State Spyware Legislation
Benjamin Edelman - Spyware Research, Legislation, and Suits

This page indexes and summarizes proposed state anti-spyware legislation. See also federal anti-spyware legislation.

 
 

Related Projects

180solutions & Affiliate Commissions

Advertisers Using WhenU

WhenU Violates Own Privacy Policy

Documentation of Gator Advertisements and Targeting

"Spyware": Research, Testing, Legislation, Suits

Other Research by Ben Edelman

The summaries below are based on my initial reading of the respective bills. The bills are lengthy and complex, and my summaries are necessarily brief. Readers should perform their own analysis in assessing the bills' effects. Please feel free to submit suggestions for addition, clarification, or other improvement.

State, bill name, number, sponsors, status

Summary

Enforcement

Alaska - Spyware and Unsolicited Internet Advertising - S.B.140

Sen. Therriault
Status: Passed, October 2005.

Prohibits certain pop-up ads displayed by spyware, including popups displayed in response to a specific web address or trademark, unless with consent of the site or mark owner. No liability for any anti-spyware product that removes such software.

Private right of action under existing unfair business practices statute.

Arizona - Computer Spyware - H.B.2414

Reps. Patton, Huffman, Bee, and Martin

Status: Passed, April 2005.

Prohibits transmitting and using, through intentionally deceptive means, computer software that changes certain settings (home page, connection provider, proxy, bookmarks), collects personally identifiable information, prevents a user's efforts to block installation, falsely claims that software will be disabled by the user's actions, removes or disables security software, or takes control of the computer (by accruing dial-up charges, or by opening a series of advertisements that can only be stopped by turning off the computer).

Prohibits inducing a user to install software by intentionally misrepresenting that installing software is necessary for security or privacy, or to open or play content.

Core prohibitions are substantially similar among bills from Alabama, Arkansas, Arizona, Delaware, Hawaii, Illinois, Iowa, Kansas, Maryland, Massachusetts, Missouri, Nebraska, New Hampshire, New York, Texas, Vermont Virginia, and Washington. In my analysis, the provisions in these eighteen bills are also all substantially similar to California's 2004 S.B.1436. See my analysis and critique of that bill.

Enforcement by attorney general for actual damages, liquidated damages, and fees.

Arkansas - Improper Use of Computer Spyware - H.B.2904

Rep. Evans

Status: Passed, April 2005.

Prohibits transmitting and using, through intentionally deceptive means, computer software that changes certain settings (home page, connection provider, proxy, bookmarks), collects personally identifiable information, prevents a user's efforts to block installation, falsely claims that software will be disabled by the user's actions, removes or disables security software, or takes control of the computer (by accruing dial-up charges, or by opening a series of advertisements that can only be stopped by turning off the computer).

Prohibits inducing a user to install software by intentionally misrepresenting that installing software is necessary for security or privacy, or to open or play content.

Core prohibitions are substantially similar among bills from Alabama, Arkansas, Arizona, Delaware, Hawaii, Illinois, Iowa, Kansas, Maryland, Massachusetts, Missouri, Nebraska, New Hampshire, New York, Texas, Vermont Virginia, and Washington. In my analysis, the provisions in these eighteen bills are also all substantially similar to California's 2004 S.B.1436. See my analysis and critique of that bill.

Adds additional prohibitions on interference with uninstallation, such as falsely reprsenting that software has been disabled, requiring completion of a survey, or requiring downloading a separate removal program.

See also H.B.2261 and 2344 (appropriations to Attorney General and Department of Information Systems for monitoring)

Enforcement under Deceptive Trade Practices Act. Fines to fund enforcement costs as well as a Spyware Monitoring Fund.

California - Computer Spyware - S.B.1436

Sen. Kevin Murray (w/ Assembly Members Correa and Leslie)

Status: Passed, September 2004.

According to the California Office of Privacy Protection, "This bill would prohibit a person from knowingly installing a providing spyware, as defined, on or to another user's computer located in California. It would authorize the recipient of such spyware to bring an action for actual damages and for liquidated damages of $1000 per transmission, subject to reduction by a court for specified reasons, plus attorney's fees and costs to a prevailing plaintiff." (reference)

Prohibits numerous specific stated practices, such as removing or disabling security or antivirus software, when such practices are intentionally deceptive and when they are conducted willfully or with actual knowledge.

My analysis and critique.

No reference to any enforcement provisions.

Georgia - Computer Security Act - S.B.127

Sen. Staton

Status: Passed, April 2005

Prohibits transmitting and using, through intentionally deceptive means, computer software that changes certain settings (home page, connection provider, proxy, bookmarks), collects personally identifiable information, prevents a user's efforts to block installation, falsely claims that software will be disabled by the user's actions, removes or disables security software, or takes control of the computer (by accruing dial-up charges, or by opening a series of advertisements that can only be stopped by turning off the computer).

Prohibits inducing a user to install software by intentionally misrepresenting that installing software is necessary for security or privacy, or to open or play content.

