By Laura Dunlop1

© 2006 Laura Dunlop

Abstract

In July of 2004, Michigan and Utah enacted child protection registry laws that prohibit businesses from sending e-mail advertisements for certain types of goods and services to “contact points” (e.g. individual or school e-mail domains) listed on registries maintained by each state. The prohibited goods and services include alcohol, tobacco, pornography, and illegal drugs. This Article summarizes these statutes and provides guidance to businesses concerning statutory compliance. The Article also highlights certain concerns about the scope and ambiguities in the statutory language. Despite ongoing debate surrounding these statutes, companies that choose to market via the Internet must understand their statutory obligations. Other states may enact similar legislation. Organizations that sell, advertise, or handle promotions for products and services on a nationwide basis may face compliance issues in multiple jurisdictions.

Table of Contents

Introduction
Overview of the Michigan and Utah Child Registry Laws
Liability under the Michigan and Utah Child Registry Laws
Statutory Compliance
Challenges Surrounding Statutory Compliance
Conclusion: Methods for Compliance
Practice Pointers

Introduction

<1> Michigan and Utah recently enacted child protection registry laws aimed at preventing adult-oriented content from reaching children’s computers.2 Under the new laws, the states must establish and operate an e-mail address registry site3 similar to the Federal Trade Commission’s (“FTC’s”) current “do not call” registry.4 Each law creates a registry on which individual electronic "contact points,"5 as well as entire e-mail domains belonging to organizations primarily serving minors, may be listed. These statutes require businesses that market electronically to police their own e-mail traffic. Once an e-mail address has been registered for longer than 30 days, commercial marketers are prohibited from sending any message containing, or linking to, advertising that minors cannot access legally.6 Both states construe their statutes to bar advertisements for alcohol, tobacco, pornography, gambling, or any product or service that is illegal for minors.7

<2> Although backed by sound policy considerations, commentators maintain that the laws introduce fundamental statutory compliance problems: the language is broad and open to competing interpretations, the projected costs of compliance appear overly burdensome, and the monetary penalties likely will be difficult to enforce. In addition, the FTC has voiced concerns over the security and privacy of child registry sites. It is furthermore unclear whether the national CAN-SPAM Act preempts these state laws.8 Both the Michigan and Utah Child Registries are currently active.9 At this time companies need to understand how to comply with both statutes.

Overview of the Michigan and Utah Child Registry Laws

<3> Both the Utah and Michigan statutes impose strict liability and provide for criminal and civil penalties. The Michigan Children’s Protection Registry Act makes it a misdemeanor for the first violation and a felony for any subsequent violations10 when a company markets via the Internet by sending e-mail to a registered address when the e-mail advertises products or services that a minor11 is legally prohibited from purchasing. The same statute also prohibits persons and businesses from including a link in their message to a site that advertises products or services that minors cannot legally purchase.

<4> Under the Michigan law, individuals may register any electronic “contact point” or Internet domain with which a commercial business could potentially communicate. The prohibited categories of messages include, but are not limited to, advertising relating to alcohol, tobacco, pornography or obscene material, gambling, lotteries, illegal drugs, and firearms.12 An entity will be liable based upon whether the “primary purpose” of its communication is to advertise the above-mentioned products or services.13

<5> Similar to the Michigan Act, the Utah Child Protection Registry Act creates a registry of contact points14 for minors and bars advertisement to those contact points that promote the sale of goods or services that a minor cannot legally purchase.15 Although alike in registration protocol and compliance requirements, the Utah law is written to prohibit any communication that advertises material “harmful to minors.” While “harmful to minors” as defined in § 76-10-1201 mostly covers “nudity, sexual excitement, or sadomasochistic abuse,” the Utah Division of Consumer Protection (the “Division”) issued a policy statement, which expanded the scope of coverage.16

<6> According to the Division’s statement, prohibited content includes, but is not limited to the advertising of alcohol, tobacco, pornographic materials, and any product or service that is illegal in Utah, whether purchased by a minor or an adult, such as illegal drugs, prostitution, and gambling. 17 The law, however, does not prohibit advertisement of a product or service a minor may purchase only “under certain circumstances,” provided that certain conditions are met. For example, the law does not prohibit an advertisement for a prescription drug where the minor has a valid prescription for the marketed drug or an advertisement for a body piercing given that the child has obtained parental consent as required by Utah law.18

