iberlux or its authorized vendors.

6.1 Phone Calls (Live + ATDS-Adjacent)

Pre-Call Cleansing — Mandatory Sequence

Before any number is dialed, the dialer or orchestration layer must confirm all of the following:

Federal DNC scrub against the National Do Not Call Registry — refreshed daily via DNC.com or equivalent. Number must not appear, OR Iberlux must hold valid PEWC for the number (DNC override per 47 C.F.R. § 64.1200(c)(2)(ii)).
State DNC scrub for the consumer’s state of record (where state maintains separate registry: e.g., FL, IN, LA, MA, MO, NJ, OK, PA, TN, TX, WY).
BlackList Alliance / DNC.com TCPA Litigator Database scrub — refreshed weekly. Numbers flagged as known TCPA litigators are hard-blocked.
Internal suppression scrub (tcpa_revocations table). Hard-block on match.
PEWC presence verification — tcpa_consents row exists for this phone number, not revoked, age within 12 months for “established business relationship” purposes (informational; PEWC for marketing is not time-bounded but stale consent should trigger re-consent prompt at 18 months).
Quiet-hours check — current time at recipient’s local time zone is within 8 a.m.–9 p.m. (federal) and within stricter state window where applicable (see §10).
STIR/SHAKEN signing — call originated through Twilio/Numeracle stack with Attestation A. Sub-A is hard-blocked.

If any check fails, the call is not placed. Failures are logged with reason code in dialer_blocks table.

Call Hours

Jurisdiction	Window (recipient local time)
Federal (TCPA)	8 a.m. – 9 p.m.
Florida (FTSA)	8 a.m. – 8 p.m.
New York (GBL § 399-pp)	8 a.m. – 9 p.m. (no Sundays for some categories)
Texas (BCC § 305)	9 a.m. – 9 p.m. weekdays; 12 p.m. – 9 p.m. Sunday
Massachusetts	8 a.m. – 8 p.m.; no Sundays/holidays
Most others	8 a.m. – 9 p.m. (federal)

The dialer enforces the most restrictive applicable window.

Identification Requirements (47 C.F.R. § 64.1200(b))

Within the first five (5) seconds of any pre-recorded message, and at the start of any live call, the agent or recording must state:

The legal name of the seller: “Iberlux Insurance Agency LLC”
For live agents: agent’s first name and license number where state-required (e.g., CA, FL, TX)
The purpose: marketing of [insurance product]
A telephone number (not 900-number, not unanswered) that the consumer may call to request not to be called again

Sample live-agent opener (English):

“Hi, this is [Agent First Name], a licensed insurance agent calling from Iberlux Insurance Agency. My California license number is [#####]. I’m following up on the [auto insurance / final expense / ACA] quote you requested at iberluxseguros.com. Is now a good time?”

Sample live-agent opener (Spanish):

“Hola, soy [Nombre del agente], agente de seguros licenciado, llamando de parte de Iberlux Insurance Agency. Mi número de licencia en California es [#####]. Le estoy contactando sobre la cotización de [seguro de auto / gastos finales / ACA] que solicitó en iberluxseguros.com. ¿Es buen momento?”

Recording Disclosure

All outbound calls are recorded. Disclosure is governed by _docs/legal/recording-disclosure.md. Two-party-consent states (CA, CT, FL, IL, MD, MA, MT, NH, NV, OR, PA, WA — and case-by-case DE, HI) require explicit consent at call open. The recording disclosure script is recited within the first 10 seconds of every call by both human agents and Vapi.ai voice agents.

Revocation Handling on Calls

Any of the following expressions, in English or Spanish, must be treated as revocation:

English triggers: “stop calling,” “stop,” “remove me,” “do not call,” “take me off your list,” “I’m not interested,” “lose my number,” “don’t call again,” “opt me out.”

Spanish triggers: “no me llames,” “no me llamen,” “alto,” “para,” “déjenme en paz,” “remuéveme,” “quítenme de la lista,” “no llamen más,” “no estoy interesado/a.”

On detection (whether by human agent or by AI agent), the system MUST:

Acknowledge revocation verbally: “Entendido, lo agrego a nuestra lista interna y no recibirá más llamadas. ¿Hay algo más en lo que pueda ayudarle?” / “Understood, I’ll add you to our internal Do Not Call list and you won’t receive more calls. Anything else I can help with?”
End the call within 30 seconds.
Write to tcpa_revocations (channel = “voice”, source = “live_agent” / “vapi_ai”, verbatim trigger captured).
Propagate suppression to all channels and all Lead Buyers within 24 hours (internal SLA; 10 business days statutory).