Core prohibitions are substantially similar among bills from Alabama, Arkansas, Arizona, Delaware, Hawaii, Illinois, Iowa, Kansas, Maryland, Massachusetts, Missouri, Nebraska, New Hampshire, New York, Texas, Vermont Virginia, and Washington. In my analysis, the provisions in these eighteen bills are also all substantially similar to California's 2004 S.B.1436. See my analysis and critique of that bill.

Private right of action for harmed consumers, seeking actual damages or liquidated damages, plus attorneys fees.

Indiana - Computer Issues - S.B.49

Status: Passed, May 2005.

Prohibits intentionally deceptive modifications of certain computer settings (home page, search engine, proxy, bookmarks), intentionally deceptive collection of personally identifying information, intentionally deceptive means of blocking installation of software. Prohibits certain intentionally deceptive inducements to install software.

Adversely affected parties (including targeted web sites) may bring civil actions seeking the greater of actual damages or $100,000 per violation.

Iowa - Deceptive or Unauthorized Computer Software - H.F.614

Status: Passed, April 2005.

Prohibits transmitting and using, through intentionally deceptive means, computer software that changes certain settings (home page, connection provider, proxy, bookmarks), collects personally identifiable information, prevents a user's efforts to block installation, falsely claims that software will be disabled by the user's actions, removes or disables security software, or takes control of the computer (by accruing dial-up charges, or by opening a series of advertisements that can only be stopped by turning off the computer).

Prohibits inducing a user to install software by intentionally misrepresenting that installing software is necessary for security or privacy, or to open or play content.

Core prohibitions are substantially similar among bills from Alabama, Arkansas, Arizona, Delaware, Hawaii, Illinois, Iowa, Kansas, Maryland, Massachusetts, Missouri, Nebraska, New Hampshire, New York, Texas, Vermont Virginia, and Washington. In my analysis, the provisions in these eighteen bills are also all substantially similar to California's 2004 S.B.1436. See my analysis and critique of that bill.

See also S.F.465, withdrawn, March 30, 2005.

Criminal penalties.

Initial draft had provided for actual damages, liquidated damages, and attorney's fees.

New Hampshire - Regulating the Use of Computer Spyware - H.B.47

Rep. Maxfield

Status: Passed, July 2005.

Prohibits transmitting and using, through intentionally deceptive means, computer software that changes certain settings (home page, connection provider, proxy, bookmarks), collects personally identifiable information, prevents a user's efforts to block installation, falsely claims that software will be disabled by the user's actions, removes or disables security software, or takes control of the computer (by accruing dial-up charges, or by opening a series of advertisements that can only be stopped by turning off the computer).

Prohibits inducing a user to install software by intentionally misrepresenting that installing software is necessary for security or privacy, or to open or play content.

Core prohibitions are substantially similar among bills from Alabama, Arkansas, Arizona, Delaware, Hawaii, Illinois, Iowa, Kansas, Maryland, Massachusetts, Missouri, Nebraska, New Hampshire, New York, Texas, Vermont Virginia, and Washington. In my analysis, the provisions in these eighteen bills are also all substantially similar to California's 2004 S.B.1436. See my analysis and critique of that bill.

Enforcement by private parties under business protection statute.

Texas - Consumer Protection Against Computer Spyware Act - S.B.327

Sen. Zaffirini

Status: Passed, June 2005.

Prohibits transmitting and using, through intentionally deceptive means, computer software that changes certain settings (home page, connection provider, proxy, bookmarks), collects personally identifiable information, prevents a user's efforts to block installation, falsely claims that software will be disabled by the user's actions, removes or disables security software, or takes control of the computer (by accruing dial-up charges, or by opening a series of advertisements that can only be stopped by turning off the computer).

Prohibits inducing a user to install software by intentionally misrepresenting that installing software is necessary for security or privacy, or to open or play content.

Core prohibitions are substantially similar among bills from Alabama, Arkansas, Arizona, Delaware, Hawaii, Illinois, Iowa, Kansas, Maryland, Massachusetts, Missouri, Nebraska, New Hampshire, New York, Texas, Vermont Virginia, and Washington. In my analysis, the provisions in these eighteen bills are also all substantially similar to California's 2004 S.B.1436. See my analysis and critique of that bill.

Adds additional prohibitions against randomized or intentioally deceptive filenames or folders.

Enforcement by attorney general, with civil penalties.

Utah - Spyware Control Act, 2005 Revisions - H.B.104

Rep. Urquhart
Status: Passed, March 2005.

Prohibits certain pop-up ads displayed by spyware, including popups displayed in response to a specific web address or trademark, unless with consent of the site or mark owner, or unless a fair or permissible use. No liability under any Utah law for any anti-spyware product that identifies, removes, or blocks installation of such software.

Private right of action to companies targeted by the pop-up ads at issue.

Utah - Spyware Control Act - H.B.323

Rep. Urquhart

Status: Passed, March 2004. Enjoined, June 22, 2004.

Spyware Control Act - reformatted, indented

A Close Reading of Utah's Spyware Control Act - FAQ-style analysis of the bill, a prominent letter of opposition, and related media coverage.

