GAP School Module 12 — Adapting Across Verticals Lesson 12.3
I am not a lawyer. Nothing in this lesson is legal advice. What follows is an operator's working understanding of the compliance landscape in the verticals most likely to use this platform — the minimum you need to know to build the right plumbing and know when to stop and call a licensed professional.

The Platform-vs-Agent doctrine means the client bears the vertical regulatory burden, not the platform. But that only holds if the platform is built in a way that lets the client meet their obligations. You can't build a lead form for an insurance client without understanding TCPA. You can't build a real estate listing platform without understanding IDX terms and Fair Housing. Ignorance of the regulatory context doesn't shift liability — it just means you built the wrong thing.


The situation

Every vertical that sells through a multi-touch digital funnel has at least one regulatory layer governing how you can contact prospects, what data you can collect, how long you can hold it, and what disclosures you must make. The specific rules vary by vertical, state, and sometimes by the type of prospect.

The four verticals mapped in detail for this platform:

  1. Marine / powersports / exotics (the Anchor vertical) — lightest regulatory footprint of the group
  2. Insurance — TCPA, state licensing constraints on lead routing
  3. Real estate — RESPA, Fair Housing, IDX/MLS terms
  4. Healthcare-adjacent — PHI scope questions, HIPAA applicability, BAA requirements

What I did

Vertical 1: Marine / Powersports / Exotics

The lightest compliance footprint. The primary regulatory constraints:

  • CAN-SPAM and TCPA: Any commercial email requires an unsubscribe mechanism. Any SMS requires prior written consent (TCPA) and a clear opt-out path (STOP keyword, honored within 10 days per CTIA guidelines). Both are built into the platform's communication layer as defaults — the compliance isn't added later, it's structural.
  • FTC truth-in-advertising: Marketing claims need to be substantiable. "We guarantee leads" is a claim that could get you in front of an FTC complaint. The platform's copy makes no guarantees about lead volume — only about system capability.
  • State privacy laws (California CCPA, Colorado CPA, etc.): If you're collecting PII from California residents, you have CCPA obligations regardless of where your business is located. The platform's privacy policy template covers standard CCPA disclosures. The data export functionality enables data subject access requests.

No BAA required. No state licensing constraints on the builder. This is the vertical where you can move fastest.

Vertical 2: Insurance

More complex. Three distinct constraint areas:

TCPA (Telephone Consumer Protection Act): TCPA governs automated calls and texts to cell phones. In the insurance vertical, exposure can be massive (up to $1,500 per violation, class-action eligible). The critical compliance requirements:

  • Prior express written consent before any automated text or call. The lead form must contain explicit consent language that names the communication purpose. "By submitting this form, you consent to be contacted by [Business] via phone, text, and email regarding insurance products" is a minimum — your licensed attorney should review the exact language.
  • Consent must be per-purpose. Consent to be contacted about auto insurance doesn't automatically extend to life insurance.
  • The consent record must be timestamped and stored. The platform's lead record captures timestamp, IP, and form submission data — this is your consent audit trail. Do not delete it. Do not overwrite it.
  • Opt-out must be honored immediately. STOP keyword for SMS, unsubscribe for email. The platform handles both. What the client must do: not re-add opted-out numbers to a new list.

State licensing and lead routing: Licensed insurance agents are licensed in specific states. A lead from Arizona can only be worked by an agent licensed in Arizona. If your lead routing system sends an Arizona lead to a Texas-only agent, that agent cannot legally work it — and doing so can trigger regulatory complaints. The lead routing rules layer of the platform accommodates this: per-territory routing, license-tier rules, geographic filters. These need to be configured with the client's actual licensed-state map.

The FTC one-to-one consent rule (effective 2025): As of January 2025, the FTC requires that lead gen forms collect consent for each specific seller separately — a single checkbox consenting to contact from "our partners" no longer covers a multi-seller distribution model. If the client is aggregating leads for multiple agents or carriers, each must be named and consented to individually. Build accordingly.

Vertical 3: Real Estate

RESPA (Real Estate Settlement Procedures Act): RESPA governs referral fees in real estate transactions. The short version: you cannot charge or receive a referral fee for sending a buyer or seller lead to an agent unless you are a licensed real estate professional in that state. The platform is a technology platform, not a referral service. Leads generated by the platform go to the client; the client pays for the platform, not per lead. This is the processor/controller split in practice. If the client wants to build a lead distribution model (sending leads to multiple agents for fees), that model needs a real estate attorney to structure it.

Fair Housing Act: The Fair Housing Act prohibits discrimination based on race, color, national origin, religion, sex, familial status, or disability in the sale, rental, or financing of housing. For an AI-powered platform generating listing descriptions and targeting copy, this has two concrete implications:

  • AI-generated listing descriptions cannot use language that implies preference for or against any protected class. The AI voice guide for any real estate client must explicitly exclude this category of language.
  • Ad targeting based on location (if geographic targeting proxies for race or national origin in a historically redlined area) has been challenged under Fair Housing. If the client runs paid ads through the platform's AI-generated copy, the targeting parameters should be reviewed by someone who knows the local geography and the local history.

IDX / MLS terms: MLS data has its own terms of service. If the platform displays MLS-sourced listing data, the client's IDX agreement governs what can be displayed, how attribution must appear, and how long listings can be cached. This is between the client and their MLS — the platform needs to respect whatever the IDX feed requires.

Vertical 4: Healthcare-adjacent

"Healthcare-adjacent" covers a wide range: insurance agents who sell health insurance, wellness service providers, telehealth referral platforms. The regulatory question is always the same: does this platform handle PHI?

PHI vs PII: Protected Health Information (PHI) under HIPAA is individually identifiable health information maintained or transmitted in connection with the provision of healthcare services. A health insurance lead form that asks "do you have any pre-existing conditions?" collects health information. Whether that makes it PHI depends on whether it's being used to connect the lead with a healthcare provider. If yes — potentially HIPAA-applicable. If no (it's a quote qualification question) — likely not PHI, but your attorney should confirm.

BAA (Business Associate Agreement): If the client is a covered entity under HIPAA and the platform processes data on their behalf that includes PHI, the platform needs to sign a Business Associate Agreement with the client before handling any of their data. A BAA is a contractual commitment to handle PHI according to HIPAA's security and privacy requirements. GAP Industries will sign a BAA for clients who require one — the BAA terms need review by a licensed healthcare attorney before signing.

What this means for the build: Any platform that may touch PHI needs encryption at rest and in transit, access control logging (who accessed what data and when), and a breach notification plan. The security baseline from Module 1 covers the technical foundation; the legal layer on top requires the BAA and a properly drafted DPA.


Why it matters

Building the wrong compliance architecture means your client is exposed, and depending on your contract, you may share that exposure. The MSA and DPA that GAP Industries uses with clients are designed to put the compliance burden where it belongs — on the client as data controller. But that only holds if the right plumbing was built: consent capture, opt-out handling, audit trails, data export, sub-processor documentation.

The compliance layer is not an add-on. It's designed into the platform from the start — the consent fields in the lead forms, the timestamped opt-out records, the data export capability, the named sub-processors in the DPA. By the time a client needs to demonstrate compliance, the evidence should already exist in the system.


Do this, not that

  • Build consent capture into the lead form architecture from day one. Timestamp, IP, form version, exact consent language shown at submission time. You cannot reconstruct this later.
  • Honor opt-outs immediately and permanently. SMS STOP and email unsubscribe are legal requirements, not preferences. The platform handles the mechanics; make sure the client understands that adding opted-out contacts back to lists is a TCPA violation.
  • Know your vertical before you scope the build. The compliance requirements are not discovered during the build — they're established before the first line of code. The scoping conversation in Lesson 12.4 includes compliance scope as a mandatory question.
  • When the compliance question is novel or high-stakes, stop and consult a licensed attorney. The operator knowledge in this lesson gets you through the common cases. It does not replace legal counsel for complex situations — HIPAA BAA negotiations, multi-state insurance licensing questions, Fair Housing in a historically sensitive market.
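The consent audit trail, opt-out suppression and licensed-state routing that the insurance section describes (and the checklist above restates), as an added example written for this lesson rather than the platform's own code. The `ConsentLedger` and `route_lead` names, the record fields and the use of ISO-8601 strings for timestamps are assumptions; any phone numbers, IPs and agent names used with it are constructed sample data.

```python
import hashlib


class ConsentLedger:
    """Append-only consent records plus a permanent per-channel opt-out list.
    Hypothetical data model, not the platform's own schema. Each record keeps
    who consented, for which purpose, which individually named sellers, the
    exact consent text shown, the form version, the submitter IP and an
    ISO-8601 UTC timestamp (kept as a string here for simplicity)."""

    def __init__(self):
        self.records = []    # append-only: never overwritten, never deleted
        self.opted_out = {}  # (phone, channel) -> time of the first STOP/unsubscribe

    def record_consent(self, phone, purpose, sellers, consent_text,
                       form_version, ip, ts):
        rec = {
            "phone": phone, "purpose": purpose, "sellers": tuple(sellers),
            "consent_text": consent_text, "form_version": form_version,
            "ip": ip, "ts": ts,
            # digest of the wording shown, so the exact text can be proven later
            "text_sha256": hashlib.sha256(consent_text.encode()).hexdigest(),
        }
        self.records.append(rec)
        return rec

    def revoke(self, phone, channel, ts):
        """STOP keyword (sms) or unsubscribe (email). Earliest time is kept."""
        self.opted_out.setdefault((phone, channel), ts)

    def may_contact(self, phone, channel, purpose, seller):
        """Return (allowed, reason). An opt-out beats any consent, including one
        re-added after the STOP; consent counts only for the same purpose and
        a seller named individually on the form (no blanket "our partners")."""
        stop = self.opted_out.get((phone, channel))
        if stop is not None:
            return False, f"opted out of {channel} at {stop}"
        for rec in self.records:
            if (rec["phone"] == phone and rec["purpose"] == purpose
                    and seller in rec["sellers"]):
                return True, f"consent {rec['ts']} form {rec['form_version']}"
        return False, f"no consent for purpose={purpose} seller={seller}"


def route_lead(lead_state, agents):
    """Agents allowed to work the lead: only those licensed in its state.
    agents maps agent name -> set of two-letter state codes they hold."""
    return sorted(n for n, states in agents.items() if lead_state in states)
```

Every outbound send and every lead assignment should pass through `may_contact` and `route_lead` respectively; the reason string is what you hand to the client when they need to show why a contact was or was not made.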