This chapter shall be known as and may be cited as the Consumer Protection Against Computer Spyware Act.
Chapter 32Consumer Protection Against Computer Spyware Act
Section § 22947
This law is called the Consumer Protection Against Computer Spyware Act, aimed at shielding consumers from harmful spyware on their computers.
Consumer Protection Computer Spyware Protecting Consumers Spyware Act cybersecurity malicious software spyware prevention digital privacy computer safety consumer rights
Section § 22947.1
This section defines key terms used in the chapter related to computer and internet activities. It specifies what counts as an advertisement, who is considered an authorized user of a computer, and describes computer software and viruses. It explains 'consumer' as someone using a computer mainly for personal purposes. The law also defines damage, execution of software, and what it means to be intentionally deceptive. The internet is described in technical terms, and 'person' includes individuals and various organizations. It outlines what constitutes personally identifiable information, including names, financial details, and web history.
For purposes of this chapter, the following terms have the following meanings:
(a)CA Business and Professions Code § 22947.1(a) “Advertisement” means a communication, the primary purpose of which is the commercial promotion of a commercial product or service, including content on an Internet Web site operated for a commercial purpose.
(b)CA Business and Professions Code § 22947.1(b) “Authorized user,” with respect to a computer, means a person who owns or is authorized by the owner or lessee to use the computer. An “authorized user” does not include a person or entity that has obtained authorization to use the computer solely through the use of an end user license agreement.
(c)CA Business and Professions Code § 22947.1(c) “Computer software” means a sequence of instructions written in any programming language that is executed on a computer.
(d)CA Business and Professions Code § 22947.1(d) “Computer virus” means a computer program or other set of instructions that is designed to degrade the performance of or disable a computer or computer network and is designed to have the ability to replicate itself on other computers or computer networks without the authorization of the owners of those computers or computer networks.
(e)CA Business and Professions Code § 22947.1(e) “Consumer” means an individual who resides in this state and who uses the computer in question primarily for personal, family, or household purposes.
(f)CA Business and Professions Code § 22947.1(f) “Damage” means any significant impairment to the integrity or availability of data, software, a system, or information.
(g)CA Business and Professions Code § 22947.1(g) “Execute,” when used with respect to computer software, means the performance of the functions or the carrying out of the instructions of the computer software.
(h)CA Business and Professions Code § 22947.1(h) “Intentionally deceptive” means any of the following:
(1)CA Business and Professions Code § 22947.1(h)(1) By means of an intentionally and materially false or fraudulent statement.
(2)CA Business and Professions Code § 22947.1(h)(2) By means of a statement or description that intentionally omits or misrepresents material information in order to deceive the consumer.
(3)CA Business and Professions Code § 22947.1(h)(3) By means of an intentional and material failure to provide any notice to an authorized user regarding the download or installation of software in order to deceive the consumer.
(i)CA Business and Professions Code § 22947.1(i) “Internet” means the global information system that is logically linked together by a globally unique address space based on the Internet Protocol (IP), or its subsequent extensions, and that is able to support communications using the Transmission Control Protocol/Internet Protocol (TCP/IP) suite, or its subsequent extensions, or other IP-compatible protocols, and that provides, uses, or makes accessible, either publicly or privately, high level services layered on the communications and related infrastructure described in this subdivision.
(j)CA Business and Professions Code § 22947.1(j) “Person” means any individual, partnership, corporation, limited liability company, or other organization, or any combination thereof.
(k)CA Business and Professions Code § 22947.1(k) “Personally identifiable information” means any of the following:
(1)CA Business and Professions Code § 22947.1(k)(1) First name or first initial in combination with last name.
(2)CA Business and Professions Code § 22947.1(k)(2) Credit or debit card numbers or other financial account numbers.
(3)CA Business and Professions Code § 22947.1(k)(3) A password or personal identification number required to access an identified financial account.
(4)CA Business and Professions Code § 22947.1(k)(4) Social Security number.
(5)CA Business and Professions Code § 22947.1(k)(5) Any of the following information in a form that personally identifies an authorized user:
(A)CA Business and Professions Code § 22947.1(k)(5)(A) Account balances.
(B)CA Business and Professions Code § 22947.1(k)(5)(B) Overdraft history.
(C)CA Business and Professions Code § 22947.1(k)(5)(C) Payment history.
(D)CA Business and Professions Code § 22947.1(k)(5)(D) A history of Web sites visited.
(E)CA Business and Professions Code § 22947.1(k)(5)(E) Home address.
(F)CA Business and Professions Code § 22947.1(k)(5)(F) Work address.