Letter of Opposition (PDF) from AOL, Amazon, the Association for Competitive Technology, AT&T, the American Electronics Association, the Business Software Alliance, c|net, the Computer & Communication Industry association, eBay, Google, the Information Technology Association of America, the Internet Commerce Coalition, Intraware, MCI, Microsoft, NetCoalition, Novell, Orbitz, the Software & Information Industry Association, Verizon, and Yahoo!

WhenU.com, Inc., v. The State of Utah - Case Documents - Suit filed by a company subject to the Act, seeking that the act be declared void and invalid.

Challenged by WhenU in WhenU v. The State of Utah. Preliminary injunction granted, enjoining enforcement of the bill, June 22, 2004.

Private right of action by targeted web sites.

Consumer complaints to Division of Consumer Protection in the Department of Commerce.

Virginia - Computer Crimes Act - H.B.2215

Del. Albo

Status: Passed, April 2005.

Prohibits disabling computer programs or networks, causing computer malfunctions, or altering or erasing data, when performed with malicious intent.

Criminal penalties.

Washington - H.B.1012

Status: Passed, May 2005.

Prohibits transmitting and using, through intentionally deceptive means, computer software that changes certain settings (home page, connection provider, proxy, bookmarks), collects personally identifiable information, prevents a user's efforts to block installation, falsely claims that software will be disabled by the user's actions, removes or disables security software, or takes control of the computer (by accruing dial-up charges, or by opening a series of advertisements that can only be stopped by turning off the computer).

Prohibits inducing a user to install software by intentionally misrepresenting that installing software is necessary for security or privacy, or to open or play content.

Core prohibitions are substantially similar among bills from Alabama, Arkansas, Arizona, Delaware, Hawaii, Illinois, Iowa, Kansas, Maryland, Massachusetts, Missouri, Nebraska, New Hampshire, New York, Texas, Vermont Virginia, and Washington. In my analysis, the provisions in these eighteen bills are also all substantially similar to California's 2004 S.B.1436. See my analysis and critique of that bill.

Enforcement under existing consumer protection and unfair competition statutes.

Washington - H.B.2879

Status: Passed, March 2008.

Closes loopholes in H.B. 1012. Creates liability for web hosting services that ignore violators' use of their products. Add violations for new forms of spyware. Clarifies the standards for proof of violations (e.g. replacing "intentionally deceptive" requirements with "deceptive"), and clarifies the circumstances under which actions may be brought.

 
2005-2006 legislation not passed

Alabama - Consumer Protection Against Spyware Act - S.B.122

Senator Ross

Status: Introduced February 1, 2005.

Prohibits transmitting and using, through intentionally deceptive means, computer software that changes certain settings (home page, connection provider, proxy, bookmarks), collects personally identifiable information, prevents a user's efforts to block installation, falsely claims that software will be disabled by the user's actions, removes or disables security software, or takes control of the computer (by accruing dial-up charges, or by opening a series of advertisements that can only be stopped by turning off the computer).

Prohibits inducing a user to install software by intentionally misrepresenting that installing software is necessary for security or privacy, or to open or play content.

Core prohibitions are substantially similar among bills from Alabama, Arkansas, Arizona, Delaware, Hawaii, Illinois, Iowa, Kansas, Maryland, Massachusetts, Missouri, Nebraska, New Hampshire, New York, Texas, Vermont Virginia, and Washington. In my analysis, the provisions in these eighteen bills are also all substantially similar to California's 2004 S.B.1436. See my analysis and critique of that bill.

Criminal penalties

California - Internet Security - S.B.355

Sen. Kevin Murray

Status: Reintroduced as S.B.1740, February 24, 2006.

States Legislature's intent to enact legislation to improve security of the Internet.

n/a

California - Computer Spyware - A.B.1958

Assembly Member Leslie

Status: Introduced, February 6, 2006.

Revises the provisions previously enacted as S.B.1436, making "nonsubstantive, technical, and conforming changes."

No reference to any enforcement provisions.

California - Computer Spyware - S.B.92

Sen. Kevin Murray

Status: Passed Senate, May 23, 2005.

Establishes enforcement provisions for the 2004 S.B.1436.

Authorizes recipients of spyware (as defined in the 2004 S.B.1436) to recover liquidated damages of $1,000 per violation, plus reasonable attorneys fees.

Private right of action for harmed consumers.

Delaware - Spyware Protection Act- S.B.124

Sen. McBride

Status: Introduced, May 12, 2005.

Prohibits transmitting and using, through intentionally deceptive means, computer software that changes certain settings (home page, connection provider, proxy, bookmarks), collects personally identifiable information, prevents a user's efforts to block installation, falsely claims that software will be disabled by the user's actions, removes or disables security software, or takes control of the computer (by accruing dial-up charges, or by opening a series of advertisements that can only be stopped by turning off the computer).

Prohibits inducing a user to install software by intentionally misrepresenting that installing software is necessary for security or privacy, or to open or play content.

Core prohibitions are substantially similar among bills from Alabama, Arkansas, Arizona, Delaware, Hawaii, Illinois, Iowa, Kansas, Maryland, Massachusetts, Missouri, Nebraska, New Hampshire, New York, Texas, Vermont Virginia, and Washington. In my analysis, the provisions in these eighteen bills are also all substantially similar to California's 2004 S.B.1436. See my analysis and critique of that bill.

