Utah's Newest Anti-Spam Law: The Child Protection Registry
by Gregory M. Saylin & Leanne N. Webster
The Utah legislature is again attempting to curb certain email advertising. Effective August 15, 2005, email marketers, arguably those throughout the country and around the world,1 must comply with the Child Protection Registry law, U.C.A. ¤ 13-39-101, et seq. (ÒCPRÓ). Unlike UtahÕs previous legislative effort to battle spam (the Unsolicited Commercial Email Act), the CPR is aimed only at emails to minors, solicited or not, that promote the sale of goods or services that minors cannot legally purchase. While many presume the scope of the act addresses only pornography, it actually is much broader, including solicitations for alcohol, tobacco, and gambling. Emails advertising such products and services must not be sent to the email addresses contained in the registry. Violators may face both civil and criminal penalties. If the new law can pass constitutional muster (a significant hurdle), the CPR is worthy of notice by email marketers everywhere.
THE CHILD PROTECTION REGISTRY
The CPR creates a state registry wherein institutions, parents and guardians can register minors' emails addresses and other "contact points" (electronic identification belonging to a minor or to which a minor has access, such as email addresses, instant message identifiers, telephone numbers, and fax numbers). U.C.A. ¤ 13-39-102(1). A contact point may also be the entire domain of a school or other institution serving minors. Id.; U.C.A. ¤ 13-39-201(3). Registration is a quick process available over the internet at https://www.utahkidsregistry.com/. The Registry is maintained by the Division of Consumer Protection. Thirty days after the contact point is registered, marketers are prohibited from sending certain types of information to these contact points. U.C.A. ¤ 13-39-202(1). Accordingly, marketers must scan their email address databases every 30 days to be compliant. To access the Registry, one must subscribe through the Division of Consumer Protection at https://www.registry compliance.com/apply.html. The cost is $0.005 per contact point checked against the Registry.
The scope of the CPR is much broader than emails that advertise pornography. While "harmful to minors" as defined in ¤ 76-10-1201 mostly covers "nudity, sexual conduct, sexual excitement, or sadomasochistic abuse," the Division of Consumer Protection has issued a policy statement stating the law also prohibits the advertisement to minors of: "an alcoholic beverage or product, any form of tobacco, pornographic materials, and any product or service that is illegal in Utah . . . such as illegal drugs, prostitution, and gambling." See Francine A. Giani, Utah Division of Consumer Protection, Policy Statement Concerning Utah Code Ann. ¤ 13-39-202(1) (July 8, 2005).2
There is strict liability for sending prohibited emails to those on the list. Unlike other unsolicited email legislation around the country, the CPR expressly omits the defense of consent. U.C.A. ¤ 13-39-202(2). In other words, even where a minor may give his or her email address for the purpose of obtaining the emails in question, the marketer still is arguably prohibited from sending the emails. While untested, this provision provides would-be plaintiffs with a possible way to select and entrap marketing companies (and their clients whose business is the subject of the advertisements) that are not aware of the law or have failed to comply. Challenges to the provision are likely.
Unlike the more well-known federal CAN-SPAM Act, the CPR allows for suits by private litigants. Users of registered email addresses, their parents or guardians, or an institution with a registered domain may bring suit under ¤ 13-39-302 for the greater of actual damages or $1,000 per violation (basically, per email or communication). Id. Attorneys' fees are also available to the prevailing party. Id. The CPR also has criminal teeth and government enforcement mechanisms. Violators are generally subject to misdemeanor liability for offenses, and possible felony prosecution for misusing the registry for obtaining email addresses for marketing. U.C.A. ¤ 13-39-301.
IS THE CPR CONSTITUTIONAL?
The CAN-SPAM ACT
The CPR likely faces significant challenges as plaintiffs and the government seek to enforce it. The first question is likely whether the CPR is preempted by the federal CAN-SPAM Act. The CAN-SPAM Act, enacted by Congress in 2003, took effect on January 1, 2004. PL 108-187 (S.877); 117 Stat. 2699 (2003). The Act regulates the transmission of unsolicited commercial and pornographic emails in attempts to protect consumers from misleading or fraudulent advertisements and to allow consumers to choose not to receive such emails. 117 Stat. 2699, ¤ 2(b). The Act prohibits the initiation of false or misleading content or sender information, and requires that commercial emails contain conspicuous identification that the messages are advertisements, and that the recipient may decline receiving any further emails. Id.
