Utah Legislature SB0230

1     CHILD PROTECTION REGISTRY AMENDMENTS
2     2019 GENERAL SESSION
3     STATE OF UTAH
4     Chief Sponsor: Todd Weiler
5     House Sponsor: Susan Pulsipher
6

7     LONG TITLE
8     General Description:
9          This bill modifies provisions relating to the Child Protection Registry.
10     Highlighted Provisions:
11          This bill:
12          ▸     defines terms;
13          ▸     requires the Internet Crimes Against Children (ICAC) unit within the Office of the
14     Attorney General to establish and operate the Child Protection Registry; and
15          ▸     makes technical changes.
16     Money Appropriated in this Bill:
17          None
18     Other Special Clauses:
19          None
20     Utah Code Sections Affected:
21     AMENDS:
22          13-39-102, as last amended by Laws of Utah 2006, Chapter 336
23          13-39-201, as last amended by Laws of Utah 2009, Chapter 183
24          13-39-202, as last amended by Laws of Utah 2006, Chapter 336
25          13-39-203, as last amended by Laws of Utah 2008, Chapter 382
26          13-39-301, as enacted by Laws of Utah 2004, Chapter 338
27          13-39-303, as enacted by Laws of Utah 2004, Chapter 338

28 13-39-304, as enacted by Laws of Utah 2004, Chapter 338
29

30     Be it enacted by the Legislature of the state of Utah:
31          Section 1. Section 13-39-102 is amended to read:
32          13-39-102. Definitions.
33          As used in this chapter:
34          (1) "Attorney general" means the same as that term is defined in Section 77-42-102.
35          [~~(1)~~] (2) "Contact point" means an electronic identification to which a communication
36     may be sent, including:
37          (a) an email address; [or]
38          [~~(b) subject to Subsection 13-39-201(2):~~]
39          [~~(i)~~] (b) an instant message identity, subject to rules made by the [~~division~~] unit under
40     Subsection 13-39-203(1);
41          [~~(ii)~~] (c) a mobile or other telephone number;
42          [~~(iii)~~] (d) a facsimile number; or
43          [~~(iv)~~] (e) an electronic address:
44          [~~(A)~~] (i) similar to a contact point listed in this Subsection [~~(1)~~] (2); and
45          [~~(B)~~] (ii) defined as a contact point by rule made by the [~~division~~] unit under
46     Subsection 13-39-203(1).
47          [~~(2) "Division" means the Division of Consumer Protection in the Department of~~
48     ~~Commerce.~~]
49          (3) "Registry" means the child protection registry established in Section 13-39-201.
50          (4) "Unit" means the Internet Crimes Against Children unit within the Office of the
51     Attorney General created in Section 67-5-21.
52          Section 2. Section 13-39-201 is amended to read:
53          13-39-201. Establishment of child protection registry.
54          (1) The [~~division~~] unit shall:
55          (a) establish and operate a child protection registry to compile and secure a list of
56     contact points the [~~division~~] unit has received pursuant to this section; or
57          (b) contract with a third party to establish and secure the registry described in
58     Subsection (1)(a).

59          [~~(2) (a) The division shall implement the registry described in this section with respect~~
60     ~~to email addresses beginning on July 1, 2005.~~]
61          [~~(b) The division shall implement the registry described in this section with respect to~~
62     ~~instant message identities.~~]
63          [~~(c) The division shall implement the registry described in this section with respect to~~
64     ~~mobile or other telephone numbers.~~]
65          [~~(3)~~] (2) (a) A person may register a contact point with the [~~division~~] unit pursuant to
66     rules established by the [~~division~~] unit under Subsection 13-39-203(1) if:
67          (i) the contact point belongs to a minor;
68          (ii) a minor has access to the contact point; or
69          (iii) the contact point is used in a household in which a minor is present.
70          (b) A school or other institution that primarily serves minors may register its domain
71     name with the [~~division~~] unit pursuant to rules made by the [~~division~~] unit under Subsection
72     13-39-203(1).
73          (c) The [~~division~~] unit shall provide a disclosure in a confirmation message sent to a
74     person who registers a contact point under this section that reads: "No solution is completely
75     secure. The most effective way to protect children on the Internet is to supervise use and
76     review all email messages and other correspondence. Under law, theft of a contact point from
77     the Child Protection Registry is a second degree felony. While every attempt will be made to
78     secure the Child Protection Registry, registrants and their guardians should be aware that their
79     contact points may be at a greater risk of being misappropriated by marketers who choose to
80     disobey the law."
81          [~~(4)~~] (3) A person desiring to send a communication described in Subsection
82     13-39-202(1) to a contact point or domain shall:
83          (a) use a mechanism established by rule made by the [~~division~~] unit under Subsection
84     13-39-203(2); and
85          (b) pay a fee for use of the mechanism described in Subsection [~~(4)~~] (3)(a) determined
86     by the [~~division~~] unit in accordance with Section 63J-1-504.
87          [~~(5)~~] (4) The [~~division~~] unit may implement a program to offer discounted compliance
88     fees to senders who meet enhanced security conditions established and verified by the division,
89     the third party registry provider, or a designee.