Enforcement by attorney general.

Florida - Computer Fraud - S.B.2162

Sen. Posey

Status: Introduced, 2005.

Prohibits certain phishing practices. Via language based on H.R.29, prohibits certain software practices; requires certain on-screen notice (including specific language specified in the bill, or other language "substantially similar") before installation of certain software. See my critique of H.R.29.

Civil remedies via existing deceptive and unfair trade practice statutes. Civil remedies for harmed users and web sites, including statutory damages and recovery of attorney's fees.

Hawaii - Unauthorized Control of a Computer - S.B.2256

Status: Passed House, March 7, 2006

Prohibits transmitting and using, through intentionally deceptive means, computer software that changes certain settings (home page, connection provider, proxy, bookmarks), collects personally identifiable information, prevents a user's efforts to block installation, falsely claims that software will be disabled by the user's actions, removes or disables security software, or takes control of the computer (by accruing dial-up charges, or by opening a series of advertisements that can only be stopped by turning off the computer).

Prohibits inducing a user to install software by intentionally misrepresenting that installing software is necessary for security or privacy, or to open or play content.

Core prohibitions are substantially similar among bills from Alabama, Arkansas, Arizona, Delaware, Hawaii, Illinois, Iowa, Kansas, Maryland, Massachusetts, Missouri, Nebraska, New Hampshire, New York, Texas, Vermont Virginia, and Washington. In my analysis, the provisions in these eighteen bills are also all substantially similar to California's 2004 S.B.1436. See my analysis and critique of that bill.

Private right of action for harmed consumers, seeking actual damages or liquidated damages. Further jurisdiction to state attorney general.

Hawaii - Unlawful Distribution of Spyware or Adware - S.B.2019

Status: Introduced, 2006.

Creates criminal offenses for certain intentionally deceptive information collection, configuraiton modification, and misrepresentations.

Fines and restitution. Up to ten year prison sentence.

Hawaii - Consumer Protection; Spyware - S.B.2869

Status: Introduced, 2006.

Prohibits transmitting and using, through intentionally deceptive means, computer software that changes certain settings (home page, connection provider, proxy, bookmarks), collects personally identifiable information, prevents a user's efforts to block installation, falsely claims that software will be disabled by the user's actions, removes or disables security software, or takes control of the computer (by accruing dial-up charges, or by opening a series of advertisements that can only be stopped by turning off the computer).

Prohibits inducing a user to install software by intentionally misrepresenting that installing software is necessary for security or privacy, or to open or play content.

Core prohibitions are substantially similar among bills from Alabama, Arkansas, Arizona, Delaware, Hawaii, Illinois, Iowa, Kansas, Maryland, Massachusetts, Missouri, Nebraska, New Hampshire, New York, Texas, Vermont Virginia, and Washington. In my analysis, the provisions in these eighteen bills are also all substantially similar to California's 2004 S.B.1436. See my analysis and critique of that bill.

Private right of action for $5,000 or up to three times actual damages. Further jurisdiction to state attorney general and county prosecuting attorneys.

Illinois - Spyware Prevention Initiative Act - H.B.0380

Rep. Fritchey

Status: Passed House, February 8, 2005.

Prohibits transmitting and using, through intentionally deceptive means, computer software that changes certain settings (home page, connection provider, proxy, bookmarks), collects personally identifiable information, prevents a user's efforts to block installation, falsely claims that software will be disabled by the user's actions, removes or disables security software, or takes control of the computer (by accruing dial-up charges, or by opening a series of advertisements that can only be stopped by turning off the computer).

Prohibits inducing a user to install software by intentionally misrepresenting that installing software is necessary for security or privacy, or to open or play content.

Core prohibitions are substantially similar among bills from Alabama, Arkansas, Arizona, Delaware, Hawaii, Illinois, Iowa, Kansas, Maryland, Massachusetts, Missouri, Nebraska, New Hampshire, New York, Texas, Vermont Virginia, and Washington. In my analysis, the provisions in these eighteen bills are also all substantially similar to California's 2004 S.B.1436. See my analysis and critique of that bill.

Criminal penalties.

Illinois - Consumer Protection Against Computer Spyware Act - S.B.3036

Sen. Syverson

Status: Passed Senate, February 28, 2006.

Prohibits transmitting and using, through intentionally deceptive means, computer software that changes certain settings (home page, connection provider, proxy, bookmarks), collects personally identifiable information, prevents a user's efforts to block installation, falsely claims that software will be disabled by the user's actions, removes or disables security software, or takes control of the computer (by accruing dial-up charges, or by opening a series of advertisements that can only be stopped by turning off the computer).

Prohibits inducing a user to install software by intentionally misrepresenting that installing software is necessary for security or privacy, or to open or play content.

Core prohibitions are substantially similar among bills from Alabama, Arkansas, Arizona, Delaware, Hawaii, Illinois, Iowa, Kansas, Maryland, Massachusetts, Missouri, Nebraska, New Hampshire, New York, Texas, Vermont Virginia, and Washington. In my analysis, the provisions in these eighteen bills are also all substantially similar to California's 2004 S.B.1436. See my analysis and critique of that bill.

