amr/hermes-brain
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
0a8e77e9492bbe281d7f11ee39690dfa2d41bb02
hermes-brain/projects/passepartout/strategy/outbound-sales-compliance.org
Hermes 0a8e77e949 Reorganize brain: projects/ top level, rename filenames, update homepage 
- Moved everything from ideas/passepartout/ to projects/passepartout/
- Moved legal structures to projects/flags/
- Created missing _index.org files for all subdirectories
- Stripped redundant passepartout- prefix from filenames
- Rewrote root _index.org as generalized brain index (projects + concepts)
- Updated Hugo nav to Projects/Concepts
- Updated build script section descriptions
- Deleted stale ideas/passepartout-economics.md orphan
2026-05-24 18:54:14 +00:00

9.3 KiB
Raw Blame History

Outbound Sales — Legal Framework & Compliance Architecture

The outbound sales pipeline touches leads across multiple jurisdictions. This page maps the applicable laws, the compliance requirements at each stage of the pipeline, and how Passepartout's gate stack can enforce them mechanically.

This plan defers to Passepartout maturity — it scopes what needs to be built and what can be done now without automation.

Applicable Laws by Jurisdiction

US — CAN-SPAM Act (2003)

Applies to: Any commercial email sent to or from US addresses.

Requirements:

  1. No false or misleading header information (From, To, routing)
  2. No deceptive subject lines
  3. Identify the message as an advertisement (unless prior consent)
  4. Valid physical postal address of the sender
  5. Working opt-out mechanism — must honor within 10 business days
  6. No email address harvesting via automated means (criminal offense if combined with sending)

Penalties: $46,517 per violation. Criminal penalties for harvesting + sending.

Passepartout gate stack:

  • Gate: subject-line-truth — LLM generates subject, gate verifies it matches content
  • Gate: sender-identity — From header must match the sending domain's SPF/DKIM
  • Gate: physical-address — every outbound message must include the registered address
  • Gate: unsubscribe-link — every message must carry a working opt-out
  • Gate: no-harvesting — if contact was sourced via automated scraping, flag for review

EU/EEA — GDPR (2018)

Applies to: Processing personal data of data subjects in the EU, regardless of where the controller is established. GDPR has extraterritorial reach (Article 3).

Relevant requirements:

  1. Lawful basis required for processing. Cold email to a corporate address may use "legitimate interest" (Article 6(1)(f)) or "consent" (Article 6(1)(a)). For B2B cold email to professional addresses, legitimate interest is the standard basis — but must balance against the recipient's rights.
  2. Right to object to direct marketing (Article 21). Absolute right. No balancing test. If a recipient objects, processing for marketing must stop immediately.
  3. Data minimization. Only collect and process the minimum data needed. If you have an email address and company name, do not also scrape their browsing history.
  4. Right to erasure (Article 17). If a lead requests deletion, must comply.
  5. Notice requirement (Articles 13-14). Must inform the data subject about who you are, what data you process, the lawful basis, and their rights. This must be in the first communication.
  6. Cross-border transfer (Articles 44-49). If you process EU data from Egypt, you need an appropriate safeguard (Standard Contractual Clauses) or an adequacy decision. Egypt does not have an EU adequacy decision.

Penalties: Up to 20 million EUR or 4% of global annual turnover, whichever is higher.

Passepartout gate stack:

  • Gate: lawful-basis — annotate every lead with the basis (legitimate interest / consent)
  • Gate: right-to-object — every message must include "You can object to further processing at any time" language
  • Gate: privacy-notice — every message must link to a privacy policy meeting Articles 13-14
  • Gate: cross-border — if sending from Egypt to EU, require SCC documentation
  • Gate: erasure-compliance — maintain an erasure queue with 30-day SLA
  • Gate: data-minimization — reject leads with unnecessary enrichment data

UK — UK GDPR + PECR

Applies to: Data subjects in the UK.

Privacy and Electronic Communications Regulations (PECR) adds specific rules for electronic marketing:

  • B2B emails to corporate subscribers: can rely on legitimate interest. Must identify sender, provide valid contact, and offer opt-out.
  • B2C emails: require prior consent unless the "soft opt-in" applies (existing customer, same product).
  • The ICO takes a stricter view of legitimate interest for cold email than some EU regulators.

Penalties: Up to 17.5 million GBP or 4% of turnover.