6.2 SMS / MMS

Sender ID

Iberlux uses Twilio short-codes / 10DLC long codes registered to the Iberlux brand with The Campaign Registry (“TCR”). Brand Identity Score must be ≥ 50.
All campaigns registered as “Marketing” use case, not “Mixed” or “Low Volume Mixed” unless the campaign genuinely meets the criteria.

First-Message Requirements

The first SMS to a new consumer must include:

“Iberlux Seguros: Hola [First Name], gracias por solicitar tu cotización de [PRODUCT]. Responde STOP para cancelar, AYUDA para ayuda. Aplican tarifas estándar de mensajes/datos.”

“Iberlux Insurance: Hi [First Name], thanks for requesting your [PRODUCT] quote. Reply STOP to cancel, HELP for help. Msg & data rates may apply.”

STOP / HELP

STOP, CANCEL, END, QUIT, UNSUBSCRIBE, REVOKE, OPT OUT, NO MAS, ALTO, PARAR → immediate suppression; one confirmation message permitted (CTIA SP-110); no further marketing.
HELP, AYUDA, INFO → automated reply with brand name, customer service number, and link to Privacy Policy + Terms.

Frequency Caps

Maximum 4 marketing SMS per consumer per rolling 7-day window.
Maximum 1 marketing SMS per consumer per 24-hour window.
Transactional SMS (appointment confirmation, etc.) excluded from cap.

Quiet Hours (CTIA + Carrier Rules)

CTIA: 8 a.m. – 9 p.m. recipient local time.
T-Mobile / AT&T 10DLC carrier rules: 8 a.m. – 9 p.m. recipient local time, no Sunday before 12 p.m. for some carriers.
Iberlux enforces the most restrictive SMS window. State analogues (FTSA: 8 a.m. – 8 p.m.) override where applicable.

Every fifth marketing message in a thread (or at minimum monthly) must include the “Reply STOP to cancel” reminder.

6.3 Pre-Recorded Voicemail / Vapi.ai / AI Voice Calls

Identification Within 5 Seconds

Per 47 C.F.R. § 64.1200(b)(1), the message must, within five (5) seconds of commencement, state:

Identity of the seller: “Iberlux Insurance Agency LLC”
Purpose: marketing of [product]

Sample opening (Spanish, Vapi.ai):

“Hola, soy una asistente automatizada de Iberlux Insurance Agency. Le llamamos por la cotización de [producto] que solicitó. Para hablar con un agente humano diga ‘agente’; para no recibir más llamadas diga ‘no me llames’ o presione 9.”

Sample opening (English, Vapi.ai):

“Hi, I’m an automated assistant from Iberlux Insurance Agency. We’re calling about the [product] quote you requested. To speak with a live agent, say ‘agent’; to stop receiving calls, say ‘do not call’ or press 9.”

Interactive Opt-Out Mechanism (47 C.F.R. § 64.1200(b)(3))

All pre-recorded marketing messages must include an automated, interactive opt-out mechanism:

For voicemail-drops: a callback number that adds the caller to the Do Not Call list automatically.
For live-answered pre-recorded: press 9 (or say “no me llames” / “do not call”) to opt out. Iberlux uses press 9 as universal opt-out and supports verbal triggers too.

”Are You a Robot?” — Hard AI Disclosure

If the consumer asks at any time “are you a robot,” “are you AI,” “is this a real person,” “are you human,” “eres un robot,” “eres una computadora,” “esto es real,” the AI agent MUST truthfully respond within the same conversational turn, e.g.:

“Yes, I’m an automated AI assistant from Iberlux Insurance Agency. Would you like me to transfer you to a human agent?”

“Sí, soy una asistente automatizada de inteligencia artificial de Iberlux Insurance Agency. ¿Le gustaría que le transfiera a un agente humano?”

This is required by California SB 1001 (Cal. Bus. & Prof. Code § 17941) for marketing-context bot disclosure, by Colorado AI Act SB 24-205 (eff. Feb. 1, 2026, with subsequent amendments — see §13 status), and as a matter of FTC Act § 5 unfair-and-deceptive-practices best practice nationally.