Private right of action to ISPs and web site operators. Damages up to three times actual damages, or statutory damages up to $100,000 per violation. Further jurisdiction to state attorney general.

Indiana - Computer Spyware - H.B.1714

Rep. Moses

Status: Introduced, January 19, 2005.

Prohibits installation of spyware except where satisfying certain requirements for notice (plain language, example advertisements, display frequency), consent, and uninstallation.

Adversely affected parties (including targeted web sites) may bring civil actions seeking the greater of actual damages or $10,000 per violation.

Attorney general to establish complaint procedure.

Kansas - Computer Protection Against Spyware Act - H.B.2343

Rep. Holland

Status: Introduced, February 8, 2005.

Prohibits transmitting and using, through intentionally deceptive means, computer software that changes certain settings (home page, connection provider, proxy, bookmarks), collects personally identifiable information, prevents a user's efforts to block installation, falsely claims that software will be disabled by the user's actions, removes or disables security software, or takes control of the computer (by accruing dial-up charges, or by opening a series of advertisements that can only be stopped by turning off the computer).

Prohibits inducing a user to install software by intentionally misrepresenting that installing software is necessary for security or privacy, or to open or play content.

Core prohibitions are substantially similar among bills from Alabama, Arkansas, Arizona, Delaware, Hawaii, Illinois, Iowa, Kansas, Maryland, Massachusetts, Missouri, Nebraska, New Hampshire, New York, Texas, Vermont Virginia, and Washington. In my analysis, the provisions in these eighteen bills are also all substantially similar to California's 2004 S.B.1436. See my analysis and critique of that bill.

Criminal penalties.

Maryland - Maryland Computer User Protection Act - H.B.594

Rep. Moe

Status: Introduced, February 2, 2006.

Prohibits transmitting and using, through intentionally deceptive means, computer software that changes certain settings (home page, connection provider, proxy, bookmarks), collects personally identifiable information, prevents a user's efforts to block installation, falsely claims that software will be disabled by the user's actions, removes or disables security software, or takes control of the computer (by accruing dial-up charges, or by opening a series of advertisements that can only be stopped by turning off the computer).

Prohibits inducing a user to install software by intentionally misrepresenting that installing software is necessary for security or privacy, or to open or play content.

Core prohibitions are substantially similar among bills from Alabama, Arkansas, Arizona, Delaware, Hawaii, Illinois, Iowa, Kansas, Maryland, Massachusetts, Missouri, Nebraska, New Hampshire, New York, Texas, Vermont Virginia, and Washington. In my analysis, the provisions in these eighteen bills are also all substantially similar to California's 2004 S.B.1436. See my analysis and critique of that bill.

Violations are unfair or deceptive trade practices. Harmed users also have standing to file suit.

Liquidated damages & attorneys fees.

Maryland - Unauthorized Consumer Software Act - S.B.492, S.B.801, H.B.945, H.B.780, S.B.180

Status: S.B.180 - Introduced January 2006.

Prohibits transmitting and using, through intentionally deceptive means, computer software that changes certain settings (home page, connection provider, proxy, bookmarks), collects personally identifiable information, prevents a user's efforts to block installation, falsely claims that software will be disabled by the user's actions, removes or disables security software, or takes control of the computer (by accruing dial-up charges, or by opening a series of advertisements that can only be stopped by turning off the computer).

Prohibits inducing a user to install software by intentionally misrepresenting that installing software is necessary for security or privacy, or to open or play content.

Core prohibitions are substantially similar among bills from Alabama, Arkansas, Arizona, Delaware, Hawaii, Illinois, Iowa, Kansas, Maryland, Massachusetts, Missouri, Nebraska, New Hampshire, New York, Texas, Vermont Virginia, and Washington. In my analysis, the provisions in these eighteen bills are also all substantially similar to California's 2004 S.B.1436. See my analysis and critique of that bill.

Injured computer users may bring actions to recover actual or statutory damages, as well as attorney's fees.

Massachusetts - Prohibiting Spyware - S.273

Status: Introduced, 2005.

Prohibits installation of software that monitors usage, sends information about usage to a remote computer or displays ads based on usage (with certain exemptions), and does not obtain consent to a license meeting certain requirements (plain language, notice of informatio to be transmitted, example advertisements, frequency, distinguishing characteristics).

Enforcement by harmed web site operators. Remedies include injunction, actual damages, statutory damages, and attorney's fees.

Massachusetts - Spyware Control Act - S.286

Status: Introduced, 2005.

Prohibits installing spyware (defined as software monitoring usage and sending such usage or showing ads in response), except with explicit consent and uninstall directions. Prohibits using a context-based triggering mechanism to display an advertisement that covers or obscures a web site, except with explicit consent and uninstall directions.

Fines for violation.

Massachusetts - Consumer Protection Against Spyware Act - H.B.1444

Status: Introduced, 2005.

