BILL NUMBER: AB 2787	AMENDED
	BILL TEXT

	AMENDED IN SENATE  JUNE 23, 2004
	AMENDED IN ASSEMBLY  MAY 11, 2004
	AMENDED IN ASSEMBLY  APRIL 22, 2004
	AMENDED IN ASSEMBLY  MARCH 25, 2004

INTRODUCED BY   Assembly Member Leslie
   (Coauthors:  Assembly Members Bates and Samuelian)
   (Coauthors:  Senators Battin, Bowen, and Oller)

                        FEBRUARY 20, 2004

   An act to add Chapter 22.2 (commencing with Section 22580) to
Division 8 of the Business and Professions Code, relating to privacy.


	LEGISLATIVE COUNSEL'S DIGEST


   AB 2787, as amended, Leslie.  Computer spyware: deceptive
practices:  regulation.
   Existing law provides for the regulation of various businesses by
the Department of Consumer Affairs.  
   This bill would prohibit a person or entity conducting business in
California from hijacking or causing to be hijacked a user's
computer.  The bill would authorize a consumer to bring an action
against a person or entity that violates the prohibition to recover
actual damages, liquidated damages of $1,000 per violation, and
reasonable attorney's fees and costs.  The bill would also make a
person or entity who violates the prohibition subject to an
administrative fine by the Department of Consumer Affairs of $1,000
per violation.  
   This bill would enact the Protection Against Computer Spyware Act.
  The act would prohibit a person or entity conducting business in
this state from knowingly causing a computer program to be copied
onto the computer of a California consumer, as defined, and using the
program to perform certain acts relating to altering, taking control
of, or damaging, the computer or the consumer's Internet access or
use.  The act would authorize the Attorney General to bring a civil
enforcement action or institute equity proceedings to obtain
injunctive relief and (1) actual damages, (2) the lesser of a civil
fine of $1,000 per violation or $500,000 for all claims relating to a
violation, or (3) a civil fine not exceeding $1,000,000 for all
claims relating to a knowing and willful pattern of practice.  The
act would make exceptions to the civil fines for defendants that have
established and implemented practices and procedures to prevent
violations.  The act would also provide that a provider of software
or provider of interactive computer service would not be liable for
an action to remove or disable programs used to violate the act if
the consumer is notified in advance. 
   Vote:  majority.  Appropriation:  no.  Fiscal committee:  yes.
State-mandated local program:  no.


THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:


  SECTION 1.  Chapter 22.2 (commencing with Section 22580) is added
to Division 8 of the Business and Professions Code, to read:

