States Act on Data Security, Spamming Children

Most states have considered some type of data-security or identity-theft legislation this year. As most state legislatures adjourned for the year this summer, 17 states have passed security-breach notification bills. Most of them will not affect Kids in the Know members, but a few contain provisions that have a minor impact. Michigan and Utah have enacted new laws creating e-mail registries to stop children from receiving adult-oriented messages.

New Children's Opt-out Email Registries in Utah and Michigan

Although advertised as anti-porn spam measures geared toward protecting children from adult-oriented messages, new laws in Utah and Michigan will have a broader impact, raising costs and threatening heavy fines on some marketers. Both states this summer created e-mail registries in which parents could register their child’s email addresses and birthdays, along with instant message addresses, cell phone and pager numbers, to shield their kids from spam of products or services that minors are prohibited from purchasing or seeing.

Essentially, these are “do-not-spam” lists of children. While the covered adult-oriented email topics vary slightly between the two states, they are primarily focused on prohibitions against drinking, smoking, pornography, and gambling. Marketers of those products would be required to scrub their lists monthly of those addresses on the registry, and they face heavy fines if a message gets to a child.

Only marketers who are sending “prohibited” email would need to use the registry, but all children’s marketers need to be careful. If, for example, an email message contains a link to a Web site that has prohibited material – such as a beer or tobacco ad – the mailer would be guilty of a felony, facing a fine of up to $5,000 per message, if the e-mail went to a child on the state registry. The mailer would still be liable even if the child or parent requested information.

Many observers note that these laws will most likely do little to reduce inappropriate spam with the most objectionable adult content, but could raise costs for legitimate marketers. They could also inadvertently and indirectly cause legal problems for children’s marketers.

The Michigan and Utah laws went into effect on July 1.

New Security-Breach Notification Laws

With the year-long focus on database security and identity theft, numerous states have now passed security breach notification laws. Those that are similar to California’s 2003 law, applying only to sensitive personal information, include Arkansas, Connecticut, Delaware, Florida, Georgia, Illinois, Indiana, Louisiana, Maine, Minnesota, Montana, Rhode Island, Tennessee, Texas, and Washington.

In some cases, additional provisions were added.

• Nevada now prohibits companies from requiring a person to include their social security number on any document that will be recorded, filed or submitted to a government agency, which includes public colleges and universities.

• A new North Dakota law, as we reported earlier this summer, applies notification and security requirements to nearly all information.

Other State Updates

Among other state actions (or inactions) of note:

• The New York legislature did not act on a proposal to create a “do-not-mail/e-mail” registry, but the measure is expected to be resurrected next year.

• Washington, as previously reported, passed legislation requiring institutions of higher education to develop official credit card marketing policies. Among other things, the policies must include limitations on the times and locations of credit card marketing and a requirement for credit card marketers to inform students about good credit management practices through programs developed in concert with the college or university.

• New Jersey considered, but did not pass, similar legislation.