Prohibits transmitting and using, through intentionally deceptive means, computer software that changes certain settings (home page, connection provider, proxy, bookmarks), collects personally identifiable information, prevents a user's efforts to block installation, falsely claims that software will be disabled by the user's actions, removes or disables security software, or takes control of the computer (by accruing dial-up charges, or by opening a series of advertisements that can only be stopped by turning off the computer).

Prohibits inducing a user to install software by intentionally misrepresenting that installing software is necessary for security or privacy, or to open or play content.

Core prohibitions are substantially similar among bills from Alabama, Arkansas, Arizona, Delaware, Hawaii, Illinois, Iowa, Kansas, Maryland, Massachusetts, Missouri, Nebraska, New Hampshire, New York, Texas, Vermont Virginia, and Washington. In my analysis, the provisions in these eighteen bills are also all substantially similar to California's 2004 S.B.1436. See my analysis and critique of that bill.

Fines for violation.

Michigan - Spyware Control Act - S.B.151

Sen. Brown

Status: Passed Senate, March 9, 2005.

Prohibits installation of software that sends protected information or displays advertisements, except after an installation meeting specified notice and consent requirements. Requirements include a license presented in full and written in plain language, notice of specific information to be transmitted, full-size example advertisements, and disclosures of ad frequency.

Private right of action by harmed users, web sites, and advertisers. Statutory damages.

Michigan - S.B.54

Sen. Brown

Status: Passed Senate, March 9, 2005.

Establishes installation requirements including provision of name, telephone number, or web address of software provider; statement of intent to install; statement of effect; statement of specific information to be collected; opportunity to decline and to decline further contacts attempting installation. Installations may not exceed authorization granted.

Criminal penalties.

Michigan - S.B.53

Sen. Brown

Status:Passed Senate, March 9, 2005.

Establishes criminal penalties for unlawful accesses to computer systems.

Criminal penalties.

Missouri - Consumer Protetion Against Spyware Act - H.B.902

Status:Passed Senate, March 9, 2005.

Prohibits transmitting and using, through intentionally deceptive means, computer software that changes certain settings (home page, connection provider, proxy, bookmarks), collects personally identifiable information, prevents a user's efforts to block installation, falsely claims that software will be disabled by the user's actions, removes or disables security software, or takes control of the computer (by accruing dial-up charges, or by opening a series of advertisements that can only be stopped by turning off the computer).

Prohibits inducing a user to install software by intentionally misrepresenting that installing software is necessary for security or privacy, or to open or play content.

Core prohibitions are substantially similar among bills from Alabama, Arkansas, Arizona, Delaware, Hawaii, Illinois, Iowa, Kansas, Maryland, Massachusetts, Missouri, Nebraska, New Hampshire, New York, Texas, Vermont Virginia, and Washington. In my analysis, the provisions in these eighteen bills are also all substantially similar to California's 2004 S.B.1436. See my analysis and critique of that bill.

 

Nebraska - Consumer Protection Against Computer Spyware Act - L.B.316

Sen. Howard

Introduced, January 11, 2005.

Prohibits transmitting and using, through intentionally deceptive means, computer software that changes certain settings (home page, connection provider, proxy, bookmarks), collects personally identifiable information, prevents a user's efforts to block installation, falsely claims that software will be disabled by the user's actions, removes or disables security software, or takes control of the computer (by accruing dial-up charges, or by opening a series of advertisements that can only be stopped by turning off the computer).

Prohibits inducing a user to install software by intentionally misrepresenting that installing software is necessary for security or privacy, or to open or play content.

Core prohibitions are substantially similar among bills from Alabama, Arkansas, Arizona, Delaware, Hawaii, Illinois, Iowa, Kansas, Maryland, Massachusetts, Missouri, Nebraska, New Hampshire, New York, Texas, Vermont Virginia, and Washington. In my analysis, the provisions in these eighteen bills are also all substantially similar to California's 2004 S.B.1436. See my analysis and critique of that bill.

Criminal penalties.

New York - Unlawful Use of Spyware and Malware - A.00549

Assemblymember Towns

Status: Introduced, January 13, 2005.

Prohibits transmitting and using, through intentionally deceptive means, computer software that changes certain settings (home page, connection provider, proxy, bookmarks), collects personally identifiable information, prevents a user's efforts to block installation, falsely claims that software will be disabled by the user's actions, removes or disables security software, or takes control of the computer (by accruing dial-up charges, or by opening a series of advertisements that can only be stopped by turning off the computer).

Prohibits inducing a user to install software by intentionally misrepresenting that installing software is necessary for security or privacy, or to open or play content.

Core prohibitions are substantially similar among bills from Alabama, Arkansas, Arizona, Delaware, Hawaii, Illinois, Iowa, Kansas, Maryland, Massachusetts, Missouri, Nebraska, New Hampshire, New York, Texas, Vermont Virginia, and Washington. In my analysis, the provisions in these eighteen bills are also all substantially similar to California's 2004 S.B.1436. See my analysis and critique of that bill.

Criminal penalties.

New York - Unlawful Dissemination of Spyware - S.00186 - also A.02682

Sen. Balboni

Status: Introduced, January 10, 2005.