<7> Additionally, the Division has clarified that the Utah law does not bar an advertiser from entering into a contract found to be voidable due to minor status (e.g., a hotel or credit card), or an advertisement that might enable illegal activity by a minor (e.g., an automobile rental). Further, any analysis of advertisement communications should focus on whether the “primary purpose of the communication” is to “directly or indirectly … advertise or otherwise link to the material.”19 As a result, an e-mail from a hotel establishment advertising reservations, but mentioning hotels with casinos or cars, would be viewed merely as a reservation e-mail and would not be found in violation of the statute.20

Liability under the Michigan and Utah Child Registry Laws

<8> Both the Michigan and Utah statutes impose strict liability on the sender; therefore, consent or request from the recipient is not a defense.21 Senders of messages to a registered contact point violate the law regardless of whether there has been a request to receive the advertisement. While the laws and registries are currently established only in Michigan and Utah, experts assert that they apply to any sender inside the United States or any sender that maintains a physical presence in the United States.22 Anyone who sends prohibited e-mails to those who live in either state may be found liable.

<9> Both statutes include an exemption from liability for intermediaries who merely transmit messages over their networks.23 The Utah law further provides a defense in those instances where the advertiser: “(1) reasonably relied on the Utah consumer protection division registry mechanism and (2) took reasonable measures to comply with the statutes.”24 The Michigan statute, in contrast, allows a defense to claims of misdemeanor and felony violations where the communication was transmitted accidentally.25

<10> Marketers in violation of these laws face potential criminal prosecution as well as civil lawsuits.26 Utah imposes up to three years in jail and up to $30,000 in fines, as well as potential civil penalties of $1,000 per message.27 Violators of Michigan’s law face similar fines and jail time, and may be liable for civil penalties of $5,000 per message up to a maximum of $250,000 per day.28 Consequently, a single message could create significant liability if sent to multiple registered contact points.

Statutory Compliance

<11> It is unclear what businesses are subject to the Michigan and Utah laws. Commentators note that the list of prohibited products and services under both statutes may be overly broad and poorly defined.29 The statutes plainly apply to any sender directly advertising alcohol, tobacco, or products or services of more mature sexual content. However, it is uncertain whether the types of marketers affected include, for example, financial services, matchmaking services, or state-run lotteries.30 Michigan, in particular, has offered no clarification on the breadth of inclusion.31 A Michigan judge would have to decide whether borderline advertisements for R-rated movies or firework sparklers, which are illegal for minors to purchase in Michigan, fall within the definition of prohibited advertising and, therefore, compel criminal penalties.32

<12> The Michigan statutory provisions also ban the sending of any message that contains a hypertext or other link to any site that may advertise products or services minors, may not “purchase” or “possess.”33 Consequently, a marketing message or business e-mail newsletter cannot even link to a webpage that contains prohibited content. If a business’ e-mail provides a link to USAToday.com where there is information about tobacco on that page, or for example, links to Amazon.com where there are advertisements for R-rated videos, the company could theoretically be in violation of the law.34

<13> Companies have two options to ensure compliance with the registry laws: They must either (1) scrub their mailing lists35 against the state registry to remove all registered addresses on a monthly basis or (2) review the contents of every e-mail prior to sending and delete any message or link which a recipient could follow and find any prohibited product or service.36 Senders opting to scrub their lists are required to match their mailing lists against the registries every 30 days, for which they must pay both Michigan and Utah a fee per-address.37

<14> Both state registry compliance websites provide the necessary tools to facilitate commercial marketers’ statutory compliance.38 Alternatively, several e-mail service providers (ESPs) provide subscribers with automatic compliance directly through their list management processes.39 These services do not share registry data with marketers, but rather confirm or deny whether addresses are on the list.40

Challenges Surrounding Statutory Compliance

<15> While these child registry statutes promote a desired outcome to improve online safety for children, experts have asserted that the statutes are poorly drafted and will likely prove ineffective. First, as noted above, the list of prohibited products and services under both statutes appear overly broad and ill defined, and thereby create uncertainty as to who falls within the scope of the law.41

<16> Second, the statutory penalties and projected costs of compliance present additional problems. Senders contend that these costs make Internet marketing uneconomical.42 Currently, a marketer’s e-mail list does not include state location or physical addresses. Companies are forced to run their entire national list through the state registry sites every month at considerable cost. 43 If and when identified, these individuals will likely lack sufficient funds to pay the substantial per message fines.