      CHAPTER 22.2.  PROTECTION AGAINST COMPUTER SPYWARE ACT

   22580.  This chapter shall be known as and may be cited as the
Protection Against Computer Spyware Act.  
   22580.1.  A person or entity conducting business in this state may
not hijack, or cause to be hijacked, a user's computer in this
state.
   22580.2.  (a) In addition to any other remedy available at law, a
consumer may bring an action against a person or entity that violates
this chapter to recover either or both of the following:
   (1) Actual damages.
   (2) Liquidated damages of one thousand dollars ($1,000) for each
violation.  A prevailing plaintiff is entitled to recover reasonable
attorney's fees and costs.
   (b) Violation of this chapter by a person or entity is subject to
an administrative fine by the Department of Consumer Affairs of one
thousand dollars ($1,000) for each violation.   
   22580.1.  As used in this chapter, and without prejudice to the
application or interpretation of these terms under other laws or
regulations:
   (a) "Advertisement" means a communication, the primary purpose of
which is the commercial promotion of a commercial product or service,
including content on an Internet Web site operated for a commercial
purpose.
   (b) "Authorized user," with respect to a computer, means a
consumer who owns or is an authorized user of the computer.
   (c) "Consumer" means any individual who resides in this state and
who uses a computer primarily for personal, family, or household
purposes.
   (d) "Computer program" means a set of statements or instructions
to be used directly or indirectly in a computer in order to bring
about a certain result.
   (e) "Computer virus" means a computer program or other set of
instructions that is designed to degrade the performance of, or to
disable, a computer or computer network and to have the ability to
replicate itself on other computers or computer networks without the
authority of the owners of the computers or computer networks.
   (f) "Damage" means any significant impairment to the integrity or
availability of data, a program, a system, or information.
   (g) "Intentionally deceptive" means either:
   (1) By means of an intentionally false or fraudulent statement.
   (2) By means of a statement or description that intentionally
omits or misrepresents material information in order to deceive the
consumer.
   22581.2.  A person or entity conducting business in this state,
who is not an authorized user, as defined in Section 22580.1, shall
not knowingly cause a computer program to be copied onto the computer
of a consumer and use the program to do any of the following:
   (a) Take control, through intentionally deceptive means, of the
consumer's computer by doing any of the following:
   (1) Transmitting or relaying commercial electronic mail or a
computer virus from the consumer's computer, where the transmission
or relaying is initiated by a person other than an authorized user
and without the authorization of an authorized user.
   (2) Accessing or using the consumer's modem or Internet service
for the purpose of causing damage to the consumer's computer or
causing an authorized user to incur unauthorized financial charges.
   (3) Using the consumer's computer as part of an activity performed
by a group of computers for the purpose of causing damage to another
computer, including, but not limited to, launching a denial of
service attack.
   (4) Opening multiple, sequential, stand-alone advertisements in
the consumer's Internet browser with knowledge that a reasonable
computer user cannot close the advertisements without turning off the
computer or closing the consumer's Internet browser.
   (b) Modify, through intentionally deceptive means, any of the
following settings related to the computer's access to, or use of,
the Internet:
   (1) The page that appears when an authorized user launches an
Internet browser or similar program used to access and navigate the
Internet.
   (2) The default provider the authorized user uses to access or
search the Internet.
   (3) The authorized user's list of bookmarks used to access Web
pages.
   (4) An authorized user's security or other settings that protect
information about the authorized user, for the purpose of stealing
personal information of, or causing harm to, an authorized user.
   (5) The security settings of the computer for the purpose of
causing damage to one or more computers.
   (c) Collect, through intentionally deceptive means, personally
identifiable information through the use of a keystroke logging
function that records all key strokes made by an authorized user who
uses the computer and transferring that information from the computer
to another person.
   (d) Prevent, through intentionally deceptive means, an authorized
user's reasonable efforts to block the installation of, or to
disable, software, by doing any of the following:
   (1) Presenting the authorized user with an option to decline
installation of software such that, when the option is selected by
the authorized user, the installation nevertheless proceeds.
   (2) Falsely representing that software has been disabled.
   (3) Causing software that the authorized user has properly removed
or disabled to automatically reinstall or reactivate on the computer
without the authorization of an authorized user.
   (e) Intentionally misrepresent that software will be uninstalled
or disabled by an authorized user's action, with knowledge that the
software will not be so uninstalled or disabled.
   (f) Induce, through deceptive means, an authorized user to install
a software component onto the computer, including, but not limited
to, deceptively misrepresenting that installing software is necessary
for security or privacy reasons or in order to open, view, or play a
particular type of content.
   (g) Deceptively install and execute on the computer one or more
additional computer software components with the intent of causing an
authorized user to use the components in a way that violates any
other provision of this section.
   (h) Through intentionally deceptive means, remove, disable, or
render inoperative a security, antispyware, or antivirus technology
installed on the computer.
   22580.3.  (a) It shall be the exclusive remedy for a violation of
Section 22580.2 for the Attorney General to bring a civil enforcement
action or to institute equity proceedings in any superior court of
this state to obtain the following:
   (1) An injunction to restrain and enjoin the defendant from
violating Section 22580.2.
   (2) One of the following:
   (A) Actual damages.
   (B) The lesser of a civil fine of one thousand dollars ($1,000)
for each violation of Section 22580.2, or five hundred thousand
dollars ($500,000) for all claims relating to a violation of Section
22580.2.
   (C) A civil fine not exceeding one million dollars ($1,000,000)
for all claims relating to a pattern and practice of knowing and
willful violations of Section 22580.2.
   (b) It shall be a defense to liability for civil fines recoverable
under subdivision (a) in an action brought to enforce subdivisions
(f) and (g) of Section 22580.2, that the defendant established and
implemented, with due care, practices and procedures reasonably
designed to prevent such violations.
   (c) No person other than the Attorney General shall bring an
action at law or in equity, in an individual or representative
capacity, for a violation concerning the activities regulated by this
chapter.
   22580.4.  A provider of software or provider of interactive
computer service shall not be held liable under the law of this State
or any political subdivision thereof for any action voluntarily
taken in good faith, or any service provided in good faith, to remove
or disable programs used to violate Section 22580.2 of this chapter
that reside on the computer of a customer of the provider, if the
provider notifies the consumer prior to undertaking the action or
providing the service.