(1) Except as otherwise provided under this section, a person shall not send, cause to be sent, or conspire with a third party to send a message to a contact point that has been registered for more than 30 calendar days with the department if the primary purpose of the message is to, directly or indirectly, advertise or otherwise link to a message that advertises a product or service that a minor is prohibited by law from purchasing, viewing, possessing, participating in, or otherwise receiving.

  (2) A person desiring to send a message described in subsection (1) shall use the mechanism created under section 3(6) to ensure compliance with this act.

  (3) The consent of a minor or third party to receive the message is not a defense to a violation of this section.

  (4) A person does not violate this act because the person is an intermediary between the sender and recipient in the transmission of an electronic message that violates this act or unknowingly provides transmission of electronic messages over the person’s computer network or facilities that violate this act.

  (5) The sending of a message described in subsection (1) is prohibited only if it is otherwise a crime for the minor to purchase, view, possess, participate in, or otherwise receive the product or service.

  (6) The sending of a message described in subsection (1) is not prohibited if prior to sending the message the sender has obtained from an age-verified adult an affirmative statement of consent to receive the message at an adult designated contact point. To comply with this subsection, the sender shall do all of the following:

  (a) Verify that the person making the affirmative statement is of legal age by inspecting in a face-to-face transaction a valid government-issued photo identification with proof of age.

  (b) Obtain a written record stating that the recipient has consented to receive the type of messages described in subsection (1). The consent form required under this subdivision shall be signed by the recipient. The sender shall retain the consent form required under this subdivision and make it available for verification as may be required under subdivision (d).

  (c) All messages allowed under this subsection shall include notice to the recipient that he or she may rescind their consent and provide an opportunity for the recipient to opt out of receiving any future messages.

  (d) Notify the department that the sender intends to send messages as allowed under this subsection. The department may implement procedures to verify that the sender is in compliance with this subsection.

  (7) Within 90 days of the effective date of the amendatory act that added this subsection, the department, or the vendor providing registry services for the department, shall conduct a third-party audit to certify the security of the registry. Follow-up third-party security audits on the registry systems shall be conducted at least annually. If the third-party security audit determines that the registry does not meet or exceed the industry standard for high security systems, then the registry shall be suspended until the security systems are determined to meet this standard.