1 Bender on Privacy and Data Protection § 23.10 (2020)
It is unlawful willfully to copy onto a consumer’s computer software that: through intentional deception modifies the website that normally appears, the ISP, or bookmarks; deceptively collects personal information that meets certain criteria; deceptively prevents a user’s efforts to block or disable software by re-installing software that was disabled by the user; and other conduct of that general type. It is also unlawful willfully to copy software onto a consumer’s computer and thereby take control of that computer, modify certain security settings, or block an authorized user’s efforts to block installation of or disable software.
In September 2004 California enacted[1] anti-spyware legislation (S.B. 1436), effective January 1, 2005.[2] The statute, the Consumer Protection Against Computer Spyware Act, is a rather detailed and complex one. Although it uses the term “spyware” twice, it does not define it. The statute sets forth an aggregation of discrete prohibitions. Businesses professed to favor the law.[3] Some consumer groups (including the Privacy Rights Clearinghouse and the World Privacy Forum) were unhappy with it.[4] In particular, consumer groups favored legislation that would require notice and consent (as was required in the original bill that resulted in the law), so that each user would have the right to reject the software.
Section 22947.2 of the Business and Professions Code makes it unlawful for a person[5] who is not an authorized user, with actual knowledge, with conscious avoidance of actual knowledge, or willfully, to cause software to be copied onto the computer of a consumer,[6] and to use that software for any of five proscribed acts:
- Modification, through intentionally deceptive[7] means, of any of the following three Internet-related settings of the authorized user: the page that normally appears when the computer accesses the Internet; the default Internet access provider; or the bookmarks;
- Collection, through intentionally deceptive means, of personally identifiable information[8] that meets any of three criteria: where a keystroke-logging function is used and the information is transferred to another person; where the identities of the websites visited (other than those of the software provider) are collected, if the software was installed in such a manner as to conceal its installation from authorized users; or where the information is a financial account number, a password for a financial account, or a social security number;
- The unauthorized prevention, through intentionally deceptive means, of a user’s reasonable efforts to block or disable software, by re-installing without authorization software that the authorized user has disabled;
- The intentional and knowing misrepresentation that software will be disabled by an authorized user’s action; or
- The disabling, through intentionally deceptive means, of security, antispyware,[9] or antivirus software.[10]
Further, under section 22947.3 it is unlawful for a person who is not an authorized user, with actual knowledge or conscious avoidance thereof, or willfully, to cause software to be copied onto the computer of a consumer, and to use that software to engage in any of the following three categories of conduct:
- To take control of a consumer’s computer by:
  - the unauthorized transmission or relay of commercial e-mail or a virus from the consumer’s computer;
  - accessing the consumer’s modem or Internet service to cause damage[11] to the consumer’s computer, or to cause an authorized user to incur charges for an unauthorized service;
  - using the consumer’s computer as part of a group activity designed to damage another computer (including denial of service); or
  - opening multiple, sequential, stand-alone unauthorized ads in the consumer’s browser with knowledge that a reasonable user could not close them without turning off the computer or closing the browser;
- Modification of security settings that protect information about the authorized user in order to steal his or her personal information; or modification of the computer’s security settings, to damage one or more computers; or
- The unauthorized prevention of an authorized user’s reasonable efforts to block installation or disable software by either giving that user an option to block installation with knowledge that, if the user accepts, installation will nevertheless proceed, or falsely representing that the software is disabled.
Section 22947.3(d) of the statute carves out an exception for a vendor to monitor or interact with a person’s network service or a protected computer for purposes of security, diagnostics, tech support, updates, or prevention of fraud. And under section 22947.4(a) a person who is not an authorized user is prohibited from inducing a consumer to install software on his or her computer by intentionally misrepresenting that installation is necessary for privacy or security or to handle a particular type of content, or deceptively using software on the computer with intent to cause the user to violate the statute. Section 22947.4(b) carves out an exception similar to that found in section 22947.3(d). Section 22947.5 preempts city, county, municipality and local laws regarding spyware and “notices to consumers from computer software providers regarding information collection.”
Footnotes — § 23.10:
1 Utah was the first state to enact anti-spyware legislation.
3 Even Claria Corp (formerly known as Gator), which has been sued several times for allegedly infiltrating spyware onto the computers of unsuspecting users, supported the bill.
4 However, other groups, such as the California Alliance for Consumer Protection, supported the final form of the bill on the theory that half a loaf is better than none.
5 A “person” is “any individual, partnership, corporation, limited liability company, or other organization, or any combination thereof.” Section 22947.1(j).
6 A “consumer” is an individual who resides in California and uses the computer primarily for personal, family, or household purposes. Section 22947.1(e).
7 Section 22947.1(h) defines “intentionally deceptive” in three alternative ways: by an intentionally and materially false statement; by a statement that intentionally omits or misrepresents material information to deceive; or by an intentional and material failure to provide notice to an authorized user regarding the installation of software so as to deceive the consumer.
8 This statute (section 22947.1(k)) defines personally identifiable information as any of the following: first name or first initial in combination with last name; credit or debit card, or other financial account number; a financial account password; a social security number, or any of the following “in a form that personally identifies an authorized user”: account balance, overdraft history, payment history, history of websites visited, home address, work address, or a record of a purchase or purchases.
9 Interestingly, this use of the term “antispyware,” and the use of the term “spyware” in the pre-emption section (section 22947.5), are the only uses of the term “spyware” in this statute. The term is not defined in the statute.
10 Section 22947.1(d) defines a “computer virus” as “a computer program or other set of instructions that is designed to degrade the performance of or disable a computer or computer network and is designed to have the ability to replicate itself on other computers or computer networks without the authorization of the owners of those computers or computer networks.”
11 Section 22947.1(f) defines “damage” as “any significant impairment of the integrity or availability of data, software, a system, or information.”