The CAN-SPAM Act expressly supersedes any state statute regulating commercial emails. Id. at ¤ 8(b).3 The CPR arguably regulates commercial emails and is, thus, superceded by the Act, which does not allow for a private right of action for its violation, but instead allows only a state attorney general or internet service provider to bring a civil action for such violation. 117 Stat. 2699 at ¤ 7(f)(1).
The Commerce Clause
Another likely challenge is whether the CPR violates the Commerce Clause, which provides that "Congress shall have power . . . [t]o regulate commerce . . . among the several states . . . ." U.S. Const., art. I, ¤ 8, cl. 3. However, "this affirmative grant of authority to Congress also encompasses an implicit or 'dormant' limitation on the authority of the States to enact legislation affecting interstate commerce." Healy v. The Beer Institute, 491 U.S. 324, 326 (1989). As such, the "dormant commerce clause" prohibits some state regulation "even absent congressional action." CTS Corp. v. Dynamics Corp. of America, 481 U.S. 69, 87 (1987).
The Supreme Court has presented two lines of analysis for determining dormant commerce clause violations. "[F]irst, whether the ordinance discriminates against interstate commerce . . . ; and second, whether the ordinance imposes a burden on interstate commerce that is 'clearly excessive in relation to the putative local benefits,' . . . ." C & A Carbone, Inc. v. Town of Clarkstown, 511 U.S. 383, 390 (1994) (citations omitted). Success under either prong will result in a finding that the statute is unconstitutional.
The First Amendment
Although commercial speech is not entitled to the full protection of the First Amendment, the Supreme Court continues to recognize that "the free flow of commercial information is indispensable" to our society. Thompson v. Western States Medical Center, 535 U.S. 357, 122 S. Ct. 1497, 1504 (2002). As such, restrictions on commercial speech are subject to the challenging Central Hudson test. Central Hudson Gas & Elec. Corp. v. Public Serv. Comm'n of N.Y., 447 U.S. 557 (1980). To receive constitutional protection under the Central Hudson test, the regulated conduct must be "neither misleading nor related to unlawful activity." Id. at 566. If the commercial speech is protected, the governmental interest in regulation must be substantial, and the regulation must directly advance the governmental interest and not be more extensive than is necessary to serve that interest. Id. Failure to satisfy any one prong of the test invalidates the statute. Central Hudson, 447 U.S. at 564. The battle as to whether the First Amendment is applicable will likely turn on whether the CPR is regulating conduct "related to unlawful activity," since the statute itself does not specifically address misleading advertising.
COMPARISONS TO THE UNSOLICTED EMAIL ACT
It is natural to compare the CPR to Utah's ill-fated Unsolicited Commercial Email Act, U.C.A. ¤ 13-36-101 et. seq. (repealed, 2004)("Email Act"). From its effective date in 2002, the Act created a virtual playground for plaintiffs' counsel who brought hundreds and hundreds of class action lawsuits against companies based all over the country and throughout the world. In almost every case, these actions were based on the receipt of one email that was alleged to have been unsolicited. Eventually, plaintiffs dropped the class allegations and sought only the $10 statutory penalty and attorneysÕ fees. While the majority of these matters have settled, a significant number continue to be litigated. The CAN-SPAM Act has been found to have superceded the Email Act. Amyx v. Verizon Wireless, LLC, No. 040400090, Slip Op. (Utah Third Dist Ct, Sandy Dept, Mar. 31, 2004). Accordingly, new lawsuits cannot be filed thereunder.
It awaits to be seen whether the CPR will generate considerable litigation as did the Email Act. With the penalty set at $1,000 per violation, in addition to attorneys' fees, it may prove to be an attractive vehicle for plaintiffs - particularly since "consent" is not available as a defense.
1. Whether responsibility for an email sent to a Utah addressee is sufficient "minimum contacts" to allow for the exercise of personal jurisdiction by Utah courts is a question presently before the Utah Supreme Court. Fenn v. Mleads, 109 P.3d 804 (Utah Mar 17, 2005); 512 Utah Adv. Rep. 37, 2004 UT App 412 (Utah App. Nov 12, 2004)
2. The Policy Statement can be found at http://dcp.utah.gov/PolicyStatement.pdf
3. Section 8(b) of the Can Spam Act reads in relevant part: "This Act supersedes any statute, regulation, or rule of a State . . . that expressly regulates the use of electronic mail to send commercial messages, except to the extent that any such statute, regulation, or rule prohibits falsity or deception . . . ."