(G)CA Business and Professions Code § 22947.1(k)(5)(G) A record of a purchase or purchases.
advertisement authorized user computer software computer virus consumer damage intentionally deceptive internet person personally identifiable information credit card numbers home address web history financial account numbers software installation
Section § 22947.2
This law prohibits anyone who is not an authorized user from knowingly or deceitfully installing software on a consumer's computer in California and using it to change internet settings, collect sensitive personal data without consent, or block efforts to remove or disable the software. It also bans falsely claiming that software is removable and interfering with security software.
A person or entity that is not an authorized user, as defined in Section 22947.1, shall not, with actual knowledge, with conscious avoidance of actual knowledge, or willfully, cause computer software to be copied onto the computer of a consumer in this state and use the software to do any of the following:
(a)CA Business and Professions Code § 22947.2(a) Modify, through intentionally deceptive means, any of the following settings related to the computer’s access to, or use of, the Internet:
(1)CA Business and Professions Code § 22947.2(a)(1) The page that appears when an authorized user launches an Internet browser or similar software program used to access and navigate the Internet.
(2)CA Business and Professions Code § 22947.2(a)(2) The default provider or Web proxy the authorized user uses to access or search the Internet.
(3)CA Business and Professions Code § 22947.2(a)(3) The authorized user’s list of bookmarks used to access Web pages.
(b)CA Business and Professions Code § 22947.2(b) Collect, through intentionally deceptive means, personally identifiable information that meets any of the following criteria:
(1)CA Business and Professions Code § 22947.2(b)(1) It is collected through the use of a keystroke-logging function that records all keystrokes made by an authorized user who uses the computer and transfers that information from the computer to another person.
(2)CA Business and Professions Code § 22947.2(b)(2) It includes all or substantially all of the Web sites visited by an authorized user, other than Web sites of the provider of the software, if the computer software was installed in a manner designed to conceal from all authorized users of the computer the fact that the software is being installed.
(3)CA Business and Professions Code § 22947.2(b)(3) It is a data element described in paragraph (2), (3), or (4) of subdivision (k) of Section 22947.1, or in subparagraph (A) or (B) of paragraph (5) of subdivision (k) of Section 22947.1, that is extracted from the consumer’s computer hard drive for a purpose wholly unrelated to any of the purposes of the software or service described to an authorized user.
(c)CA Business and Professions Code § 22947.2(c) Prevent, without the authorization of an authorized user, through intentionally deceptive means, an authorized user’s reasonable efforts to block the installation of, or to disable, software, by causing software that the authorized user has properly removed or disabled to automatically reinstall or reactivate on the computer without the authorization of an authorized user.
(d)CA Business and Professions Code § 22947.2(d) Intentionally misrepresent that software will be uninstalled or disabled by an authorized user’s action, with knowledge that the software will not be so uninstalled or disabled.
(e)CA Business and Professions Code § 22947.2(e) Through intentionally deceptive means, remove, disable, or render inoperative security, antispyware, or antivirus software installed on the computer.
unauthorized software consumer protection internet settings deceptive practices keystroke logging privacy invasion data collection software reinstallation security software interference spyware removal computer access modification bookmark alteration concealed software installation software misrepresentation antivirus software
Section § 22947.3
This section makes it illegal for unauthorized people to install software on someone else's computer and use it for harmful activities, like sending spam or viruses, using the person's internet without consent, or launching cyber attacks. It also bans altering internet settings to steal personal information or harm computers, and prevents users from stopping unwanted software installations. Some exceptions include activities by providers for security and technical reasons.
A person or entity that is not an authorized user, as defined in Section 22947.1, shall not, with actual knowledge, with conscious avoidance of actual knowledge, or willfully, cause computer software to be copied onto the computer of a consumer in this state and use the software to do any of the following:
(a)CA Business and Professions Code § 22947.3(a) Take control of the consumer’s computer by doing any of the following:
(1)CA Business and Professions Code § 22947.3(a)(1) Transmitting or relaying commercial electronic mail or a computer virus from the consumer’s computer, where the transmission or relaying is initiated by a person other than the authorized user and without the authorization of an authorized user.
(2)CA Business and Professions Code § 22947.3(a)(2) Accessing or using the consumer’s modem or Internet service for the purpose of causing damage to the consumer’s computer or of causing an authorized user to incur financial charges for a service that is not authorized by an authorized user.
(3)CA Business and Professions Code § 22947.3(a)(3) Using the consumer’s computer as part of an activity performed by a group of computers for the purpose of causing damage to another computer, including, but not limited to, launching a denial of service attack.