State-Specific Robocall Bans

Some states prohibit pre-recorded marketing calls absolutely or with very narrow exceptions. Iberlux maintains a state-by-state robocall matrix (see §10). Where pre-recorded marketing is prohibited (e.g., Indiana for unsolicited prerecorded messages absent narrow exception under Ind. Code § 24-4.7-4-1), Iberlux does not place pre-recorded calls to numbers in that state regardless of PEWC.

7.1 `tcpa_consents` Table Schema (Supabase)

Field	Type	Description
`consent_id`	UUID PK
`lead_id`	UUID FK	leads.lead_id
`disclosure_version`	text	e.g., `v4.0_variantE_es`
`disclosure_text_hash`	text	SHA-256 of full rendered disclosure
`seller_named`	text	”Iberlux Insurance Agency LLC”
`product_named`	text	exact product string
`secondary_consent_offered`	boolean
`secondary_consent_given`	boolean
`secondary_buyers_named`	jsonb	array of {name, license_number, license_state}
`form_url`	text	full URL of form
`form_version`	text	git-sha-pinned form code version
`language`	text	`es` / `en`
`consent_method`	text	`checkbox` / `button_click` / `checkbox_and_button`
`submit_button_text`	text	exact button text
`consent_timestamp_utc`	timestamptz
`consent_timestamp_local`	timestamptz	with offset
`ip_address`	inet	submitting IP
`ip_geolocation_state`	text	inferred state from IP
`user_agent`	text	full UA string
`device_type`	text	mobile / desktop / tablet
`viewport_width_px`	int
`jornaya_leadid`	text	token
`trustedform_cert_url`	text	URL
`referrer_url`	text
`utm_source`, `utm_medium`, `utm_campaign`, `utm_term`, `utm_content`	text
`click_id`	text	fbclid / gclid / ttclid
`partner_list_shown_url`	text	snapshot URL
`partner_list_hash`	text	SHA-256
`cms_disaffiliation_displayed`	boolean	Variant B only
`age_attestation_displayed`	boolean	Variant C only
`dob_self_reported`	date	Variant C only
`state_specific_variant_rendered`	boolean	Variant D only
`screenshot_url`	text	optional rendered screenshot
`created_at`	timestamptz

7.2 `tcpa_revocations` Table Schema

Field	Type	Description
`revocation_id`	UUID PK
`lead_id`	UUID FK
`consent_id`	UUID FK	original consent revoked
`revocation_channel`	text	`sms` / `voice` / `email` / `web_form` / `phone_call` / `mail`
`revocation_method`	text	`keyword` / `verbal` / `unsubscribe_click` / `agent_initiated`
`revocation_text_verbatim`	text	exact words used
`revocation_timestamp_utc`	timestamptz
`acknowledged_at`	timestamptz	when system acknowledged
`propagated_to_buyers_at`	timestamptz	when broadcast to lead buyers
`buyer_notification_log`	jsonb	per-buyer notification status
`created_at`	timestamptz

7.3 Litigation Retrieval Procedure

In the event of a TCPA demand letter or class-action complaint:

Within 24 hours, counsel pulls the consent_id for the named plaintiff(s) by phone hash and produces:
- The full tcpa_consents row (JSON)
- The Jornaya LeadID replay link
- The TrustedForm certificate URL with frame replay
- SHA-256-verified disclosure text
- Form version git commit hash and rendered HTML snapshot
- tcpa_revocations history (or affirmative null)
Counsel asserts the affirmative defense of PEWC supported by independent third-party verification.
If revocation exists post-call, identifies which call(s) followed which revocation and confirms 24-hour SLA met.

8. Suppression List Handling

8.1 Sources of Suppression

Source	Refresh cadence	Block scope
Federal DNC Registry	Daily (≤ 24 h)	Voice + pre-recorded; SMS as a matter of best practice
State DNC registries (FL, IN, LA, MA, MO, NJ, OK, PA, TN, TX, WY)	Daily	Voice + pre-recorded
BlackList Alliance / DNC.com TCPA litigator database	Weekly	All channels — hard block
Internal `tcpa_revocations` table	Real-time	All channels
Lead-buyer-reported revocations	Real-time webhook	All channels
CTIA / carrier opt-outs	Real-time (Twilio webhook)	SMS

8.2 Sync Schedule

Federal DNC: daily at 03:00 UTC, idempotent merge.
State DNC: daily at 03:30 UTC.
BlackList Alliance: weekly (Monday 04:00 UTC) full refresh; daily delta poll.
Internal revocations: real-time (event-sourced via Supabase realtime).
Buyer-side revocations: real-time webhook with retry queue.

