Spyware - California Legislation

California Legislation
Overview Critiques

Overview

On September 28, 2004, California Governor Arnold Schwarzenegger signed Senate Bill No. 1436, the "Consumer Protection Against Computer Spyware Act" ("CPACSA"). It is the first regulation of spyware in California and one of the first such anti-spyware laws in the country.
It had been amended nine times by the Senate and the Assembly before passing. The act went into effect on January 1, 2005. It does not prohibit spyware, but just requires notification to the consumer before spyware is installed.
This bill prohibits an unauthorized person from knowingly installing or providing software that performs certain function on or to another user's computer located in California. The prohibited software functions are:
- Taking control of the computer
- Modifying certain settings on the computer
- Collecting personally identifiable information
- Preventing a user's reasonable efforts to block its installation or disable it
- Misrepresenting that it will be uninstalled or disabled by a user's action
- Removing or rendering inoperative security, anti-spyware or anti-virus software on the computer.
It also requires companies and websites to disclose whether their systems will install spyware. Consumers are able to seek up to $1,000 in damages if they think they have fallen victim to the intrusive software.

Critics of the law argue that it does not go far enough and it does not prohibit spyware, but just requires notification to the consumer before spyware is installed.
The Act does not address deceptive installation tactics used by spyware. It could have clarified the standards for notice and consent. It could have addressed confusing lengthy licenses, and licenses shown only after supposed consent.
The first draft of the Act did attempt to establish disclosure requirements, even including minimum font sizes. However, after being revised by the online advertising lobby they bill no longer covers deceptive installation tactics. Therefore, there is still a question as to whether certain methods used by the spyware are in violation of the Act.
The bill also says that in order to trigger penalties, there must be an intent to deceive on the part of the companies installing the spyware. However, terms such as "intent to deceive," "intentionally deceptive," and "intentionally misleading" are too difficult to prove.
Some critics of the act fear that such righteous activities as protecting children from pornography, violent and racist content, digital rights management, fraud prevention and authenticating users could be seen as violations.