

Consumer Protection Against Spyware Act, Cal. Bus. & Prof. Code §§ 22947 et seq.


The Act prohibits software that secretly steals personal information, sends viruses, or takes control of a computer system as part of a denial-of-service attack. Notably, the law never defines the term “spyware.” Instead, it sets forth a list of prohibited acts, including:

(a) Modify, through intentionally deceptive means, any of the following settings related to the computer’s access to, or use of, the Internet:
(1) The page that appears when an authorized user launches an Internet browser or similar software program used to access and navigate the Internet.
(2) The default provider or Web proxy the authorized user uses to access or search the Internet.
(3) The authorized user’s list of bookmarks used to access Web pages.

(b) Collect, through intentionally deceptive means, personally identifiable information that meets any of the following criteria:

(1) It is collected through the use of a keystroke-logging function that records all keystrokes made by an authorized user who uses the computer and transfers that information from the computer to another person.
(2) It includes all or substantially all of the Web sites visited by an authorized user, other than Web sites of the provider of the software, if the computer software was installed in a manner designed to conceal from all authorized users of the computer the fact that the software is being installed.
(3) It is a data element described in paragraph (2), (3), or (4) of subdivision (k) of Section 22947.1, or in subparagraph (A) or (B) of paragraph (5) of subdivision (k) of Section 22947.1, that is extracted from the consumer’s computer hard drive for a purpose wholly unrelated to any of the purposes of the software or service described to an authorized user.

(c) Prevent, without the authorization of an authorized user, through intentionally deceptive means, an authorized user’s reasonable efforts to block the installation of, or to disable, software, by causing software that the authorized user has properly removed or disabled to automatically reinstall or reactivate on the computer without the authorization of an authorized user.

(d) Intentionally misrepresent that software will be uninstalled or disabled by an authorized user’s action, with knowledge that the software will not be so uninstalled or disabled.

(e) Through intentionally deceptive means, remove, disable, or render inoperative security, antispyware, or antivirus software installed on the computer.

While the enumerated acts include what would generally be classed as spyware activity, the law is much broader than that and also covers conduct that would not generally be classed as spyware.

A debatable issue is whether this law actually brings anything new to the fight against spyware. As noted by one commentator:

These are surely bad actions. But they’re all prohibited under existing law – fraud, unfair trade practice, computer fraud and abuse act, etc. * * * In contrast, [the Act] fails to speak to the truly controversial activities – many of them arguably “borderline” -- that have actually been used by major players in the spyware space, whose installed user counts now reach into the tens of millions.[1]