---
title: 'Legal Basis for Cold Outreach'
category: 'outreach'
last_verified: '2026-03-22'
related_files:
  - 'src/utils/compliance.js'
  - 'src/outreach/sms.js'
  - 'src/outreach/email.js'
  - 'docs/09-business/auditandfix-business-plan.md'
tags: ['legal', 'compliance', 'spam act', 'tcpa', 'gdpr', 'pecr', 'consent']
status: 'current'
---

# Legal Basis for Cold Outreach

This document records the legal foundation for Audit&Fix sending unsolicited commercial
messages to businesses. The core principle across all markets: **a business that publicly
lists its contact details in a commercial context is implicitly inviting contact about its
business activities.** The degree of legal protection this affords varies by jurisdiction
and channel.

---

## Australia — Spam Act 2003 (Cth)

### Legal Basis: Inferred Consent (s.7(1)(b))

The Spam Act 2003 prohibits sending unsolicited commercial electronic messages, but carves
out **inferred consent**:

> A person is taken to have consented to receiving a message if the electronic address to
> which the message is sent was **conspicuously published** in a business context (e.g. on
> a website, in a directory, on signage), and the message is **relevant to the person's
> business, role, or functions**, and the address was published **without a statement that
> the person does not want to receive unsolicited commercial electronic messages**.

**Plain English:** A plumber who lists their phone number or email on their website has
implicitly invited contact about their plumbing business. We are contacting them about
their website — which is directly relevant to their business. Unless their site contains
an opt-out statement (e.g. "no unsolicited commercial messages"), inferred consent applies.

**Citation:** [Spam Act 2003 (Cth) s.7(1)(b) and Schedule 2](https://www.legislation.gov.au/Details/C2022C00129)

### Channel Coverage

| Channel | Covered | Notes |
|---------|---------|-------|
| Email   | Yes     | "Electronic address" includes email |
| SMS     | Yes     | "Electronic address" includes mobile numbers under the Act |
| Form    | Yes     | Submitting via their own contact form is clearly in scope |

### Conditions We Must Meet

1. **Relevance** — Message must relate to their business activities (website CRO = ✅)
2. **Conspicuous publication** — Contact detail must be publicly listed (we source from website/SERP = ✅)
3. **No opt-out statement** — Site must not say "no unsolicited messages" (checked implicitly: a site that carries such a statement is not contacted)
4. **Sender identification** — Must clearly identify Audit&Fix and provide contact details (enforced in all templates)
5. **Opt-out mechanism** — Must include an unsubscribe mechanism (STOP for SMS, unsubscribe link for email)

### Regulator

Australian Communications and Media Authority (ACMA).
[ACMA guidance on inferred consent](https://www.acma.gov.au/spam-rules-businesses)

---

## United Kingdom — PECR + UK GDPR

### Legal Basis: Corporate Subscriber Exemption (PECR) + Legitimate Interest (UK GDPR)

Two overlapping frameworks apply.

#### PECR reg. 22 — Corporate Subscribers

The Privacy and Electronic Communications Regulations 2003 require **consent** before
sending unsolicited direct marketing to **individuals**. However, **corporate subscribers**
(registered companies, LLPs, partnerships) are exempt from the consent requirement for
email marketing.

> Reg. 22 applies to "individual subscribers." A corporate entity is not an individual
> subscriber, so the consent rule does not apply. The sender must still identify itself
> and provide an opt-out mechanism.

**Critical caveat:** Sole traders and partnerships are treated as **individuals** under
PECR and require consent. Our pipeline skips sole traders where identifiable, but this
is difficult to determine at scale — treat all UK outreach conservatively.

**Citations:**
- [PECR reg. 22](https://www.legislation.gov.uk/uksi/2003/2426/regulation/22)
- [ICO guidance — direct marketing and PECR](https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-electronic-communications/direct-marketing-guidance/)

#### UK GDPR Art. 6(1)(f) — Legitimate Interest

For data processing (storing and using business contact details), the lawful basis is
Legitimate Interest:

> Processing is lawful if "necessary for the purposes of the legitimate interests pursued
> by the controller or by a third party, except where such interests are overridden by the
> interests or fundamental rights and freedoms of the data subject."

Recital 47 of the UK GDPR explicitly names **direct marketing** as a legitimate interest.
B2B outreach using publicly available data is a strong candidate because:

- The data subject (business owner) has voluntarily published their contact details
- The message is relevant to their commercial activity
- The intrusion is low (one message, easy opt-out)
- We identify ourselves and provide an opt-out in every message

**Requirement:** A formal Legitimate Interest Assessment (LIA) must be documented before
UK outreach resumes. See business plan risk register for LIA templates.

**Citations:**
- [UK GDPR Art. 6(1)(f)](https://uk-gdpr.org/chapter-2-article-6/)
- [UK GDPR Recital 47](https://uk-gdpr.org/recitals/#47)
- [ICO LIA guidance](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/legitimate-interests/)

#### SMS in the UK

PECR applies to **electronic mail** (email, SMS, automated calls). SMS to individuals
requires consent — same rules as email. The corporate subscriber exemption technically
applies to SMS directed at a business number, but the ICO treats mobile numbers as
personal in practice — making cold SMS to UK mobiles untenable without explicit consent.

**Current status:** UK SMS is permanently blocked (DR-121, 2026-03-30). Do not reactivate
without external legal counsel sign-off. The corporate subscriber exemption is not a
reliable defence for cold SMS to mobile numbers.

---

## United States — TCPA / CAN-SPAM

### Email: CAN-SPAM Act

CAN-SPAM does **not** require prior consent for commercial email. It requires:

1. Accurate "From" and "Reply-To" headers
2. Non-deceptive subject line
3. Physical mailing address in every email
4. Clear opt-out mechanism
5. Honor opt-outs within 10 business days

Cold B2B email to the US is legal under CAN-SPAM provided these requirements are met.

**Citation:** [15 U.S.C. § 7701 et seq.](https://www.law.cornell.edu/uscode/text/15/7701)

### SMS: TCPA — No Clean Legal Basis

The Telephone Consumer Protection Act (TCPA) requires **express written consent** before
sending marketing SMS. There is **no B2B exemption** for wireless (mobile) SMS.

**Key case law:**

- **Facebook v. Duguid** (2021) — Supreme Court narrowed the definition of an Automatic
  Telephone Dialing System (ATDS). Our system dials specific numbers from a database, not
  randomly or sequentially generated numbers, which may mean it does not qualify as an ATDS.
  This is a structural defense, not a consent substitute.
  [Supreme Court opinion](https://www.supremecourt.gov/opinions/20pdf/19-511_p86b.pdf)

- **Bradford v. Sovereign Pest Control** (5th Cir., Feb 2026) — Further limited the FCC's
  telemarketing framework post-McLaughlin. Ongoing legal evolution in this area.
  [Nixon Peabody analysis](https://www.nixonpeabody.com/insights/alerts/2026/02/27/fifth-circuit-holds-the-tcpa-does-not-require-prior-express-written-consent)

**Current status:** US SMS is permanently blocked (`OUTREACH_BLOCKED_SMS_COUNTRIES`).
Do not unblock without external legal counsel sign-off. The Duguid defence is a structural
argument against ATDS liability only — it does not substitute for the express written consent
requirement under the FCC's 2012 and 2023 orders.

**A2P 10DLC:** 10DLC campaign registration is fundamentally incompatible with cold outreach.
The TCR vetting process requires a verifiable opt-in mechanism (URL, short code, keyword).
Campaign rejected with error 30909 (CTA verification failure) on 2026-03-30. Do not resubmit.
10DLC applies only to US long codes — it does not affect AU/NZ Twilio numbers. See DR-121.

**Statutory damages:** $500–$1,500 per message.

---

## Canada — CASL

Canada's Anti-Spam Legislation (CASL) requires **express or implied consent** before
sending commercial electronic messages (CEMs). Implied consent exists where:

- The recipient has **conspicuously published** their electronic address in a business
  context without indicating they don't want CEMs, **and** the message is relevant to
  their business role — same logic as Australia's Spam Act.
- The sender has an **existing business relationship** with the recipient.

**Citation:** [CASL s.6(2)(b)](https://laws-lois.justice.gc.ca/eng/acts/E-1.6/page-1.html)

**Note:** CASL's implied consent from publication is narrower than Australia's — some
legal opinion holds it requires a stronger nexus between the published address and the
message topic. Treat CA conservatively.

**Current status:** CA SMS is permanently blocked. Add CA to `OUTREACH_BLOCKED_SMS_COUNTRIES`
if not already present (it was missing from the live `.env` as of 2026-03-30 — see DR-121).
Email to CA is active under implied consent with opt-out compliance.

---

## Summary Table

| Country | Channel | Legal Basis | Status |
|---------|---------|-------------|--------|
| AU | Email | Spam Act 2003 s.7(1)(b) — inferred consent | Active |
| AU | SMS | Spam Act 2003 s.7(1)(b) — inferred consent | Active |
| AU | Form | Spam Act 2003 s.7(1)(b) — inferred consent | Active |
| NZ | Email | Unsolicited Electronic Messages Act 2007 | Active |
| NZ | SMS | Unsolicited Electronic Messages Act 2007 | Active |
| UK | Email | PECR reg.22 corporate exemption + UK GDPR LI | Blocked (LIA required) |
| UK | SMS | PECR — consent required for mobiles | Permanently blocked |
| US | Email | CAN-SPAM — no prior consent required | Active |
| US | SMS | TCPA — no B2B exemption; 10DLC incompatible (DR-121) | Permanently blocked |
| CA | Email | CASL s.6(2)(b) — implied consent from publication | Active |
| CA | SMS | CASL — $10M CAD penalty; no express consent | Permanently blocked |
| IE | SMS | ePrivacy Regulations — consent required | Permanently blocked |
| ZA | SMS | POPIA — unclear, not worth risk | Permanently blocked |
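
The summary table above and the "Conditions We Must Meet" list describe a policy that the sending code has to enforce, and the CA finding (a country missing from the live `.env` deny-list) shows why a deny-list on its own is fragile. The following is an added example, not the project's own `src/utils/compliance.js`: it encodes the table as an explicit allow-list, layers `OUTREACH_BLOCKED_SMS_COUNTRIES` on top so a blocked country stays blocked even if the allow-list is later widened, and checks the two content conditions shared by every market (sender identification, opt-out mechanism). The function names, the allow-list object, and the sample environment and messages are assumptions constructed for the example.

```javascript
// Added example, not the project's own src/utils/compliance.js. It encodes the
// summary table as an explicit allow-list and layers the
// OUTREACH_BLOCKED_SMS_COUNTRIES deny-list on top, so the gate fails closed.
// Function names, the table shape and the sample data are assumptions.

// Countries and channels with status "Active" in the summary table. Anything
// absent here (UK, IE, ZA, unknown codes) is denied by default, which is what
// protects against a country being missing from the .env deny-list.
const ACTIVE_CHANNELS = Object.freeze({
  AU: new Set(['email', 'sms', 'form']),
  NZ: new Set(['email', 'sms']),
  US: new Set(['email']),
  CA: new Set(['email']),
});

// Parse a comma-separated OUTREACH_BLOCKED_SMS_COUNTRIES value such as "US,UK".
// Tolerates whitespace, empty entries and lower case.
function parseBlockedSmsCountries(envValue) {
  return new Set(
    String(envValue || '')
      .split(',')
      .map((code) => code.trim().toUpperCase())
      .filter(Boolean),
  );
}

// Channel gate: the allow-list must permit the channel AND the deny-list must
// not block it. Unknown countries and channels are refused.
function isChannelAllowed(country, channel, env = process.env) {
  const cc = String(country || '').trim().toUpperCase();
  const ch = String(channel || '').trim().toLowerCase();
  if (!Object.prototype.hasOwnProperty.call(ACTIVE_CHANNELS, cc)) return false;
  if (!ACTIVE_CHANNELS[cc].has(ch)) return false;
  const blocked = parseBlockedSmsCountries(env.OUTREACH_BLOCKED_SMS_COUNTRIES);
  if (ch === 'sms' && blocked.has(cc)) return false; // deny-list always wins
  return true;
}

// Content conditions that every market shares: the sender must be identified
// and the message must carry an opt-out (STOP keyword for SMS, an unsubscribe
// link for email). Returns a list of violations; empty means compliant.
function messageViolations(channel, body) {
  const text = String(body || '');
  const ch = String(channel || '').trim().toLowerCase();
  const problems = [];
  if (!/Audit&Fix/i.test(text)) problems.push('missing sender identification');
  if (ch === 'sms' && !/\bSTOP\b/.test(text)) problems.push('missing STOP opt-out');
  if (ch === 'email' && !/unsubscribe/i.test(text)) problems.push('missing unsubscribe link');
  return problems;
}

// Single decision point for the sending code: refuse unless both the channel
// gate and the content checks pass, and say why.
function gateOutreach({ country, channel, body }, env = process.env) {
  const reasons = [];
  if (!isChannelAllowed(country, channel, env)) {
    reasons.push(`${channel} to ${country} is not an active channel`);
  }
  reasons.push(...messageViolations(channel, body));
  return { allowed: reasons.length === 0, reasons };
}

// Constructed sample data (not real configuration or messages). CA is left out
// of the deny-list on purpose, mirroring the gap found on 2026-03-30.
const SAMPLE_ENV = { OUTREACH_BLOCKED_SMS_COUNTRIES: 'US, UK' };
const SAMPLE_SMS = 'Audit&Fix here about your website. Reply STOP to opt out.';
const SAMPLE_EMAIL = 'Hi from Audit&Fix. To unsubscribe, click the link below.';

// Stand-alone run: AU SMS passes, CA SMS is refused by the allow-list alone.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(gateOutreach({ country: 'AU', channel: 'sms', body: SAMPLE_SMS }, SAMPLE_ENV));
  console.log(gateOutreach({ country: 'CA', channel: 'sms', body: SAMPLE_SMS }, SAMPLE_ENV));
  console.log(gateOutreach({ country: 'US', channel: 'email', body: SAMPLE_EMAIL }, SAMPLE_ENV));
}
```

The point of the two layers is that each one catches a different mistake: the allow-list refuses CA SMS even with CA absent from the `.env` value, and the deny-list keeps US SMS refused even if someone later adds `sms` to the US allow-list entry. Keeping the decision in one function also means the per-channel senders cannot diverge in how they apply the policy.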

---

## A2P 10DLC Registration — Not Applicable (DR-121)

**10DLC is a US-only program.** It applies to US long code (10-digit) phone numbers.
Australian and New Zealand Twilio numbers are not subject to 10DLC registration.

**10DLC is incompatible with cold outreach.** The TCR (The Campaign Registry) vetting
process requires a verifiable opt-in mechanism — a URL, short code, or keyword where
recipients actively consent to receive messages. Cold outreach recipients have not opted
in. Our campaign was rejected with error 30909 (CTA verification failure) on 2026-03-30.

Do not resubmit the 10DLC campaign. Repeated rejections can trigger Twilio account-level
review. If US SMS is ever needed, implement an email-first consent funnel (see DR-121).

---

## The Core Argument (for AU/NZ carrier compliance)

When asked to explain the consent basis for Australian/NZ SMS:

> Recipients are business owners who have conspicuously published their contact details
> in a commercial context (website, directories, SERP listings). Under Australian law
> (Spam Act 2003 s.7(1)(b)), this constitutes inferred consent to receive messages
> relevant to their business activities. Our messages concern their website — directly
> relevant to their commercial operations. All messages identify the sender (Audit&Fix,
> auditandfix.com), include an opt-out instruction, and are sent only during business
> hours. Opt-outs are honored immediately and permanently.

---

## Updates

This document should be reviewed:
- When entering a new country market
- Following any TCPA/CASL/ACMA regulatory changes
- Before reactivating any currently-blocked channel
- If legal counsel provides updated advice