Egypt — PDPL (Law No. 151 of 2020)

Applies to: Processing of personal data within Egypt, or processing by entities established in Egypt. The law entered into force in 2020 but implementing regulations were still being finalized.

Key provisions (broadly modeled on GDPR):

  1. Consent required unless another lawful basis applies. The law recognizes legitimate interest but Egyptian regulators have not provided detailed guidance on its scope for direct marketing.
  2. Data subject rights: Access, correction, deletion, objection to processing.
  3. Cross-border transfer: Restricted. Personal data may only be transferred to countries with adequate protection (not yet defined) or with specific safeguards.
  4. Registration requirement: Data controllers must register with the Data Protection Center (DPC).
  5. Penalties: Criminal penalties (imprisonment) for certain violations, plus fines.

Practical note: The PDPL's implementing regulations are still maturing. Enforcement has been uneven. For Egyptian-organized communities (HOAs, clubs), the primary risk is not enforcement but upsetting the lead. The legal risk is lower than GDPR for domestic leads.

Canada — CASL (2014)

Applies to: Commercial electronic messages (CEMs) sent to or from Canada.

Requirements:

  1. Consent. Express consent required unless an exception applies (existing business relationship, published business contact info with no "do not subscribe" flag).
  2. Identification. Sender identity, contact info, and unsubscribe mechanism must be in every message.
  3. Unsubscribe. Must be processed within 10 business days, valid for 60 months.
  4. Strict liability. No proof of harm required for enforcement.

Penalties: Up to 10 million CAD per violation for organizations — the strictest spam law globally.

Pipeline Compliance Map

Stage Data collected Lawful basis Risk Gate required
Lead sourcing (scraping) Name, email, organization Legitimate interest (public directories) High: harvesting laws, ToS violations no-harvesting — flag automated collection. tos-review — check target website's ToS
Lead enrichment Title, social links, context Legitimate interest Medium: data minimization data-minimization — reject enrichment that isn't needed for personalization
Draft Personalized message Legitimate interest Low subject-line-truth — subject matches content. sender-identity — correct headers
Gate check Message passes compliance gates N/A Low (automated) ALL gates must pass before send
Send Email sent via SMTP Legitimate interest Medium: jurisdiction-dependent jurisdiction-check — apply per-recipient rules
Reply detection Reply content Legitimate interest Low objection-detection — flag opt-out requests
Follow-up Second email Legitimate interest (if no objection) Medium: must respect opt-out opt-out-check — verify recipient hasn't unsubscribed
Conversion Contract details Contract performance Low right-to-erasure — delete data if requested

Practical Implementation for Phase 0

All of the above requires significant infrastructure: email delivery, bounce handling, opt-out databases, privacy policies, cross-border transfer documentation. For Phase 0 (when this plan is active, post-Passepartout maturity):

  1. Start with Egyptian organized communities only. Single jurisdiction simplifies compliance. PDPL is less defined than GDPR — lower risk surface.
  2. Do not scrape. Source leads manually or from public directories with clear consent models. A directory of HOAs that lists board president emails openly is fair use. A directory that requires login and forbids scraping is not.
  3. Every outbound message needs: sender identity, physical address, unsubscribe link, privacy policy link, and a clear "you can object" statement.
  4. Log every opt-out. Reputation slashing applies to the sender too — if leads flag you as spam, your deliverability drops across all future sends.
  5. Passepartout gate stack is ideal for this. Every gate is a pure Lisp function — subject-line-truth checks the LLM's output, sender-identity validates headers, unsubscribe-link confirms the link is present and working. The gate stack makes the compliance argument rather than relying on human review.

What Can Be Done Now (Without Passepartout Automation)

  1. Document the compliance framework (this file)
  2. Set up the Airtable CRM schema with lead stages
  3. Research email delivery options (SendGrid vs Resend vs self-hosted)
  4. Draft the privacy policy that will be linked from every outbound message
  5. Identify Egyptian HOA/community directories for manual sourcing

The automation waits on Passepartout — but the legal foundation and the infrastructure can be scoped now.

References

  • CAN-SPAM Act (15 U.S.C. 7701-7713)
  • GDPR (Regulation (EU) 2016/679)
  • UK GDPR + PECR (SI 2003/2426)
  • Egypt PDPL (Law No. 151 of 2020)
  • CASL (S.C. 2010, c. 23)
Reference in New Issue View Git Blame Copy Permalink