8.3 Removal SLA

Trigger	Internal SLA	Statutory ceiling
New SMS STOP	< 5 minutes	(immediate per CTIA)
New voice “no me llames”	< 24 hours	10 business days (FCC 24-24)
Email unsubscribe click	< 24 hours	10 business days (CAN-SPAM)
Mailed written revocation	< 7 days from receipt	10 business days
Buyer-reported revocation	< 24 hours	10 business days

A 24-hour internal SLA on opt-out honoring is operationally enforced. Best-practice target: immediate for SMS, < 1 hour for voice.

8.4 Rehydration Prohibited

Once a number is on the suppression list, it is not removed except by:

A new, fresh consent ceremony on a new form submission (Variant E preferred), generating a new consent_id. The historical revocation is retained for evidentiary purposes; the consumer is treated as having affirmatively re-consented.
Court order or other legal directive.

“List rental,” “list hygiene re-permission emails,” or any practice of attempting to recapture consent from previously-revoked consumers without their fresh affirmative form submission is strictly prohibited.

9. Lead Buyer Disclosure (FCC 2024 Compliance)

9.1 Permitted Sellers Roster

Iberlux maintains the Permitted Sellers Roster at iberluxseguros.com/partners and in the internal lead_buyers table. Every entry includes:

Legal name
State of formation
NPN / state license numbers (per state of operation)
Contact for revocation propagation
Effective date of buyer agreement
Permitted product categories
Compliance attestations (TCPA program, training, audit cadence)

The roster is public and is versioned (snapshot URL captured on each form submission per §7.1).

9.2 Named-Buyer Requirement (Variant E)

Per FCC 2024 One-to-One Rule, where Iberlux desires to enable buyer contact under a single consent ceremony, the buyer must be named individually in the consent text adjacent to a separately checked checkbox. Maximum 3 named buyers per form (operational limit).

When a consumer consents to a named buyer (secondary consent in Variant E), Iberlux captures a per-buyer consent record in tcpa_consents_buyer_link linking:

consent_id (parent)
buyer_id (FK to lead_buyers)
buyer_named_in_disclosure_at_time (boolean, audit copy)
buyer_license_displayed_at_time (text)

9.4 Buyer Compliance Attestation

Every Lead Buyer agreement (_docs/legal/affiliate-agreement.md) requires the buyer to:

Maintain its own TCPA compliance program.
Honor revocations propagated by Iberlux within 24 hours.
Send revocations captured by buyer back to Iberlux within 24 hours.
Indemnify Iberlux for buyer-caused TCPA claims (subject to insurance).
Carry TCPA-specific E&O coverage with minimum $5M limits.

10. State-by-State Additional Requirements

The following matrix supplements (does not replace) federal TCPA compliance. Iberlux operates in eleven (11) states primarily: TX, FL, CA, NY, AZ, IL, NJ, CO, NM, NV, UT — plus operates suppression / scrub for all 50.

10.1 California

Cal. Civ. Code § 1798.100 et seq. (CCPA/CPRA): see Privacy Policy §5.
Cal. Bus. & Prof. Code § 17529.5 (Cal-CAN-SPAM): falsified header / misleading subject line per-message statutory damages up to $1,000 per email + injunctive relief.
Cal. Bus. & Prof. Code § 17941 (SB 1001): bot disclosure for marketing — see §13.
California two-party consent recording: Cal. Penal Code § 632 (see recording-disclosure.md).
CTPS (CA Telephonic Solicitation): California honors federal DNC; no separate state list.
Quiet hours: federal 8 a.m.–9 p.m.

10.2 Florida

FTSA (Fla. Stat. § 501.059): Updated 2023 amendments narrowed but did not eliminate private right of action. Requires PEWC for any “telephonic sales call” using “automated system for the selection or dialing of telephone numbers or the playing of a recorded message.” Damages $500 statutory + $1,500 willful per violation, plus attorneys’ fees.
Florida-specific consent text: Best practice to recite “I knowingly and voluntarily authorize” language. See Variant D state-specific rendering.
Quiet hours: 8 a.m. – 8 p.m. (stricter than federal).
Florida DNC list: maintained separately by Department of Agriculture and Consumer Services. Daily scrub required.
Reporting: Iberlux registers as a “telephone solicitor” with the Florida DACS (annual fee, surety bond) where call volume meets threshold.