(4)CA Business and Professions Code § 22947.3(a)(4) Opening multiple, sequential, stand-alone advertisements in the consumer’s Internet browser without the authorization of an authorized user and with knowledge that a reasonable computer user cannot close the advertisements without turning off the computer or closing the consumer’s Internet browser.
(b)CA Business and Professions Code § 22947.3(b) Modify any of the following settings related to the computer’s access to, or use of, the Internet:
(1)CA Business and Professions Code § 22947.3(b)(1) An authorized user’s security or other settings that protect information about the authorized user for the purpose of stealing personal information of an authorized user.
(2)CA Business and Professions Code § 22947.3(b)(2) The security settings of the computer for the purpose of causing damage to one or more computers.
(c)CA Business and Professions Code § 22947.3(c) Prevent, without the authorization of an authorized user, an authorized user’s reasonable efforts to block the installation of, or to disable, software, by doing any of the following:
(1)CA Business and Professions Code § 22947.3(c)(1) Presenting the authorized user with an option to decline installation of software with knowledge that, when the option is selected by the authorized user, the installation nevertheless proceeds.
(2)CA Business and Professions Code § 22947.3(c)(2) Falsely representing that software has been disabled.
(d)CA Business and Professions Code § 22947.3(d) Nothing in this section shall apply to any monitoring of, or interaction with, a subscriber’s Internet or other network connection or service, or a protected computer, by a telecommunications carrier, cable operator, computer hardware or software provider, or provider of information service or interactive computer service for network or computer security purposes, diagnostics, technical support, repair, authorized updates of software or system firmware, authorized remote system management, or detection or prevention of the unauthorized use of or fraudulent or other illegal activities in connection with a network, service, or computer software, including scanning for and removing software proscribed under this chapter.
unauthorized software computer control spam transmission internet setting modification denial of service attack sequential advertisements security settings stealing personal information blocking software installation false software disabling telecommunications carrier cable operator technical support network security fraud prevention
Section § 22947.4
This law makes it illegal for someone who is not authorized to trick a computer user into downloading software they don't need, such as claiming it's necessary for security reasons or to view certain types of content. It also prohibits deceiving users into running software that makes them break the law. However, companies that provide internet services or software are allowed to interact with your computer for tasks like security monitoring, diagnostics, or updates, as long as it's for legitimate purposes.
(a)CA Business and Professions Code § 22947.4(a) A person or entity, who is not an authorized user, as defined in Section 22947.1, shall not do any of the following with regard to the computer of a consumer in this state:
(1)CA Business and Professions Code § 22947.4(a)(1) Induce an authorized user to install a software component onto the computer by intentionally misrepresenting that installing software is necessary for security or privacy reasons or in order to open, view, or play a particular type of content.
(2)CA Business and Professions Code § 22947.4(a)(2) Deceptively causing the copying and execution on the computer of a computer software component with the intent of causing an authorized user to use the component in a way that violates any other provision of this section.
(b)CA Business and Professions Code § 22947.4(b) Nothing in this section shall apply to any monitoring of, or interaction with, a subscriber’s Internet or other network connection or service, or a protected computer, by a telecommunications carrier, cable operator, computer hardware or software provider, or provider of information service or interactive computer service for network or computer security purposes, diagnostics, technical support, repair, authorized updates of software or system firmware, authorized remote system management, or detection or prevention of the unauthorized use of or fraudulent or other illegal activities in connection with a network, service, or computer software, including scanning for and removing software proscribed under this chapter.
unauthorized user software misrepresentation deceptive downloading security misrepresentation telecommunications carrier network security purposes software diagnostics legitimate updates system firmware unauthorized use detection
Section § 22947.5
This law declares that rules about spyware and how software providers notify consumers about data collection are to be governed by state law, not local laws. In other words, only the state of California can make rules in this area, and local governments cannot have their own different rules.
It is the intent of the Legislature that this chapter is a matter of statewide concern. This chapter supersedes and preempts all rules, regulations, codes, ordinances, and other laws adopted by a city, county, city and county, municipality, or local agency regarding spyware and notices to consumers from computer software providers regarding information collection.
spyware regulation state preemption consumer notifications data collection statewide concern local government restrictions software providers information collection city ordinances county laws municipality regulations local agency rules computer software notices California state authority
Section § 22947.6
This section says that if any part of the chapter is found to be invalid or unenforceable, the rest of the chapter stays in effect as long as it can function without the invalid part.
The provisions of this chapter are severable. If any provision of this chapter or its application is held invalid, that invalidity shall not affect any other provision or application that can be given effect without the invalid provision or application.
severability invalid provision enforceable chapters unaffected provisions legal effectiveness chapter application invalidity impact California business policies legal severability provision invalidation chapter enforcement
