Spyware/Adware Bills Targets DMersState and federal legislation presumably aimed at restricting the use of secret software spying mechanisms unknowingly downloaded onto a user's computer goes well beyond that seemingly legitimate task.
Instead, the legislation threatens to create a mishmash of inconsistent laws and create standards that unfairly hamper legitimate forms of marketing. Direct marketers who rely on tracking mechanisms for their advertising or promote advertising through adware devices must pay close attention to this emerging issue.
Spyware and adware: important differences. Computer users increasingly have been troubled by a range of software that gets installed into their computers, often without their knowledge or consent, that tracks their Internet surfing. The increased prevalence of such software has generated confusion in the public and legislatures in the rush to combat such actions.
Important differences exist between the types of software at issue: adware and spyware. Essentially, adware lets marketers engage in legitimate advertising by displaying ad banners, while spyware lets a programmer track a user's computer viewing habits without the user's knowing consent.
The Utah legislation. Largely in response to the inquiries of a disgruntled advertiser (1-800 Contacts) who was challenging the actions of an adware user, Utah's governor signed into law the Spyware Control Act on March 23.
Though Utah's law restricts the use of spyware technology and enacts provisions to protect the interests of businesses and consumers, the legislation no doubt will affect legitimate forms of direct marketing.
Under the law, a company cannot install onto another's computer spyware - software that "monitors the computer's usage" and "sends information about the computer's usage to a remote computer or server" that is used for surreptitious tracking purposes. Yet the Utah law goes beyond prohibiting surreptitious tracking-type software.
Essentially, it prohibits software from displaying advertisements via a context-based triggering mechanism if the ads partially or wholly cover content of the Internet Web site. The law also prohibits spyware from displaying ads on a computer unless it complies with certain disclosure requirements.
In addition, the law prohibits using spyware to cause ads to appear on a user's computer through the use of a "context-based triggering mechanism," which is defined as a software-based program that displays an ad based on the current Web site accessed by a user. Taking control away from the consumer, the law even provides that "it is not a defense to a violation that a user may remove or hide an advertisement."
Moreover, an ad delivered by spyware must be accompanied by a method through which a user may "quickly and easily" disable. Thus, though the law purports to be aimed at spyware, it contains provisions that restrict "adware." Moreover, the legislation seems to challenge the knowing installation of software that may otherwise generate what is now considered prohibited advertising. The future of this law may be in doubt, however, as challenges to its constitutionality are likely.
Is federal legislation coming? Just as the short-lived California legislation requiring opt in for unsolicited commercial e-mail had the potential to set a national standard, Utah's legislation threatens the same given the Internet's borderless nature. Marketers would hope that Congress would recognize this potential and respond accordingly.
Federal bills are pending. In July 2003, the Safeguard Against Privacy Invasions Act was introduced, requiring companies that use spyware technology to inform users and obtain permission before loading it onto a computer. In February, legislation was introduced in the Senate to prohibit spyware and other forms of tracking software from being secretly installed on computers.
The SPYBLOCK (Software Principles Yielding Better Levels of Consumer Knowledge) Act, S.B. 2145, would prohibit installing software on a person's computer without notice and consent and require uninstall procedures for downloadable software. The act also would prohibit installing software on a person's computer if the software is intended or "reasonably expected" to mislead the user concerning the identity of the person responsible for the software.
The notice provisions in the act are onerous. The notice must include a clear notification, displayed on the screen until the user grants or denies consent to installation, of the name and general nature of the software.
Separate disclosures are required with respect to each information collection, advertising, distributed computing and settings modification feature contained in the software, which must remain on the screen until the user either grants or denies consent to that feature. In the case of an advertising feature, the bill would require descriptions regarding the frequency of ads.
SPYBLOCK authorizes the Federal Trade Commission to enforce the act as if a violation were an unfair or deceptive practice. Any entity that violates any provision is subject to the penalties provided in the FTC act and further permits state attorneys general to commence proceedings on behalf of residents of their states.
However, unlike the CAN-SPAM Act of 2003, which pre-empted most state laws relating to non-content issues, the proposed federal legislation currently has no pre-emption provision. Instead, it would create even more confusion in the marketplace.
Utah's law opens the question of whether similar states will follow suit, and whether the bills pending at the federal level will be enacted and if they will set a national standard. Lobbying from interested parties on both sides makes clear that legislators must balance the needs of computer users with those of companies who use the Internet and software technology to generate business.