10.3 New York

GBL § 399-pp (Telemarketing and Consumer Fraud and Abuse Prevention Act): Requires identification, opt-out mechanism, prohibition on calls to NY residents on the federal DNC.
GBL § 399-z (Caller ID truncation prohibitions): caller ID must not be falsified.
Quiet hours: 8 a.m. – 9 p.m.; no calls on Sundays for non-charitable solicitations (verify per category).
Two-party consent: NY is a one-party state for recording, but business-best-practice two-party.

10.4 Texas

Tex. Bus. & Comm. Code § 305.001 et seq.: registration as telephone solicitor required (TXSecOfState).
Quiet hours: 9 a.m. – 9 p.m. weekdays; 12 p.m. – 9 p.m. Sundays; 9 a.m. – 9 p.m. Saturdays (more restrictive than federal mornings).
Texas state DNC list: “Texas No Call” — daily scrub required.
Insurance Agent License (Texas Department of Insurance): must be cited on calls.

10.5 Washington (CEMA / WSCPA)

CEMA (RCW 19.190): Commercial Electronic Mail Act. Per-message $500 statutory damages for false/misleading commercial email to WA residents.
WSCPA (RCW 19.158): Washington State Commercial Phone Act. Solicitor registration required.
2022 amendment: “spoofed” caller-ID liability, $1,000 per call statutory damages.
Quiet hours: 8 a.m. – 8 p.m. recipient local.

10.6 Other Iberlux-operating states

State	Quiet Hours	State DNC	Notable analogues
Arizona	8 a.m. – 9 p.m.	No (federal honored)	A.R.S. § 44-1278 (telephone solicitation); fictitious caller ID prohibited
Illinois	8 a.m. – 9 p.m.	No	815 ILCS 413/ Restricted Call Registry Act; BIPA risk for voice biometrics — see §13
New Jersey	8 a.m. – 9 p.m.; no Sundays	Yes (NJ DNC)	NJ Telemarketing Reform Act + TCFAPA (N.J.S.A. 56:8-119); broad no-Sunday rule
Colorado	8 a.m. – 9 p.m.	No	CO No-Call List + CPA + Colorado AI Act SB 24-205 (eff. Feb. 1, 2026, amended)
New Mexico	8 a.m. – 9 p.m.	No (federal)	NMSA 57-12 series (UPA)
Nevada	8 a.m. – 8 p.m.	Yes	NRS 228.500 et seq.; PUC registration
Utah	8 a.m. – 9 p.m.	No (federal)	UCA 13-25a (Telephone and Facsimile Solicitation Act)
Indiana	8 a.m. – 9 p.m.	Yes	Ind. Code § 24-4.7 — near-absolute ban on prerecorded marketing calls absent narrow exceptions; Iberlux disables prerecorded calls to IN numbers
Massachusetts	8 a.m. – 8 p.m.; no Sundays/holidays	Yes	M.G.L. c. 159C; two-party recording
Oklahoma	8 a.m. – 8 p.m.	Yes	Okla. Stat. tit. 15 § 775C.1 (TCPA-analog with private right of action and $500–$1,500 per call)
Pennsylvania	8 a.m. – 9 p.m.	Yes	73 P.S. § 2245 (PA Telemarketer Reg. Act); two-party recording
Connecticut	9 a.m. – 9 p.m.	Yes	Conn. Gen. Stat. § 42-288a; two-party recording
Mississippi	8 a.m. – 8 p.m.	Yes	Miss. Code § 77-3-451
Louisiana	8 a.m. – 9 p.m.	Yes	La. R.S. 45:844.11

The dialer’s quiet-hours module enforces the most restrictive applicable window per call.

11. Penalties Summary

11.1 Federal TCPA

Negligent violation: $500 per call/text.
Willful or knowing violation: up to $1,500 per call/text (3x).
Treble damages routinely sought in class actions.
Class-action exposure: typical settlements $5M–$75M; per-class-member recovery $50–$500.