Prohibits installation of programs that gather and transmit personal information or data over users' Internet connections without users' knowledge or specific authorization.

 

Oregon - Spyware - H.B.2302

Status: Introduced, 2005.

Prohibits installation of spyware except with informed consent after disclosure of information to be collected and transmitted, representative advertisements, and advertisement frequency. Prohibits passing off goods or services as those of another, or causing likelihood of confusion or misunderstanding as to source or approval of goods or services.

Enforcement by attorney general.

Pennsylvania - Misuse of Adware or Spyware - H.B.574
Rep. Lescovitz

Status: Introduced, February 16, 2005.

Prohibits certain email practices.

Requires statement of type of adware or spyware being downloaded; description of specific types of information tracked and to whom transmitted; description of types of advertisements to be generated. Requires inclusion of uninstallation instructions. Prohibits advertising in adware distributed in violation of this statute.

Criminal penalties.

Rhode Island - Software Fraud- H.B.6211
Rep. Kennedy, Lewis, Kilmartin, Costantino, and Fox

Status: Introduced, March 10, 2005.

Prohibits transmitting and using, through intentionally deceptive means, computer software that changes certain settings (home page, connection provider, proxy, bookmarks), collects personally identifiable information, prevents a user's efforts to block installation, falsely claims that software will be disabled by the user's actions, removes or disables security software, or takes control of the computer (by accruing dial-up charges, or by opening a series of advertisements that can only be stopped by turning off the computer).

Prohibits inducing a user to install software by intentionally misrepresenting that installing software is necessary for security or privacy, or to open or play content.

Core prohibitions are substantially similar among bills from Alabama, Arkansas, Arizona, Delaware, Hawaii, Illinois, Iowa, Kansas, Maryland, Massachusetts, Missouri, Nebraska, New Hampshire, New York, Texas, Vermont Virginia, and Washington. In my analysis, the provisions in these eighteen bills are also all substantially similar to California's 2004 S.B.1436. See my analysis and critique of that bill.

Civil action by injured persons for statutory damages or actual damages..

Tennessee - Internet Spyware Control Act - H.B.1742 and S.B.2069

Status: Introduced, 2005.

Prohibits spyware programs, defined as programs that 1) monitor computer usage (as defined), 2) send such information to a remote computer or display advertisements in response to such usage (if ads do not identify full legal name of provider; or if ads use a trademark or web site as a trigger), and 3) are installed without certain notice, consent, and removal provisions.

Language largely based on Utah's H.B.323.

Private right of action by harmed web site operators. Statutory damages.

Texas - Consumer Protection Against Computer Spyware Act - H.B.1351

Rep. Pena

Status: Introduced, February 21, 2005.

Prohibits transmitting and using, through intentionally deceptive means, computer software that changes certain settings (home page, connection provider, proxy, bookmarks), collects personally identifiable information, prevents a user's efforts to block installation, falsely claims that software will be disabled by the user's actions, removes or disables security software, or takes control of the computer (by accruing dial-up charges, or by opening a series of advertisements that can only be stopped by turning off the computer).

Prohibits inducing a user to install software by intentionally misrepresenting that installing software is necessary for security or privacy, or to open or play content.

Core prohibitions are substantially similar among bills from Alabama, Arkansas, Arizona, Delaware, Hawaii, Illinois, Iowa, Kansas, Maryland, Massachusetts, Missouri, Nebraska, New Hampshire, New York, Texas, Vermont Virginia, and Washington. In my analysis, the provisions in these eighteen bills are also all substantially similar to California's 2004 S.B.1436. See my analysis and critique of that bill.

Enforcement by attorney general, with civil penalties.

Texas - Consumer Protection Against Computer Spyware Act - H.B.1430 and S.B.958

Rep. McCall

Status: Introduced, February 22, 2005.

Prohibits transmitting and using, through intentionally deceptive means, computer software that changes certain settings (home page, connection provider, proxy, bookmarks), collects personally identifiable information, prevents a user's efforts to block installation, falsely claims that software will be disabled by the user's actions, removes or disables security software, or takes control of the computer (by accruing dial-up charges, or by opening a series of advertisements that can only be stopped by turning off the computer).

Prohibits inducing a user to install software by intentionally misrepresenting that installing software is necessary for security or privacy, or to open or play content.

Core prohibitions are substantially similar among bills from Alabama, Arkansas, Arizona, Delaware, Hawaii, Illinois, Iowa, Kansas, Maryland, Massachusetts, Missouri, Nebraska, New Hampshire, New York, Texas, Vermont Virginia, and Washington. In my analysis, the provisions in these eighteen bills are also all substantially similar to California's 2004 S.B.1436. See my analysis and critique of that bill.

Private right of action by harmed web sites, as well as enforcement by attorney general. Statutory damages as well as attorneys fees.

Virginia - Prohibited Software and Actions - H.B.1729

Del. Cosgrove

Status: Passed House, February 2005.

