Two states -- Michigan and Utah -- now prohibit the sending of certain kinds of email messages to destinations listed on state-maintained registries.  The new laws are directly at variance with the policy of the federal government, which so far has declined to adopt a "Do‑Not‑Email" list;  but unless and until the Michigan and Utah registries are declared to be preempted by federal law, affected businesses should obtain and comply with those states’ registries.

Federal Regulation Of Spam: The Can-Spam Act

In 2003, Congress passed the "Controlling the Assault of Non-Solicited Pornography and Marketing Act," commonly known as the CAN-SPAM Act.  The CAN-SPAM Act established a federal regime for the regulation of spam email.  The Act does not prohibit all commercial email, but prohibits certain fraudulent and misleading practices.  The Act requires senders of commercial email to label these messages accordingly and give recipients a means to "opt out" of future mailings from those senders. 

Importantly, the CAN-SPAM Act also expressly preempts state regulation of spam email.  Specifically, the CAN-SPAM Act "supersedes any statute, regulation or rule of a state or political subdivision of a state that expressly regulates the use of electronic mail to send commercial messages, except to the extent that any such statute, regulation, or rule prohibits falsity or deception in any portion of a commercial electronic mail message or information attached thereto."[1]  By preempting anti-spam restrictions not directly related to fraud or deception at the state level, the CAN-SPAM Act aims to prevent more restrictive state legislation and simplify compliance with anti-spam requirements. 

The CAN-SPAM Act also required the Federal Trade Commission ("FTC") to make a recommendation on the feasibility of establishing a National Do Not Email Registry, similar to the existing Do Not Call Registry.[2]  In June 2004, the FTC submitted a report to Congress which concluded that without a system in place to authenticate the origin of email messages, a Do Not Spam Registry would fail to decrease the burden of spam email and might even increase the amount of spam received by consumers.[3]  The report cited concerns with enforcement, privacy and security.[4]  In particular, the Commission highlighted the risk that any registry of children’s email accounts that is available to the public for the purpose of compliance could perversely be abused by the Internet’s most dangerous users to target children.[5]   The Commission thus recommended that, under present conditions, establishing a Do Not Email Registry was not advisable.[6]

The Michigan And Utah Child Registry Statutes

Despite the FTC’s recommendation, two states, Michigan and Utah, have established child protection registries that aim to prohibit spam email directed at email accounts that can be accessed by minors.  Public registration for the Michigan Registry began July 1, 2005, and sender compliance will begin August 1, 2005.  The Utah law took effect on July 15, 2005, and compliance with that law is required by August 15, 2005.

The statutes under which the two registries were created are quite similar.  Both states permit parents, guardians, schools and other institutions to register "contact points" at which minors can be reached.[7]  Contact points are not limited to email addresses, but can include instant message identities, wireless telephone numbers and facsimile numbers.[8]  Registrations in Michigan are effective for a maximum of three years, or (if the contact point is established for a specific minor) until the child turns 18.[9]  The Utah Act does not specify a time limit for registrations. 

Any individual or business that sends commercial emails pertaining to the covered content areas may potentially be liable.  Out-of-state businesses that send email messages to registered accounts in Michigan or Utah can be subject to liability in the relevant state.  Presumably, even senders who are unaware that emails are being sent to Michigan or Utah addresses can be liable.   

Both Acts prohibit sending certain kinds of messages to contact points that have appeared on the registry for more than 30 calendar days.  Specifically, the Michigan statute provides:

A person shall not send, cause to be sent, or conspire with a third party to send a message to a contact point that has been registered for more than 30 calendar days with the department if the primary purpose of the message is to, directly or indirectly, advertise or otherwise link to a message that advertises a product or service that a minor is prohibited by law from purchasing, viewing, possessing, participating in, or otherwise receiving.[10]

Similarly, the Utah Act states:

A person may not send, cause to be sent, or conspire with a third party to send a communication to a contact point or domain that has been registered for more than 30 days … if the communication: (a) advertises a product or service that a minor is prohibited by law from purchasing; or (b) contains or advertises material that is harmful to minors, as defined in section 76-10-1201 [of the Utah Code].[11]

Under the Michigan statute, covered categories of messages include, but are not necessarily limited to: alcohol, tobacco, pornography or obscene material, gambling, lotteries, illegal drugs, fireworks and firearms.[12] 

Both statutes provide that a minor’s consent to receipt of a message is not a defense to a violation.  Both statutes also include an exemption from liability for intermediaries that merely transmit messages over their networks.[13]

In both states, sending a prohibited message to a registered contact point is a computer crime subject to criminal penalties and civil suits by aggrieved parties, including registrants of contact points and (in Michigan) service providers used to transmit the messages.[14]  Michigan plaintiffs can be awarded statutory damages the lesser of $5,000 per message or $250,000 per day, plus costs and attorneys’ fees.[15]  They may also face criminal penalties of up to three years in jail and/or a $30,000 fine.[16]  In Utah, successful plaintiffs are entitled to statutory damages of $1,000 per message, plus costs and attorneys’ fees.

In order to ensure compliance with the registry statutes, senders wishing to transmit messages that fall within the prohibited categories must pay a fee and obtain access to the registries.[17]  The access mechanisms and fees are to be set by the state agencies responsible for administering the registries.  To be in compliance in Michigan, senders must run their list against the registry every 30 days for a cost of $0.007 USD per address.  Compliance tools for the Michigan statute will be available August 1, 2005, on the registry website http://www.protectmichild.com.  Compliance information for Utah can be found at https://www.UtahKidsRegistry.com/compliance.html.

Does Can-Spam Preempt State Registries?

The Michigan and Utah statutes very likely would be preempted by the CAN-SPAM Act if challenged on those grounds.  The CAN-SPAM Act "supersedes any statute, regulation or rule of a State or political subdivision of a State that expressly regulates the use of electronic mail to send commercial messages, except to the extent that any such statute, regulation, or rule prohibits falsity or deception in any part of a commercial electronic message or information attached thereto."[18]  The CAN-SPAM Act also permits states to enforce laws that are not specific to email, including those regulating tort, contract and computer fraud.  The two states’ registry laws are not aimed at falsity or deception and implement an anti-spam mechanism (the "do‑not‑email list") that the FTC expressly rejected as a means of federal enforcement.  Accordingly, a strong preemption argument could be made.

At the same time, Michigan and Utah appear to have crafted these statutes with preemption claims in mind.  Notably, by classifying violations of their statutes as "computer fraud," the states attempt to invoke a specific exception to the CAN-SPAM Act’s preemption provisions.  Also, by including fax and wireless telephone numbers, as well as email addresses, within the "contact points" categories, the states permit themselves to argue that the statutes should stand because they are not specific to email.  These are not strong arguments, but in the light of the reluctance of some courts to preempt state law, it should not be assumed that such claims will fail.[19]

What You Need To Know

The Michigan registry begins enforcing sender compliance on August 1, 2005, and the Utah registry will be enforced beginning August 15, 2005.  Given the uncertainty of the relationship between the CAN SPAM Act and the Michigan and Utah registries, it is advisable to comply with state requirements until the preemption issue is determined. 

Morrison & Foerster gratefully acknowledges the assistance of Meera Malhotra, a summer associate in the firm's New York office and a member of the Columbia University Law School Class of 2006, for her assistance in the preparation of this bulletin.