90          [~~(6)~~] (5) The contents of the registry, and any complaint filed about a sender who
91     violates this chapter, are not subject to public disclosure under Title 63G, Chapter 2,
92     Government Records Access and Management Act.
93          [~~(7)~~] (6) The state shall promote the registry on the state's official Internet website.
94          Section 3. Section 13-39-202 is amended to read:
95          13-39-202. Prohibition of sending certain materials to a registered contact point
96     -- Exception for consent.
97          (1) A person may not send, cause to be sent, or conspire with a third party to send a
98     communication to a contact point or domain that has been registered for more than 30 calendar
99     days with the [~~division~~] unit under Section 13-39-201 if the communication:
100          (a) has the primary purpose of advertising or promoting a product or service that a
101     minor is prohibited by law from purchasing; or
102          (b) contains or has the primary purpose of advertising or promoting material that is
103     harmful to minors, as defined in Section 76-10-1201.
104          (2) Except as provided in Subsection (4), consent of a minor is not a defense to a
105     violation of this section.
106          (3) An Internet service provider does not violate this section for solely transmitting a
107     message across the network of the Internet service provider.
108          (4) (a) Notwithstanding Subsection (1), a person may send a communication to a
109     contact point if, before sending the communication, the person sending the communication
110     receives consent from an adult who controls the contact point.
111          (b) Any person who proposes to send a communication under Subsection (4)(a) shall:
112          (i) verify the age of the adult who controls the contact point by inspecting the adult's
113     government-issued identification card in a face-to-face transaction;
114          (ii) obtain a written record indicating the adult's consent that is signed by the adult;
115          (iii) include in each communication:
116          (A) a notice that the adult may rescind the consent; and
117          (B) information that allows the adult to opt out of receiving future communications;
118     and
119          (iv) notify the [~~division~~] unit that the person intends to send communications under this
120     Subsection (4).

121          (c) The [~~division~~] unit shall implement rules to verify that a person providing
122     notification under Subsection (4)(b)(iv) complies with this Subsection (4).
123          Section 4. Section 13-39-203 is amended to read:
124          13-39-203. Rulemaking authority.
125          In accordance with Title 63G, Chapter 3, Utah Administrative Rulemaking Act, the
126     [~~division~~] unit shall make rules to establish procedures under which:
127          (1) (a) a person may register a contact point with the [~~division~~] unit under Section
128     13-39-201, including:
129          (i) the information necessary to register an instant message identity; and
130          (ii) for purposes of Subsection 13-39-102[~~(1)~~](2)(b)(iv), an electronic address that is
131     similar to a contact point listed in Subsection 13-39-102[~~(1)~~](2); and
132          (b) a school or other institution that primarily serves minors may register its domain
133     name with the [~~division~~] unit under Section 13-39-201;
134          (2) the [~~division~~] unit shall:
135          (a) provide a mechanism under which a person described in Subsection
136     13-39-201[~~(4)~~](3) may verify compliance with the registry to remove registered contact points
137     from the person's communications; and
138          (b) establish the mechanism described in Subsection (2)(a) in a manner that protects
139     the privacy and security of a contact point registered with the [~~division~~] unit under Section
140     13-39-201; and
141          (3) the [~~division~~] unit may:
142          (a) implement a program offering discounted fees to a sender who meets enhanced
143     security conditions established and verified by the [~~division~~] unit, the third party registry
144     provider, or a designee; and
145          (b) allow the third party registry provider to assist in any public or industry awareness
146     campaign promoting the registry.
147          Section 5. Section 13-39-301 is amended to read:
148          13-39-301. Criminal penalty.
149          (1) A person who violates Section 13-39-202 commits a computer crime and is guilty
150     of a:
151          (a) [~~is guilty of a~~] class B misdemeanor for a first offense with respect to a contact

152     point registered with the [~~division~~] unit under Subsection 13-39-201[~~(3)~~](2)(a); and
153          (b) [~~is guilty of a~~] class A misdemeanor:
154          (i) for each subsequent violation with respect to a contact point registered with the
155     [~~division~~] unit under Subsection 13-39-201[~~(3)~~](2)(a); or
156          (ii) for each violation with respect to a domain name registered with the [~~division~~] unit
157     under Subsection 13-39-201[~~(3)~~](2)(b).
158          (2) A person commits a computer crime and is guilty of a second degree felony if the
159     person:
160          (a) uses information obtained from the [~~division~~] unit under this chapter to violate
161     Section 13-39-202;
162          (b) improperly:
163          (i) obtains contact points from the registry; or
164          (ii) attempts to obtain contact points from the registry; or
165          (c) uses, or transfers to a third party to use, information from the registry to send a
166     solicitation.
167          (3) A criminal conviction or penalty under this section does not relieve a person from
168     civil liability in an action under Section 13-39-302.
169          (4) Each communication sent in violation of Section 13-39-202 is a separate offense
170     under this section.
171          Section 6. Section 13-39-303 is amended to read:
172          13-39-303. Administrative enforcement.
173          (1) The [~~division shall~~] attorney general:
174          (a) shall investigate violations of this chapter; and
175          [~~(b) assess cease and desist orders and administrative fines under this section for~~
176     ~~violations of this chapter.~~]
177          (b) may bring an action against a person who violates this chapter.
178          (2) A person who violates this chapter is subject to:
179          (a) a cease and desist order or other injunctive relief; and
180          (b) [~~an administrative~~] a fine of not more than $2,500 for each separate communication
181     sent in violation of Section 13-39-202.
182          (3) (a) A person who intentionally violates this chapter is subject to [~~an administrative~~]

183     a fine of not more than $5,000 for each communication intentionally sent in violation of
184     Section 13-39-202.
185          (b) For purposes of this section, a person intentionally violates this chapter if the
186     violation occurs after the [~~division,~~] attorney general[,] or a district or county attorney notifies
187     the person by certified mail that the person is in violation of this chapter.
188          [~~(4) All administrative fines collected under this section shall be deposited in the~~
189     ~~Consumer Protection Education and Training Fund created in Section 13-2-8.~~]
190          Section 7. Section 13-39-304 is amended to read:
191          13-39-304. Defenses.
192          It is a defense to an action brought under this chapter that a person:
193          (1) reasonably relied on the mechanism established by the [~~division~~] unit under
194     Subsection 13-39-203(2); and
195          (2) took reasonable measures to comply with this chapter.