Although adware and spyware are clearly two different animals, some pending legislation could affect the use of both.
At least 11 states have enacted or amended adware or spyware laws in 2005 including Alaska, Arizona, Arkansas, Georgia, Indiana, Iowa, New Hampshire, Texas, Utah, Virginia and Washington. Most of these laws are modeled on California’s spyware law, which was enacted in 2004. The California law prohibits installing software through intentionally deceptive means on a California user’s computer that modifies certain settings, collects information through deceptive means, prevents efforts to disable such software, takes control of a computer, or disables security or anti-spyware software.
California’s statute and the other state statutes that mirror its language would probably not apply to marketers who use or advertise through adware if clear and conspicuous notice is provided that an adware program will be installed on a user’s computer and explains what the program does. However, two state laws are significantly different from California’s law and may pose real problems for marketers who use adware.
The Utah Spyware Control Act prohibits the use of “spyware” to trigger the display of pop-up ads that interfere with the user’s ability to see the ad or other content the user originally attempted to access. “Spyware” is defined as software that, without the consent of the site owner, collects information about the site the user is visiting in order to enable the display of pop-up ads, presumably targeted to the user based on what site the user is visiting.
Similarly, Alaska’s spyware law prohibits causing the display of a pop-up ad, without the computer user’s consent or request, that is displayed in response to a user accessing a specific mark (a registered trademark or service mark or registered domain name) or website address and that is purchased by a person other than the mark owner or licensee of the mark. (There is no requirement of proving trademark infringement.) A person who purchases advertising on a pop-up ad described above is also liable if such person receives notice from a mark owner of the violation and fails to stop it.
Although the Utah and Alaska laws apply only to the display of pop-up ads to residents of their states, they could pose significant problems for marketers. If these laws survive legal challenges, most companies that provide adware, and possibly the advertisers that advertise in the pop-up ads, would probably have to develop a reliable mechanism for determining the location of a computer user, either through some automated means or by asking a computer user where he or she resides, to make sure pop-up ads are not displayed to residents of Utah or Alaska.
Such restrictive state laws often lead to a federal law that pre-empts state laws. Several bills are pending in Congress that would regulate adware and spyware to varying degrees. The Senate Commerce Committee approved S. 687, the SPY BLOCK Act, in November, which would pre-empt state spyware laws. The bill would prohibit, with certain exceptions, installing software on a computer user’s computer in a manner that conceals such installation or does not provide the user with the opportunity to opt-out of such installation, and would prohibit installing software that cannot be uninstalled or disabled. The bill would also prohibit the installation of software that surreptitiously collects information about a user, as well as prohibiting the installation of software that displays ads without a label or other means of identifying which software caused the display of the ad.
H.R. 29, the SPY ACT of 2005, would pre-empt state laws regulating spyware, would prohibit certain acts, and would require notice and consent before transmitting and executing an “information collection program.” An information collection program is defined as computer software that performs either of the following functions: (a) collects personally identifiable information and sends such information to a person other than the owner or authorized user of the computer or uses such information to deliver or display advertising on a computer; or (b) collects information regarding web pages that are accessed and uses such information to deliver or display advertising (but not including a website’s own tracking program that does not relay such information to any other party). H.R. 29, like S. 687, also prohibits other practices that thwart a user’s control of his or her computer, such as altering the computer’s settings. H.R. 29 was passed by the House in May and sent to the Senate.
These and other federal spyware bills are being considered despite the Federal Trade Commission’s position that new spyware legislation is not needed. In a March 2005 report, the FTC stated that Section 5 of the FTC Act, which prohibits deceptive and unfair trade practices, and the federal Computer Fraud and Abuse Act, which addresses hacking, were adequate for prosecuting spyware distributors. The FTC has used these statutes in several enforcement actions, and in an October 2005 speech, the chairman of the FTC stated that the FTC will continue to make spyware investigations and prosecutions an enforcement priority.
Although adware does offer targeted advertising at a relatively low cost, marketers should consider the potential legal pitfalls and craft marketing campaigns that utilize adware with care.
Terri Seligman is a partner in the Advertising and Promotions Law Group at Loeb & Loeb LLP. Read full bio. Jill Westmoreland, an attorney at the firm, contributed to this article.