BILL NUMBER: SB 1436	CHAPTERED
	BILL TEXT

	CHAPTER  843
	FILED WITH SECRETARY OF STATE  SEPTEMBER 28, 2004
	APPROVED BY GOVERNOR  SEPTEMBER 28, 2004
	PASSED THE SENATE  AUGUST 26, 2004
	PASSED THE ASSEMBLY  AUGUST 23, 2004
	AMENDED IN ASSEMBLY  AUGUST 19, 2004
	AMENDED IN ASSEMBLY  AUGUST 17, 2004
	AMENDED IN ASSEMBLY  AUGUST 5, 2004
	AMENDED IN ASSEMBLY  JUNE 24, 2004
	AMENDED IN ASSEMBLY  JUNE 14, 2004
	AMENDED IN SENATE  MAY 11, 2004
	AMENDED IN SENATE  APRIL 22, 2004

INTRODUCED BY   Senator Murray
   (Principal coauthors:  Assembly Members Correa and Leslie)
   (Coauthor:  Senator Romero)
   (Coauthors:  Assembly Members Aghazarian, Chavez, Shirley Horton,
Jackson, Koretz, Leno, Maze, Nation, Negrete McLeod, Vargas, and Yee)

                        FEBRUARY 19, 2004

   An act to add Chapter 32 (commencing with Section 22947) to
Division 8 of the Business and Professions Code, relating to
business.



	LEGISLATIVE COUNSEL'S DIGEST


   SB 1436, Murray.  Computer spyware.
   Existing law provides for the regulation of various businesses by
the Department of Consumer Affairs.  No existing law provides for the
regulation of computer spyware.
   This bill would prohibit a person or entity other than the
authorized user of a computer owned by a person in California from,
with actual knowledge, conscious avoidance of actual knowledge, or
willfully, causing computer software to be copied onto the computer
and using the software to (1) take control of the computer, as
specified, (2) modify certain settings relating to the computer's
access to or use of the Internet, as specified, (3) collect, through
intentionally deceptive means, personally identifiable information,
as defined, (4) prevent, without authorization, an authorized user's
reasonable efforts to block the installation of or disable software,
as specified, (5) intentionally misrepresent that the software will
be uninstalled or disabled by an authorized user's action, or (6)
through intentionally deceptive means, remove, disable, or render
inoperative security, antispyware, or antivirus software installed on
the computer.  The bill would also prohibit a person or entity who
is not an authorized user from inducing an authorized user to install
a software component by intentionally misrepresenting that it is
necessary for security or privacy or in order to open, view, or play
a particular type of content.  The bill would prohibit a person or
entity who is not an authorized user from deceptively causing the
copying and execution on the computer of software components with the
intent of causing an authorized user to use the components in a way
that violates any of these prohibitions.
   The bill would provide that if any part of these provisions or
their applications are held invalid, the invalidity would not affect
other provisions.


THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:


  SECTION 1.  It is the intent of the Legislature that this act
protect California consumers from the use of spyware and malware that
is deceptively or surreptitiously installed on their computers.
Because the threats posed by these practices change over time, it is
the intent of the Legislature to revise the provisions in this act as
needed to fully protect consumers from additional unfair and
deceptive practices and to address future innovations in computer
technology and practices.
  SEC. 2.  Chapter 32 (commencing with Section 22947) is added to
Division 8 of the Business and Professions Code, to read:

