Here Come the Registries Again

If The Federal Trade Commission says a national do-not-e-mail registry is unworkable and poses a major security threat to consumers using it, it stands to reason that state e-mail registries would be unworkable security threats, too, right?

Not according to lawmakers in Michigan and Utah. Utah's so-called child-protection registry went live Aug. 15. Michigan's was held up because of pricing issues at press time, but may very well be up now. Both allow the registration of e-mail addresses and other “contact points” — like cell phone numbers — used by minors. And they require that marketers who sell products which are illegal for minors to buy, such as alcohol, tobacco and gambling services, scrub their lists of the names on the registries monthly.

Utah's registry costs companies $5 per 1,000 addresses checked. Michigan's was supposed to run $7 per 1,000, but the law says the state can't charge that much — it limits the price to 3 cents per contact or 30 cents per 1,000. Michigan officials were huddling at press time to figure a way around this problem and did not return multiple calls.

But Utah's law alone will cost $60,000 a year to keep a list of 1 million addresses clean. With the going rate to get e-mail delivered reportedly running well south of $5 per 1,000 addresses, it will more than double the cost of affected outbound blasts.

And while these registries shouldn't trouble most law-abiding firms, e-mailers are collectively holding their breath in fear that the two states may open the floodgates for a slew of crushing new local and state do-not-e-mail registries — floodgates they naively believed the Can Spam Act of 2003 and the FTC had forever nailed shut.

The Can Spam Act notes that it supersedes any state or local law which “expressly regulates” commercial e-mail. Moreover, the FTC last year issued a report to Congress claiming, among other things, that a national do-not-e-mail registry “would suffer from a significant security weakness that would enable spammers to treat the registry as a national do-spam registry, causing more spam.”

But Michigan and Utah's lawmakers clearly are convinced they can run do-not-e-mail registries of children's e-mail addresses securely without violating national law. Utah legislators acted because they believe that “the Can Spam Act does not speak specifically to the issue of minors,” said Francine Giani, Director of the Utah division of Consumer Protection, the agency enforcing the state's law.

Chip House, vice president for privacy and deliverability at Indianapolis e-mail software company ExactTarget, was incredulous. “It's shocking to me that states would enact such a law after such a thorough review by the FTC and after such a specific warning about the technology,” he said. “What if a pedophile gets hold of the list?”

However, Matthew Prince, chief executive of Unspam LLC, the Park City, UT company managing the registries, said that concerns about people hacking into his system and taking the lists are “illusionary.” He added: “We don't actually store the plain-text e-mail addresses.”

The two registries are the result of laws that went into effect in July. Violators face fines of $5,000 per message or up to $250,000 per day in Michigan, and $1,000 per message in Utah.

In an effort to allay some marketers' fears, the Utah Department of Commerce published a policy statement saying that while the law prohibits sending e-mails for products and services that always are illegal for minors to purchase — i.e., alcohol, tobacco, pornography, illicit drugs, prostitution and gambling — it does not cover ads containing information about products and services that are legal under certain circumstances, such as prescription drugs or body piercing.

However, this clarification offered little comfort to marketers since both laws allow individuals to sue. “Since parents in Utah and Michigan can bring suit against a company, who knows what they'll sue for?” said ExactTarget's House.

Meanwhile, though most legal professionals who have studied the issue believe the two registries could be successfully challenged, no one wants to make the first move.

“Who wants to step up and say ‘We're against a method or a means to protect children?’” said Al DiGuido, chief executive of e-mail service provider Bigfoot Interactive. “No one is against the protection of children from being assaulted with messages that are fraudulent, pornographic or inappropriate. It's whether this idea is one that's going to prevent that from happening. We don't think so.”