11.2 State penalties (selected)

State	Per-violation	Class action
Florida (FTSA)	$500 / $1,500 willful	Yes, with attorneys’ fees
Washington (CEMA)	$500 per email/text	Yes
Oklahoma (TCPA-analog)	$500–$1,500	Yes
California (UCL § 17200)	restitution + injunction	Yes
New Jersey (TCFAPA)	$100–$500	Yes

11.3 FCC enforcement

Forfeiture orders against carriers and lead generators routinely run $5M–$300M for systemic violations (e.g., the Avid Telecom enforcement, Voice Networks USA, etc.).

11.4 State Attorney General enforcement

Each state AG retains independent enforcement under unfair-and-deceptive-practices statutes. Recent activity: California AG (Robocall Mitigation), Texas AG (FTSA-style claims under DTPA), New York AG (GBL § 399-pp).

12. Compliance Defense Strategy

Iberlux’s defensive posture in any TCPA claim rests on the following pillars, documented in real time:

12.1 Documented good-faith compliance

Quarterly counsel-reviewed compliance audits.
Annual TCPA training certifications for all sales agents.
Vendor compliance attestations for Twilio, Numeracle, Vapi.ai, ElevenLabs.
Written policies for every step of the lead lifecycle (_docs/legal/).

Every form submission preserved with Jornaya LeadID + TrustedForm cert.
Every call recorded (subject to recording-disclosure compliance) and stored 4+ years.
Every SMS thread persisted in Twilio with Iberlux-side encrypted backup.
Revocations time-stamped, channel-tagged, verbatim-captured.

12.3 Independent third-party verification

Jornaya LeadID is admissible in TCPA litigation as third-party witness to consent.
TrustedForm certificate is similarly admissible (frame-by-frame replay).
Iberlux preserves cert URLs indefinitely (not just 4 years) by writing to Cloudflare R2 with object-lock at submission.

12.4 Insurance E&O coverage

Iberlux maintains:

Insurance agency E&O with TCPA endorsement (limit ≥ $5M per occurrence / $10M aggregate).
Cyber / privacy liability with regulatory defense coverage (limit ≥ $3M).
Lead-buyer-side TCPA E&O attestation as condition of buyer agreement (see §9.4).

12.5 Litigator pre-screening

BlackList Alliance and DNC.com weekly scrub against known TCPA serial-litigator lists is a mandatory prophylactic that has demonstrably reduced exposure for industry peers. Counsel reviews scrub coverage annually.

12.6 Forum-selection and arbitration

Where enforceable, Iberlux Terms of Service (_docs/legal/terms-of-service.md) include:

Mandatory pre-suit notice and 30-day cure period.
AAA / JAMS individual arbitration with class waiver.
Federal forum selection (E.D. Pa. or D. Del., subject to counsel choice) for non-arbitrable matters.

These provisions have been validated for insurance-context enforceability under AT&T Mobility v. Concepcion, 563 U.S. 333 (2011) and progeny; counsel reviews annually given evolving California and NJ scrutiny.

13. Vapi.ai / AI Voice Specific Disclosures

13.1 “Soft” Disclosure (form-side)

The consent disclosure (Variants A–E) discloses that calls may be made by “automatic telephone dialing system” and “artificial or pre-recorded voice.” This soft disclosure is sufficient under federal TCPA. Iberlux additionally adds, where the campaign is AI-driven, the following plain-language note below the consent block (in non-bold but adjacent text):

ESPAÑOL

“Algunas de nuestras llamadas iniciales pueden ser realizadas por un asistente automatizado de inteligencia artificial. Si en cualquier momento desea hablar con un agente humano, simplemente diga ‘agente’.”

ENGLISH

“Some of our initial calls may be placed by an automated artificial-intelligence assistant. At any time, you may say ‘agent’ to be transferred to a live human representative.”

13.2 “Hard” Disclosure (in-call)

Within 5 seconds of call commencement: “Hi, I’m an automated assistant from Iberlux Insurance Agency…” / “Hola, soy una asistente automatizada de Iberlux…” (see §6.3).

If consumer asks “are you a robot,” “are you human,” “is this AI,” etc. (English or Spanish), AI MUST truthfully respond and offer transfer to human. No deception permitted.

13.3 State-specific AI disclosure laws

California — SB 1001 (Cal. Bus. & Prof. Code § 17941)

Online bots used to incentivize a sale of goods/services or to influence a vote in an election must disclose their bot status. While the statute targets “online” bots (web/chat), California Attorney General guidance and recent enforcement activity expand the practical reach to AI voice. Iberlux applies SB 1001 to all AI voice calls regardless of medium as a conservative posture.

