Skip to content

Update on Child Protection Registries, Privacy, and CAN-SPAM

Utah and Michigan Enact Laws Creating Child Protection Registries

Utah enacted House Bill 165 which creates a “Child Protection Registry.” The law allows a person to register email and instant message addresses and telephone and fax numbers (called “contact points”) that are accessible by minors. The law prohibits someone from sending a message to a contact point that advertises a product or service that minors are prohibited by law from purchasing, participating in, or viewing, such as pornography, tobacco, liquor and gambling. The law also prohibits sending a message to a contact point that contains or advertises material that is “harmful to minors” which is sexual material that has no artistic, literary, political or scientific value for minors. The registry is free for consumers, but would require advertisers to pay a fee to obtain copies of the registry. The law also prohibits using contact points from the registry to send solicitations. The law provides criminal penalties and civil fines of up to $1,000 per message, and individuals may file suit to enforce the law. The law will take effect July 1, 2005, if the Utah Division of Consumer Protection can assure the security of such a registry.

Michigan enacted a similar bill (SB 1025) which also takes effect July 1, 2005. Under both laws, minors cannot consent to receive prohibited material. Marketers may need to significantly restructure their marketing campaigns for products or services that can not be purchased by minors in those states.

FTC Settles with Company that Changed its Privacy Policy

The FTC announced that it has settled charges with Gateway Learning Corp. for sharing consumers’ personal information in violation of its privacy policy. Gateway’s original privacy policy stated that it would not share consumers’ personal information with third parties unless consumers provided explicit consent. The policy also stated that if Gateway changed its policy, it would give consumers a chance to opt-out of having their information shared.

The FTC alleged that in April, 2003, Gateway began renting consumers’ personal information to third parties. In June, 2003, Gateway revised its privacy policy to state that “from time to time” it did share consumers’ personal information with third parties, but Gateway failed to notify earlier consumers of the change and failed to allow them to opt-out of the information sharing. Gateway agreed to pay $4,600 to the FTC, the amount it earned from renting the consumers’ personal information, and agreed to refrain from sharing consumers’ personal information collected under the original privacy policy unless consumers expressly opted-in to such use.

This is the first FTC case against a company over material changes to its privacy policy. The FTC’s position is that the privacy policy in effect at the time personal information is collected continues to apply to that information, even if the privacy policy is later changed, and that consumers must be given notice of the change and must be given an opportunity to choose not to have their personal information shared. Companies, therefore, should keep records of the privacy policy in effect at the time when personal information is collected, should provide notice of a change in a privacy policy, and should allow consumers to choose whether or not to have a modified privacy policy apply to their earlier-collected personal information.

Massachusetts Files First State Suit under CAN-SPAM

Massachusetts Attorney General Tom Reilly announced he has filed suit against a company accused of sending thousands of unsolicited emails offering pre-approved mortgage rates to consumers in Massachusetts, in violation of state and federal law. Specifically, the AG alleges that the email messages provided an address in Massachusetts but the company did not have a physical presence there; failed to include a functioning opt-out feature; failed to clearly identify the messages as advertisements; and used a non-functioning sender address so that consumers could not reply directly to the sender. The AG is seeking civil penalties and fines and an injunction to stop future emails.

California Court Rules that State Law Can Provide Greater Financial Privacy Protection than Federal Law

On June 30, a California court ruled that the federal Fair Credit Reporting Act (“FCRA”) does not pre-empt California’s new financial privacy law that provides greater consumer protection than the federal Gramm-Leach-Bliley Act. The case had been brought by three financial trade associations who argued that the pre-emption provision in the FCRA - a federal statute that regulates credit reporting agencies and the collection and use of credit reports - applies to state privacy laws that regulate financial information in general. The court disagreed, finding that the pre-emption provision in the FCRA applies only to credit reporting information. This means that financial institutions doing business in California must comply with the notice, consent and opt-out requirements of the California Financial Information Privacy Act (also known as SB 1), which are more restrictive than those in the Gramm-Leach-Bliley Act. The California law defines financial institution very broadly and may include some retailers.


This report is a publication of Loeb & Loeb and is intended to provide information on recent legal developments. This report does not create or continue an attorney client relationship nor should it be construed as legal advice or an opinion on specific situations.

Circular 230 Disclosure: To assure compliance with Treasury Department rules governing tax practice, we inform you that any advice (including in any attachment) (1) was not written and is not intended to be used, and cannot be used, for the purpose of avoiding any federal tax penalty that may be imposed on the taxpayer, and (2) may not be used in connection with promoting, marketing or recommending to another person any transaction or matter addressed herein.