R105-4. Child Protection Registry

  Pursuant to Utah Code Section 13-39-203, these rules (R105-4) are intended to establish the procedures under which:

  (1) A person may register a contact point with the registry; and

  (2) A marketer may verify compliance with the registry.

  As used in these rules (105-4):

  (1) "Attorney General is as defined in Utah Code Section 77-42-102.

  (2) "Contact point" is as defined in Utah Code Section 13-39-102.

  (3) "Marketer" means a person described in Utah Code Section 13-39-201(4).

  (4) "Provider" means the third party with whom the Unit has contracted, pursuant to Utah Code Section 13-39-201(1)(b), to establish and secure the registry.

  (5) "Registry" is as defined in Utah Code Section 13-39-102.

  (6) "Unit" is as defined in Utah Code Section 13-39-102.

  (1) A person desiring to register a contact point with the registry shall provide the following information to the provider:

  (a) The contact point the person desires to register;

  (b) An affirmation that:

  (i) the contact point belongs to a minor;

  (ii) a minor has access to the contact point; or

  (iii) the contact point is used in a household in which a minor is present;

  (c) an affirmation that the minor referenced in R105-4-3(1)(b) is a Utah resident; and

  (d) an affirmation that the person registering the contact point is:

  (i) the minor referenced in R105-4-3(1)(b); or

  (ii) a parent or guardian of the minor referenced in R105-4-3(1)(b).

  (2) A contact point may not become a part of the registry until the provider sends a message to the contact point informing the user of the contact point:

  (a) the contact point has been registered; and

  (b) the process for removing the contact point from the registry.

  (3) A school or institution desiring to register a domain name shall provide verification to the provider that:

  (a) the school or institution primarily serves minors; and

  (b) the school or institution owns the domain name being registered.

  A marketer desiring to verify compliance with the registry shall provide the following information to the provider before the provider compares the marketer's contact point list against the registry:

  (1) the name, address, and telephone number of the marketer;

  (2) the specific legal nature and corporate status of the marketer;

  (3) the name, address, and telephone number of a natural person who consents to service of process for the marketer; and

  (4) an affirmation that the person described in R105-4-4(3) understands that improper use of information obtained from the registry is a second degree felony.

  (1) After a marketer has complied with R105-4-4 and paid the fee established by the Unit under Section 13-39-201(4)(b), the marketer may check the marketer's contact point list with the provider according to the privacy and security measures implemented by the provider.

  (2) After a marketer has complied with R105-4-5(1) and paid the fee established by the Unit under Section 13-39-201(4)(b), the provider shall, according to the privacy and security measures implemented by the provider, remove from the marketer's list of contact points any contact points that are contained on the registry.

  (3)(a) A marketer who desires to utilize the provisions of Subsection 13-39-202(4) shall:

  (i) provide the Unit with a detailed description of the methods the marketer intends to use to verify compliance with Subsection 13-39-202(4); and

  (ii) agree to provide to the Unit, at any time upon request by the Unit, copies of all documentation relating to the marketer's compliance with Subsection 13-39-202(4).

  (b) Within thirty calendar days after a marketer complies with R105-4-5(3)(a), the Unit shall inform the marketer in writing whether the Unit considers the marketer's methods sufficient to verify compliance with Subsection 13-39-202(4).

  (c)(i) Approval of a verification method for compliance with Subsection 13-39-202(4) does not prevent the Unit from investigating further whether the approved verification method actually guarantees compliance with Subsection 13-39-202(4).

  (ii) The Unit may revoke an approval granted pursuant to R105-4-5(3) upon a finding that the verification method does not adequately guarantee compliance with Subsection 13-39-202(4).

  (1) In order for senders to qualify for the discounted fee schedule established pursuant to Subsection 13-39-203(3)(a), a sender must agree to be subject to enhanced security criteria for each subsequent list that they may submit to the state's compliance mechanism. To meet these criteria, senders must affirmatively agree that their scrubbing tasks may be stopped if a particular task deviates from a statistically normal baseline.

  (2) The statistical baseline used for comparison will be based on the senders' past histories as well as the totality of the histories of senders that have used the compliance mechanism to scrub their lists.

  (3) To restart a task and retrieve the results, senders whose tasks have been stopped must confirm that they in fact initiated the task and that the list submitted is not an attempt to abuse the registry mechanism. Depending on the amount of the deviation from the baseline, this confirmation may come from a telephone call to a pre-established phone number, completing information online, or sending an e-mail to a customer support representative.

  (4) The Unit, or its appointed representative, shall have discretion in allowing the retrieval of tasks if the confirmation does not resolve the security concerns.