Colorado — AI Act (SB 24-205)

Effective February 1, 2026 (subject to amendments by the time of this document). Imposes risk-management and consumer-disclosure requirements on “high-risk artificial intelligence systems” used to make “consequential decisions.” Insurance underwriting and pricing decisions are within scope. Iberlux’s Vapi.ai voice agents do not make underwriting decisions; they qualify and route. Counsel review is required to confirm the scope as of deployment date.

Illinois — BIPA (740 ILCS 14)

Illinois Biometric Information Privacy Act regulates collection of “biometric identifiers” including voiceprints. If Vapi.ai’s pipeline derives or stores voice biometrics for IL residents, BIPA requires written notice + written consent + retention schedule + private right of action. Iberlux does not collect or derive voice biometrics; calls are recorded as audio waveforms for compliance, not as biometric identifiers. Vendor attestations (Vapi.ai, ElevenLabs) confirm no voiceprint extraction. This posture must be confirmed in writing per vendor and re-attested annually.

Texas — CUBI (Tex. Bus. & Com. Code § 503.001)

Capture or Use of Biometric Identifiers. Similar to BIPA but no private right of action. Same posture as IL applies: no voiceprint extraction.

Other states

Tennessee ELVIS Act (2024), Utah Consumer AI Act (2024), New York automated-employment-decision-tool laws — generally not in scope for Iberlux’s lead-gen / qualification use case but counsel reviews annually.

13.4 Vapi.ai-Specific Operational Requirements

Identification within 5 seconds. The Vapi.ai system prompt enforces “Hi, I’m an automated assistant from Iberlux…” as the first turn.
Robust opt-out. Triggers: “no me llames” / “do not call” / “press 9” / “stop” / “remove me” — all wired to immediate disconnection and revocation logging.
Honesty about AI status. No instruction in any system prompt that would cause the agent to deny being AI. Vapi.ai system prompt repository version-controlled in _apps/vapi/system-prompts/ with counsel-signed-off versions.
No simulated emotions to mislead. AI may be warm and conversational but must not claim to “feel,” “remember you personally,” or otherwise impersonate human consciousness in a way that could constitute deceptive practice under FTC Act § 5.
No medical or insurance advice. AI is qualified to set appointments and confirm interest; substantive insurance recommendations require licensed human agent.

14. Audit Cadence

Cadence	Activity	Owner
Daily	DNC scrub refresh; suppression list propagation health check	Compliance Eng
Daily	Consent-form submission integrity check (Jornaya + TrustedForm presence)	Compliance Eng
Weekly	BlackList Alliance / DNC.com litigator scrub refresh	Compliance Eng
Weekly	Spot-check 25 random consent records for completeness	Compliance Lead
Monthly	Disclosure version verification on production forms	Compliance Lead + Counsel
Monthly	Quiet-hours violation report (target: zero)	Compliance Eng
Monthly	Revocation SLA report (target: 100% < 24h)	Compliance Eng
Quarterly	Full counsel review of Variants and form rendering	Outside Counsel
Quarterly	Vendor attestations refresh (Twilio, Numeracle, Jornaya, TF, Vapi.ai)	Compliance Lead
Quarterly	Lead Buyer compliance attestation refresh	Buyer Operations
Quarterly	State-by-state regulatory delta review	Outside Counsel
Annually	Full TCPA compliance program audit by external counsel + tabletop exercise	Outside Counsel
Annually	E&O renewal with TCPA endorsement verification	CFO + Counsel
Annually	Mock TCPA-discovery exercise (simulate plaintiff demand → produce evidence in 24h)	Counsel + Eng

15. Versioning Protocol

Any text change to any Variant → bump minor version (e.g., v4.0 → v4.1) plus new disclosure_version string per language and variant.
Old versions retained indefinitely in tcpa_consents_archive.
Change rationale captured in _docs/legal/tcpa-disclosure-changelog.md.
New version is not activated in production until counsel sign-off is logged in _docs/legal/counsel-approvals/[date]-tcpa-vX.Y.signoff.md.
A/B testing of consent text prohibited absent counsel approval. Layout/typography A/B testing permitted within compliance bounds.

16. Internal Compliance Checklist

End of Document · v4.0 · 2026-04-30