<17> Aside from problems surrounding the statutory language, there are growing concerns over the security and privacy of the registered e-mail addresses. Although both states have made it a felony to obtain or attempt to obtain addresses from the registry list for solicitation purposes, the risk remains that some individuals may obtain and use or share registry data for improper or illegal purposes.

<18> The FTC has also given due consideration to the issue. The Commission recently released a letter to an Illinois legislator in response to a proposed bill to implement an Illinois child protection registry site. The FTC maintains that a registry raises serious security and privacy difficulties, especially for children’s e-mail accounts.44 First, existing computer security techniques are inadequate to prevent exploitation of child protection registries and, consequently, the list would be a prime target for direct hacking by technologically sophisticated individuals. The registry may therefore “provide pedophiles and other dangerous persons with a means of contacting th[e] children.”45 There remains a possibility for misuse by both the registry personnel as well as those marketing firm employees receiving verified lists of data.46

<19> Furthermore, the FTC maintains that due to the lack of security “the database may carry the unintended consequence of providing spammers with a mechanism for verifying the validity of e-mail addresses” and thus in affect increase the inflow of prohibited messages to “protected” accounts. Senders of unsolicited commercial e-mail (“spammers) could essentially reconstruct a substantial portion of the registry by posing as a legitimate marketing entity and repeatedly submit purchased lists of e-mail addresses. Spammers have incentives to send messages to confirmed minors’ contact points knowing that many of the addresses are either family accounts or those which are closely monitored by concerned parents.47

<20> Finally, it is currently unclear whether the federal CAN-SPAM Act48 (the “Act”) preempts the Michigan and Utah registry laws.49 The Act requires senders of commercial e-mail to label messages accordingly and allows recipients to refuse any future mailing from those senders.50 The Act invalidates state regulation of spam e-mail, by preempting anti-spam restriction not directly related to fraud or deception at the state level.51 While neither the Michigan nor the Utah law directly relates to or is aimed at fraud or deception, the statutes were carefully written to classify violations as “computer fraud,” which falls under an exception to the Act‘s preemption provisions.52 Moreover, by including a list of different “contact points” other than e-mail, the states are positioned to argue that their statutes fall outside of the Act because they are not specific to e-mail.53

Conclusion: Methods for Compliance

<21> As noted above, states such as Michigan’s neighbor Illinois are opting to follow Michigan’s and Utah’s leads and introduce a registry bill in their own state assemblies. Consequently, businesses need to pay attention to these laws and develop best practices for compliance. First, it is important that electronic marketers put e-mail recipients on notice that they are complying with the new protection registry laws. Companies should use a double opt-in procedure, requiring a recipient to affirmatively request to receive e-mail and after the individual signs up, require him to confirm the subscription via e-mail. The confirmation message should allow the recipient to opt out if desired. This additional step will protect senders from any potential claims by recipients that a third party, unauthorized individual opted them in.

<22> Second, in order to reduce future costs from the monthly scrubbing compliance requirements, ESPs recommend asking for state of residence and date of birth in all opt-in registration forms. This will ensure that companies are better positioned to focus their compliance efforts and pay the subsequent fees for only those addresses that fall under the scope of the Michigan and Utah laws. Finally, it is essential that companies maintain proper documentation to prove a preexisting business relationship with clients.54

<23> Internet marketers must be proactive with respect to their compliance efforts and implement best practices to better ensure compliance. Other states may also adopt legislation that replicates the Utah and Michigan laws, which would require companies to be vigilant about e-mail marketing to minors to an even larger extent.

