The 1974 federal law that governs employer-sponsored benefits. Sets fiduciary standards, disclosure requirements (the SPD comes from here), claims procedures, and enforcement. Self-funded plans are exempt from state insurance regulation under ERISA preemption.
Authority: DOL ERISA overview
The annual return employers (and unions) must file for ERISA-covered benefit plans with 100+ participants. Filed with DOL/IRS. Public-record dataset including plan sponsor, participants, assets, broker of record, carrier, and plan-year financials.
For brokers: Form 5500 is the public dataset Velora's Signal Engine pulls from. Recent broker-of-record changes, late filings, and below-median benefits cost are all real outreach signals.
Authority: DOL Form 5500 search
1991 federal law restricting telemarketing calls, autodialer use, prerecorded messages, and SMS marketing. Enforced via private right of action with statutory damages — $500 per violation, $1,500 if willful. State laws (FL Mini-TCPA, WA Mini-TCPA, OK Mini-TCPA, MD Mini-TCPA) extend liability.
For brokers: Velora enforces TCPA at the dispatch layer with a 51-state matrix. Quiet hours, day-of-week rules, AI-voice disclosure preambles for TX SB 140 and CA AB 2905 — the platform refuses to send when a state rule isn't met.
Authority: 47 USC § 227
The wireless carrier industry trade association. Publishes the SMS messaging principles every U.S. carrier enforces — STOP/HELP keywords, opt-in confirmation, unsolicited messaging definitions. CTIA non-compliance = carrier-level filtering before messages reach the recipient.
Authority: CTIA Messaging Principles
10-digit long code A2P registration — the carrier program that sanctions sending app-to-person SMS from a regular phone number. Brand registration + campaign registration required; non-registered traffic gets aggressively filtered.
For brokers: Every broker using SMS through Velora gets walked through 10DLC during onboarding. The Twilio bridge handles brand and campaign registration as part of the standard setup.
2003 federal law requiring commercial emails to identify the sender, disclose advertising intent, include a working unsubscribe link, and honor opt-outs within 10 business days. Penalties up to $50,120 per email.
Authority: FTC CAN-SPAM compliance guide
A request from an individual to a company to access, delete, port, correct, or stop processing their personal data. Required by GDPR (30-day timeline), CCPA/CPRA (45-day timeline), and most U.S. state privacy laws (CO, VA, CT, UT, etc.).
For brokers: Velora maintains a DSAR workflow at /admin/dsar with deadline tracking. Submit a DSAR to Velora at /privacy.
1996 federal law that, among other things, sets a federal floor for protecting individually identifiable health information (PHI). Covered entities = health plans, healthcare providers, healthcare clearinghouses. Business associates = vendors that touch PHI on their behalf.
For brokers: Velora Marketing does not currently process PHI by default — ingestion is scoped to non-PHI fields. A HIPAA-aware mode for agencies that handle PHI is on the roadmap; we will require a signed BAA before enabling it.
Authority: HHS HIPAA for professionals
A contract required under HIPAA whenever a covered entity uses a vendor to handle PHI on their behalf. Specifies what PHI the vendor receives, how they protect it, breach notification obligations, and termination clauses.
2010 federal law restructuring the individual and group health insurance markets. Created the marketplaces, the employer mandate (50+ FTE = must offer coverage), individual mandate (now $0 federally), and key plan-design floors (preventive care 100%, OOP max caps, no annual/lifetime limits, dependent coverage to age 26).
Federal law allowing former employees (and qualifying dependents) to continue group health coverage for 18–36 months at their own expense. Employers with 20+ employees must offer it.