← Ataski · Trust & security · DPA · Subprocessors

AI Disclosure Statement — Cross-Cutting Policy

Last updated: 2026-05-12 Status: Draft for legal review; load-bearing for all AI-drafted customer outbound.

Scope

Applies to every Ataski role that generates AI-drafted communications sent to third parties on behalf of a customer. Currently affects: SDR (devon-v2), Niche SDR (anya-v0), Renewal Hunter (tom-v1), Inbound Lead Concierge (kate-v0), Account Health Watcher (nina-v0), plus any future role with outbound communication surface.

Regulatory anchors

1. California SB 1001 (Bot Disclosure) — California Business & Professions Code §17941. Requires disclosure when a "bot" attempts to incentivize a sale or influence a vote, used online with a person in California. Email outreach falls in scope.

2. CCPA / CPRA Notice-at-Collection — Cal. Civ. Code §1798.100(a)-(b). Requires notice at or before collection of personal information. B2B exemption expired Jan 1, 2023; business contact info from CA residents is in scope.

3. CAN-SPAM Act (federal) — already enforced in existing SDR pipeline (verified sender, opt-out, physical address); not duplicated here.

Disclosure requirements

A. AI bot disclosure (SB 1001)

Every AI-drafted email sent to a recipient inferred as a CA resident MUST include:

• Footer line (English): "This email was drafted with AI assistance and reviewed by [customer entity name] before sending."
• Recipient-state inference logic:
• US business address mapped to state via firmographic record → CA = inferred CA resident
• LinkedIn-snippet location heuristic (if Bay Area / LA / SD / Sacramento mentioned) → inferred CA resident
• Conservative default for any US recipient with no firm location signal: apply CA disclosure (over-discloses, no harm)

B. CCPA notice-at-collection (CA recipients)

First email touch to an inferred CA recipient MUST include in footer:

• "Privacy: We collected your business email through public sources to send this one-time outreach. [Manage your data]" (link to /privacy/optout?email=<urlencoded>)
• Link routes to /privacy/optout endpoint with pre-filled recipient context

C. Opt-out / unsubscribe (universal, CAN-SPAM + CCPA + CASL)

• Every email has one-click unsubscribe (Postmark List-Unsubscribe header + footer link)
• Suppress propagates to all roles for the tenant within 24h
• Customer cannot re-add a suppressed contact

Implementation

Template hooks

templates/email/_disclosure_footer.html — new partial, conditional render: - {% if recipient.ca_resident %} → render SB 1001 + CCPA notice block - {% else %} → standard footer (CAN-SPAM + unsubscribe only)

Recipient state inference

src/ataski/compliance/recipient_state.py — new module: - infer_us_state(contact: Contact) -> str | None - Sources (priority order): explicit address > LinkedIn snippet location > firmographic HQ state > None - Returns ISO 3166-2:US code or None - is_ca_resident(contact) -> bool returns True on state==CA or None (conservative default)

Audit logging

Every outbound email row (outreach_sends table) carries: - recipient_inferred_state — for audit & compliance reporting - disclosure_variant — ca_full, standard, etc.

D. Live-meeting recording disclosure (Meeting Coordinator, wiretap-state two-party-consent)

Current status (2026-05-24). Live meeting recording (Recall.ai bot-join) is paused while we finalize per-participant consent capture per docs/adrs/0068-live-recording-dispatch-gate.md. Manual transcript upload remains supported. When live recording is re-enabled, the consent-capture flow described below ships first; customers will receive 48-hour notice before re-enable. The disclosure text in this section describes the eventual flow per the ADR — it is the contract every live-recording dispatch MUST honor once the RECALL_BOT_DISPATCH_ENABLED flag flips back on.

Scope. Applies to every role that joins a live meeting on a customer's behalf — initially Meeting Coordinator (Recall.ai bot), also Board Pack Drafter's meeting pipeline when it dispatches its own bot.

Per-meeting consent capture (target state, gated behind ADR-0068). When live recording is re-enabled and ANY participant is located in a two-party-consent US state OR the participant's jurisdiction is unknown (conservative default), the operator will be required to trigger pre-meeting consent capture before the bot is dispatched:

• The 18-state two-party-consent allowlist lives in src/ataski/compliance/wiretap_state_gate.py: CA, CT, DE, FL, IL, KS, MD, MA, MI, MT, NV, NH, NJ, NY, OR, PA, VT, WA.
• Per-meeting flow (see src/ataski/meeting_consent_flow.py): evaluate participants → send per-participant consent-request emails → record per-participant meeting_consents rows → only then dispatch the recording bot. The customer-facing /meetings/consent route, the consent-token module, the Postmark email template, and the operator UI ship before the RECALL_BOT_DISPATCH_ENABLED flag flips back on.
• The gate is total: empty / unknown participant list → consent required; one missing required consent → bot does NOT join.

Bot-join announcement (target state, gated behind ADR-0068). Whether or not per-meeting consent is required, the recording bot's join surface will signal AI presence:

• Display name: <Tenant entity> Recap Bot - AI note-taker (bot_display_name).
• Verbal announcement at join, where the host platform supports TTS: "<Entity> Recap Bot is joining to draft a meeting recap with AI assistance. If you do not consent to being recorded, please object now or leave the meeting." (bot_join_announcement_text).

Customer-as-controller. Per ToS §8, the legal obligation to obtain consent under the destination-state wiretap statute runs with the customer. Ataski will provide the capture mechanism when live recording is re-enabled per ADR-0068; the audit log and the export endpoint are live today. The customer's legal counsel owns the posture determination.

Tracking

• tests/test_compliance_disclosure.py — asserts CA recipient outbound has both SB 1001 and CCPA footer text present
• Regression eval in CI: 5 cases with synthetic CA recipients, 5 with non-CA — assert correct variant

Triggers to update this document

• New state with bot-disclosure or notice-at-collection law (Texas BSC §305 analogue, Washington WMPA, etc.) → add inference + footer variant.
• Federal AI disclosure law passes → consolidate.
• A role adds outbound surface beyond email (SMS, voice, in-app message) → extend disclosure to that channel.