Practice Pointers

<< Top

Footnotes

  1. Laura Dunlop, University of Washington School of Law, Class of 2007. Thank you to: Professor Anita Ramasastry, Lawrence Rozsnyai, and Paula Sellis, Senior Counsel, High Tech Unit at the Washington State Attorney General's Office.
  2. Michigan Children’s Protection Registry Act, M.C.L.A. §§ 752.1061-752.1068 (2004); Utah Child Protection Registry Act, U.C.A. 1953 §§ 13-39-101-401 (2004), amended by 2006 Utah Laws Ch. 336 (H.B. 417).
  3. M.C.L.A. 752.1063 Sec.3.(1); U.C.A. § 13-39-201(1). Authority granted to the Michigan Department of Labor and Economic Growth and the Utah Division of Consumer Protection in the Department of Commerce. Id.
  4. Federal Trade Commission National Do Not Call Registry, http://www.ftc.gov/bcp/conline/edcams/donotcall/index.html (last visited July 31, 2006).
  5. M.C.L.A. § 752.1062 Sec.2.(a). Contact point is defined as “an electronic identification to which a communication may be sent.” The definition encompasses an instant message identity, a wireless telephone, PDA page number, a fax number, and an electronic mail address. Id.
  6. M.C.L.A. § 752.1065 Sec.5.(1). The law prohibits sending “a message to a contact point that has been registered for more than 30 calendar days … if the primary purpose of the message is to, directly or indirectly, advertise or otherwise link to a message that advertises a product or service that a minor is prohibited by law from purchasing, viewing, possessing, participating in, or otherwise receiving.” Id.; U.C.A. § 13-39-202(1)(a)-(b). Under the Utah Act, “a person may not send, cause to be sent, or conspire with a third party to send a communication to a contact point or domain that has been registered for more than 30 calendar days ... if the communication ... advertises a product or service that a minor is prohibited by law from purchasing; or ... contains or advertises material that is harmful to minors.” Id.
  7. Michigan Children’s Protection Registry, http://www.protectmichild.com/compliance.html (last visited August 6, 2006); Utah Child Protection Registry: Sender Compliance Information, http://www.utahkidsregistry.com/compliance.html?vid=e8a2vu341ds0qha7qid2a5o415 (last visited August 6, 2006).
  8. Charles H. Kennedy: Utah and Michigan “Do-Not-E-mail" Programs Take Effect, http://www.mofo.com/news/updates/files/update02045.html (last visited August 6, 2006).
  9. See Michigan Children’s Protection Registry, supra n. 7; Utah Child Protection Registry, supra n. 7. The Utah registry took effect in July and Michigan's registry in November of 2005. Michigan Governor Jennifer Granholm signed a bill in November that effectively sped up the implementation. See Ken Magill: Battlefield Utah, http://www.directmag.com/mag/marketing_battlefield_utah (last visited August 6, 2006).
  10. M.C.L.A § 752.796(a) Sec. 6a.(1)(a)-(b).
  11. M.C.L.A. § 752.1062 Sec.2.(a)(v)(d) (2004). A “minor” is defined as anyone under the age of 18 years. Id.
  12. See Michigan Children’s Protection Registry, supra n. 7.
  13. M.C.L.A. § 752.1065 Sec.5.(1); U.C.A. § 13-39-202(1)(a).
  14. U.C.A. § 13-39-102(1). The definition of contact point is the same in the Utah Act as in the Michigan Act. Id.
  15. U.C.A. § 13-39-202(1)-(2). The Utah Administrate Rules R152-39 clarifies the process by which an individual may register a contact point and by which a sender may verify registry compliance.
  16. Gregory M. Saylin and Leanne N. Webster, Utah Law Developments: Utah’s Newest Anti-Spam Law: The Child Protection Registry, Utah B.J. 33, November/December (2005).
  17. See Francine A. Giani, Utah Division of Consumer Protection, Policy Statement Concerning Utah Code Ann. § 13-39-202(1) (July 8, 2005).
  18. U.C.A. § 13-39-202(1)-(2).
  19. Id. at 2.
  20. Ira Teinowitz, Ad Groups Decry E-mail Version of Do-Not-Call Critics: State registries impose economic penalties on marketers. Volume 76; Issue 39 (September 26, 2005), Crain Communications Inc., 2005 WLNR 15308557.
  21. M.C.L.A. § 752.1065 Sec.5.(3); U.C.A. § 1339202(2).