Prohibits transmitting and using, through intentionally deceptive means, computer software that changes certain settings (home page, connection provider, proxy, bookmarks), collects personally identifiable information, prevents a user's efforts to block installation, falsely claims that software will be disabled by the user's actions, removes or disables security software, or takes control of the computer (by accruing dial-up charges, or by opening a series of advertisements that can only be stopped by turning off the computer).

Prohibits inducing a user to install software by intentionally misrepresenting that installing software is necessary for security or privacy, or to open or play content.

Core prohibitions are substantially similar among bills from Alabama, Arkansas, Arizona, Delaware, Hawaii, Illinois, Iowa, Kansas, Maryland, Massachusetts, Missouri, Nebraska, New Hampshire, New York, Texas, Vermont Virginia, and Washington. In my analysis, the provisions in these eighteen bills are also all substantially similar to California's 2004 S.B.1436. See my analysis and critique of that bill.

Criminal penalties.

Vermont - Computer Spyware - S.235

Sen. Campbell

Status: Introduced, January 2006.

Prohibits transmitting and using, through intentionally deceptive means, computer software that changes certain settings (home page, connection provider, proxy, bookmarks), collects personally identifiable information, prevents a user's efforts to block installation, falsely claims that software will be disabled by the user's actions, removes or disables security software, or takes control of the computer (by accruing dial-up charges, or by opening a series of advertisements that can only be stopped by turning off the computer).

Prohibits inducing a user to install software by intentionally misrepresenting that installing software is necessary for security or privacy, or to open or play content.

Core prohibitions are substantially similar among bills from Alabama, Arkansas, Arizona, Delaware, Hawaii, Illinois, Iowa, Kansas, Maryland, Massachusetts, Missouri, Nebraska, New Hampshire, New York, Texas, Vermont Virginia, and Washington. In my analysis, the provisions in these eighteen bills are also all substantially similar to California's 2004 S.B.1436. See my analysis and critique of that bill.

Civil remedies including statutory damages. Computer owners, site owners, and ISPs would have standing to sue. Allows recovery of attorneys fees.

West Virginia - Spyware Disclosure - H.B.3246

Status: Introduced, March 25, 2005.

Prohibits causing spyware to be installed for purposes of defrauding, or obtaining money or services by fraud. Prohibits installing or causing spyware to be installed, if it directly or indirectly causes loss of value of property or computer services. Prohibits causing spyware to be installed which collects employment, salary, crdit, or other financial or personal information without authorization.

Criminal penalties.

2004 legislation not passed

California - Computer Adware and Spyware - A.B.2787

Assembly Member Tim Leslie

Status: Passed committee, 2004.

Prohibits "hijack[ing] ... a user's computer in this state." Other clauses and prohibitions (from earlier drafts of the bill) have been removed.

Consumers may sue to recover actual damages or liquidated damages of $1,000 per violation. The Department of Consumer Affairs may issue administrative fines against violators

Iowa - Senate File 2200 -

Sen. Kreiman

Status: Introduced, 2004.

According to Slashdot, this bill makes "the distribution of Spyware without notice an aggravated misdemeanor, punishable by confinement for no more than two years and a fine of at least $500 but not more than $5,000. The proposed bill also provides victims and county attorneys with the ability to file a civil cause of action for relief from conduct constituting the crime of unauthorized collection and disclosure of personal information by computer." (reference)

Suits may be brought by the county attorney or by other aggrieved persons.

Criminal penalties.

Private right of action for harmed consumers.

Michigan - S.B.1315

Sen. Brown

Status: Introduced, June 22, 2004.

Requires certain disclosures prior to installation of spyware. Defines spyware as software that monitors computer use or display advertisements in response to computer use, but excludes from spyware all programs "installed ... by the owner" of a computer. Criminal sanctions including fines and imprisonment.

Criminal sanctions including fines and imprisonment.

New York - S.07141

Status: Passed Senate, June 17, 2004..

According to the bill's summary, the bill creates a crime of unlawful dissemination of spyware, ordinarily a class A misdemeanor and a class E felony for repeat offenders. Unlawful dissemination of spyware takes place when a person "having no right to do so" installs software ("including but not limited to a keylogg[er]") to gather and transmit personal information or data without a user's knowledge or explicit authorization.

Slashdot Discussion

Criminal penalties.

Virginia - Invasive Technologies - H.B.1304

Del. Lingamfelter

Status: Introduced, 2004.

Beginning in 2006, would require public bodies to conduct a privacy impact analysis when authorizing or prohibiting the use of invasive technologies including spyware.  

The initial listings report bills either passed or actively under consideration, ordered by state in alphabetical order. Prior bills (from 2004) appear at the bottom of the list.

See also the National Conference of State Legislatures' 2004, 2005, and 2006 Legislation Relating to Internet Spyware or Adware.

 

Disclosures

My interest in spyware originally arose in part from a prior consulting engagement in which I served as an expert to parties adverse to Claria in litigation. See Washingtonpost.Newsweek Interactive Company, LLC, et al. v. the Gator Corporation. More recently, I have served as an expert or consultant to other parties adverse to spyware companies in litigation or contemplated litigation.

This page is my own work - created on my own, without approval by any client, without payment from any client.


Last Updated: June 15, 2008 - Sign up for notification of major updates and related work.