California Enacts Anti-Spyware Law

California Governor Arnold Schwarzenegger signed into law an anti-spyware bill yesterday, which aims to protect consumers from harmful software that is deceptively or surreptitiously installed on their computers.

The Consumer Protection Against Computer Spyware Act makes it illegal for anyone to install software on someone else’s computer and use it to deceptively modify settings, including a user’s home page, default search page, or bookmarks. It outlaws the collection, through intentionally deceptive means, of personally identifiable information (PII) through keystroke-logging, tracking Web site visits, or extraction of PII from a user’s hard drive.

It also bans software that cannot be uninstalled or disabled, or that makes it seem as if the software has been uninstalled or disabled when it has not, or software that blocks or disables security software, including anti-spyware and anti-virus programs. The law sets forth a private right of action whereby a consumer could seek damages of $1,000 per incident and applicable attorney’s fees.

“These programs track what web sites you visit, may steal your passwords, access your financial information, log your keystrokes, bombard you with pop-ups, track your purchases and remotely report your activity and personal information to a third party,” the bill’s author, Sen. Kevin Murray, said in a statement. “The scary part is that this is all done without the user’s knowledge or consent. You may never even know the software is there, let alone what it is doing.”

The law requires that notice be given to the consumer describing what the software does before it can be installed. For example, if a program has a feature designed to collect and transmit information about the user, the user would need to be provided with sufficient notice explaining the types of information that would be collected and the purposes for which the information would be used.

“This general notice and consent requirement could be satisfied by something as simple as an on-screen dialogue box telling the user that clicking ‘ok’ will trigger that program’s download,” Murray said.

The bill had been criticized by some privacy rights groups, who urged Governor Schwarzenegger to veto it, saying it was flawed and could spawn other laws that were equally bad. The California-based Privacy Rights Clearinghouse and World Privacy Forum Requiring said that language in the bill requiring the acts to be “intentionally deceptive” before triggering penalties sets a standard on litigation that would be too difficult to prove.

“Spyware is a devilishly difficult issue to legislate,” the groups wrote to Schwarzenegger. “Rather than enact a bill that does not adequately address the problems inherent in spyware, and rather than implement a law that is virtually unenforceable, we urge you to veto this bill.”

Spyware is often confused with adware, which is software that is available to download for free — in exchange for granting permission for the provider to deliver ads to the user. These ads are based, in part, on the user’s online Web surfing behavior.

Adware provider Claria supports the California legislation, according to D. Reed Freeman, chief privacy officer, because the confusion between spyware and adware has eroded consumer confidence and stifled the adware industry.

“I don’t think that the legislature would pass a bill they thought was difficult to enforce. We hope it has teeth, and we hope it is actively enforced,” Freeman said. “There are bad actors out there that give the adware industry a bad name and that are developing some traction in the marketplace and taking business away from companies like Claria that are setting the standard for behavior of this industry.”

Freeman said that a single national standard would be better for the industry than several state-specific laws, but noted that Claria will comply with all state laws until that happens. Of concern to Freeman is that any legislation, at the state or federal level, be neither too loose to be effective, nor too constricting to hold back the growth of the industry.

“We’re hoping to see a federal bill that strikes an appropriate balance between setting objective standards against which we can benchmark our practices, and becoming overly prescriptive in a way that would stifle innovation without providing additional benefits to consumers.”

Michael Zimbalist, president of the Online Publishers Association, believes that it’s important for any legislation to address the importance of consumer protection without having a negative impact on online advertising. While the OPA does not take a stand on the necessity of spyware legislation, it agrees that perpetrators of fraud and deception online should be held accountable.

“Nobody likes spyware. But we do worry about the effects some legislation can have on the fantastic growth this industry has been achieving over the last couple years,” Zimbalist said. “Everyone is against fraud and deception. Some of the issues that have been raised have been whether or not existing laws about fraud and deception are sufficient.”

Other industry watchers see the legislation as a necessary result of the Internet industry’s lack of action against spyware. “The industry has not done enough to differentiate good practices from bad. I think it’s unfortunate that legislators are acting more quickly and more decisively than the Internet community,” said Nick Nyhan, CEO of market research firm Dynamic Logic. “We have a duty to establish trust with consumers. Internet marketing is interactive, it’s all about dialogue with the consumer. That dialogue is poisoned when you lose the trust of the consumer.”

There are currently federal bills banning spyware working their way through both the U.S. House of Representatives and Senate. The House’s I-SPY Prevention Act was approved by the Judiciary Committee and the House Energy and Commerce Committee has already passed its own version of a spyware bill. The two bills will be reconciled between the committees before a final version is presented to the full House. The Senate bill was recently approved by the Senate Commerce Committee, and could be voted on by the full senate soon.

The state of Utah recently passed its own anti-spyware statute, which wassuccessfully challenged by adware company WhenU.

Related reading