  22. ISPP Michigan and Utah Child Protection E-mail Address Registries and Laws, http://www.isipp.com/child-protection-email-address-registries.php (last visited January 16, 2006). According to the Institute for Spam and Internet Public Policy, the registry laws apply to almost all people in the United States and even those outside the United States who have a physical presence in the United States. Id.
  23. M.C.L.A. § 752.1065 Sec.5.(4); U.C.A. § 1339202(3). An intermediary or “Internet service provider” (“ISP”) is defined as “a company that provides individuals and other companies access to the Internet and other related services .... An ISP has the equipment and the telecommunication line access required to have a point-of-presence on the Internet for the geographic area served. The larger ISPs have their own high-speed leased lines so that they are less dependent on the telecommunication providers and can provide better service to their customers.” Available at http://www.bitpipe.com/tlist/Internet-Service-Providers.html (last visited Nov. 13, 2005).
  24. U.C.A. § 13-39-304(1).
  25. M.C.L.A. § 752.796a Sec.6a.(3). The sender carries the burden of proving that the communication was transmitted accidentally. Id.
  26. U.C.A. § 1339201(3)(a). Under Utah law, the recipient of the prohibited message, a parent or guardian, or the owner of a registered Internet domain may bring a civil suit. Id. M.C.L.A § 752.1063 Sec.3.(2). Similarly, under Michigan law, a civil suit may be brought by the guardian of a minor who receives a prohibited message, a person through whose facilities the message was transmitted, or the Attorney General. Id.
  27. U.C.A. § 13-39-302(2)(a)(ii). Civil suits may be filed by the Utah attorney general, the Utah Division of Consumer Protection, Internet service providers, or parents on behalf of their children. Id.
  28. M.C.L.A. § 752.1068 Sec.8. (5)(b)(i)-(ii). Civil suits may be filed by the Michigan attorney general, Internet service providers, or parents on behalf of their children. See M.C.L.A § 752.1068 Sec.8.(1)-(3).
  29. Brian Livingston: Michigan and Utah Impose Dreaded E-Mail Tax, http://itmanagement.earthweb.com/columns/executive_tech/article.php/3522911 (last visited August 8, 2006); Derek Harding: Child Protection Laws and E-mail Marketing, http://www.clickz.com/experts/em_mkt/opt/article.php/3519536 (last visited August 6, 2006).
  30. These services fall within an ambiguous category which may be considered “harmful to minors” under the Utah Act or which minors are “prohibited from … participating in” under the Michigan Act. U.C.A. § 13-39-202(1)(b) (2004). M.C.L.A. § 752.1065 Sec.5.(1).
  31. Brian Livingston: Michigan and Utah Impose Dreaded E-Mail Tax, http://itmanagement.earthweb.com/columns/executive_tech/article.php/3522911 (last visited August 6, 2006).
  32. Id.
  33. M.C.L.A. § 752.1065 Sec.5.(1).
  34. Brian Livingston: Michigan and Utah Impose Dreaded E-Mail Tax, http://itmanagement.earthweb.com/columns/executive_tech/article.php/3522911 (last visited August 6, 2006).
  35. Data scrubbing is defined as “the act of detecting and removing and/or correcting a database’s dirty data (i.e., data that is incorrect, out-of-date, redundant, incomplete, or formatted incorrectly”). ISP Glossary, http://isp.webopedia.com (last visited Nov. 13, 2005). Consequently, a goal of data scrubbing is to clean up the data in a database. Here, companies that “scrub” their lists are removing all e-mail addresses that have been entered into the Utah and Michigan state registry sites.
  36. Charles H. Kennedy: Utah and Michigan “Do-Not-E-mail" Programs Take Effect, http://www.mofo.com/news/updates/files/update02045.html (last visited August 6, 2006).
  37. M.C.L.A. § 752.1062 Sec.5.(2); U.C.A. § 1339201(4). There is a $.007 fee in Michigan and $.005 fee in Utah per contact point checked against the registry. M.C.L.A. § 752.1062 Sec.5.(2); U.C.A. § 1339201(4).
  38. See Michigan Children’s Protection Registry, supra n. 7; Utah Child Protection Registry, supra n. 7.
  39. A list of independent e-mail and compliance service providers can be found on the Utah Registry Compliance website at https://www.registrycompliance.com/esps.htm.
  40. See Michigan Children’s Protection Registry, supra n. 7; Utah Child Protection Registry, supra n. 7.
  41. Brian Livingston: Michigan and Utah Impose Dreaded E-Mail Tax, http://itmanagement.earthweb.com/columns/executive_tech/article.php/3522911 (last visited August 8, 2006).
  42. Ira Teinowitz, Ad groups decry e-mail version of do-not-call Critics: State registries impose economic penalties on marketers. Volume 76; Issue 39, September 26, 2005, Crain Communications Inc., 2005 WLNR 15308557.
  43. FTC Letter to Illinois State Representative Angelo Saviano, 13-15, October 25, 2005, available at http://www.ftc.gov/os/2005/11/051101cmtbill0572.pdf. Marketers must generally comply with state anti-spam laws that requires verification of recipients’ state of residence. Thus, this cost of registry compliance may be one that companies already absorb in order to comply with other laws.
  44. Id. at 5.
  45. Id. at 6-7.
  46. Id. at 7-10. Neither Michigan nor Utah has yet implemented increased auditing of employee background checks and there is no third party security audit of the system. Janine Popick: Michigan and Utah - The Child Protection Registry – What does it mean?, http://verticalresponse.blogs.com/verticalresponse_blog/2005/08/michigan_and_ut.html (last visited August 8, 2006).
  47. FTC Letter to Illinois State Representative Angelo Saviano, supra at 7-10.
  48. Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003, Pub. L. No. 108-187, 117 Stat. 2699-2719 (2003).
  49. The Free Speech Coalition, an organization representing the adult entertainment industry, filed suit against the state of Utah on November 17, 2005. The group claims that the CAN-SPAM Act preempts the state registry law and that it unconstitutionally interferes with interstate commerce. Several groups said they plan to join in filing a legal brief in the suit opposing the Utah law, including the E-mail Sender and Provider Coalition, a marketing trade group; Beverage Solutions Inc., a beer-and-wine seller; and the Electronic Frontier Foundation, a digital-rights advocacy group. The groups are exploring possible challenges on a number of grounds, including violation of the Constitution’s Commerce Clause and intrusion on First Amendment commercial speech protections, in addition to preemption by the CAN-SPAM Act. Ken Magill, Battlefield Utah, DIRECT, December 1, 2005, http://www.directmag. com/mag/marketing_battlefield_utah/. See also Free Speech Coalition, Coalition Complaint, available at http://www.freespeechcoalition.com/documents/UTCPRcomplaint-FINAL_000.pdf (last visited July 31, 2006).
  50. A full analysis of federal preemption issues is beyond the scope of this article.
  51. The state law preemption provision in the Act provides that in general, the Act “supercedes any [State] statue … that expressly regulates the use of electronic mail to send commercial messages …” CAN-SPAM Act, 15 U.S.C. § 7707(b)(1) (2006). Charles H. Kennedy: Utah and Michigan “Do-Not-E-mail" Programs Take Effect, http://www.mofo.com/news/updates/files/update02045.html (last visited August 6, 2006).
  52. 15 U.S.C. § 7707. As required by the CAN-SPAM Act, The Federal Trade Commission issued a recommendation on practicability of establishing a National Do Not E-mail Registry. Within this report, the FTC specifically raised concerns over any registry of children’s e-mail accounts that would be available to the public for the purpose of compliance, due to the risk of abuse by Internet users out to target children. The final FTC recommendation was in opposition of the National Do Not E-mail Registry. Id.
  53. Charles H. Kennedy: Utah and Michigan “Do-Not-E-mail" Programs Take Effect, http://www.mofo.com/news/updates/files/update02045.html (last visited August 6, 2006).
  54. e-Dialog Michigan & Utah Children’s Protection Registries, http://www.e-dialog.com/pdf/2005_06_MI_UT_ Child_Protection_RegistriesPOV.pdf (last visited January 16, 2006).
<< Top