      CHAPTER 32.  CONSUMER PROTECTION AGAINST COMPUTER SPYWARE ACT

   22947.  This chapter shall be known as and may be cited as the
Consumer Protection Against Computer Spyware Act.
   22947.1.  For purposes of this chapter, the following terms have
the following meanings:
   (a) "Advertisement" means a communication, the primary purpose of
which is the commercial promotion of a commercial product or service,
including content on an Internet Web site operated for a commercial
purpose.
   (b) "Authorized user," with respect to a computer, means a person
who owns or is authorized by the owner or lessee to use the computer.
An "authorized user" does not include a person or entity that has
obtained authorization to use the computer solely through the use of
an end user license agreement.
   (c) "Computer software" means a sequence of instructions written
in any programming language that is executed on a computer.
   (d) "Computer virus" means a computer program or other set of
instructions that is designed to degrade the performance of or
disable a computer or computer network and is designed to have the
ability to replicate itself on other computers or computer networks
without the authorization of the owners of those computers or
computer networks.
   (e) "Consumer" means an individual who resides in this state and
who uses the computer in question primarily for personal, family, or
household purposes.
   (f) "Damage" means any significant impairment to the integrity or
availability of data, software, a system, or information.
   (g) "Execute," when used with respect to computer software, means
the performance of the functions or the carrying out of the
instructions of the computer software.
   (h) "Intentionally deceptive" means any of the following:
   (1) By means of an intentionally and materially false or
fraudulent statement.
   (2) By means of a statement or description that intentionally
omits or misrepresents material information in order to deceive the
consumer.
   (3) By means of an intentional and material failure to provide any
notice to an authorized user regarding the download or installation
of software in order to deceive the consumer.
   (i) "Internet" means the global information system that is
logically linked together by a globally unique address space based on
the Internet Protocol (IP), or its subsequent extensions, and that
is able to support communications using the Transmission Control
Protocol/Internet Protocol (TCP/IP) suite, or its subsequent
extensions, or other IP-compatible protocols, and that provides,
uses, or makes accessible, either publicly or privately, high level
services layered on the communications and related infrastructure
described in this subdivision.
   (j) "Person" means any individual, partnership, corporation,
limited liability company, or other organization, or any combination
thereof.
   (k) "Personally identifiable information" means any of the
following:
   (1) First name or first initial in combination with last name.
   (2) Credit or debit card numbers or other financial account
numbers.
   (3) A password or personal identification number required to
access an identified financial account.
   (4) Social Security number.
   (5) Any of the following information in a form that personally
identifies an authorized user:
   (A) Account balances.
   (B) Overdraft history.
   (C) Payment history.
   (D) A history of Web sites visited.
   (E) Home address.
   (F) Work address.
   (G) A record of a purchase or purchases.
   22947.2.  A person or entity that is not an authorized user, as
defined in Section 22947.1, shall not, with actual knowledge, with
conscious avoidance of actual knowledge, or willfully, cause computer
software to be copied onto the computer of a consumer in this state
and use the software to do any of the following:
   (a) Modify, through intentionally deceptive means, any of the
following settings related to the computer's access to, or use of,
the Internet:
   (1) The page that appears when an authorized user launches an
Internet browser or similar software program used to access and
navigate the Internet.
   (2) The default provider or Web proxy the authorized user uses to
access or search the Internet.
   (3) The authorized user's list of bookmarks used to access Web
pages.
   (b) Collect, through intentionally deceptive means, personally
identifiable information that meets any of the following criteria:
   (1) It is collected through the use of a keystroke-logging
function that records all keystrokes made by an authorized user who
uses the computer and transfers that information from the computer to
another person.
   (2) It includes all or substantially all of the Web sites visited
by an authorized user, other than Web sites of the provider of the
software, if the computer software was installed in a manner designed
to conceal from all authorized users of the computer the fact that
the software is being installed.
   (3) It is a data element described in paragraph (2), (3), or (4)
of subdivision (k) of Section 22947.1, or in subparagraph (A) or (B)
of paragraph (5) of subdivision (k) of Section 22947.1, that is
extracted from the consumer's computer hard drive for a purpose
wholly unrelated to any of the purposes of the software or service
described to an authorized user.
   (c) Prevent, without the authorization of an authorized user,
through intentionally deceptive means, an authorized user's
reasonable efforts to block the installation of, or to disable,
software, by causing software that the authorized user has properly
removed or disabled to automatically reinstall or reactivate on the
computer without the authorization of an authorized user.
   (d) Intentionally misrepresent that software will be uninstalled
or disabled by an authorized user's action, with knowledge that the
software will not be so uninstalled or disabled.
   (e) Through intentionally deceptive means, remove, disable, or
render inoperative security, antispyware, or antivirus software
installed on the computer.
   22947.3.  A person or entity that is not an authorized user, as
defined in Section 22947.1, shall not, with actual knowledge, with
conscious avoidance of actual knowledge, or willfully, cause computer
software to be copied onto the computer of a consumer in this state
and use the software to do any of the following:
   (a) Take control of the consumer's computer by doing any of the
following:
   (1) Transmitting or relaying commercial electronic mail or a
computer virus from the consumer's computer, where the transmission
or relaying is initiated by a person other than the authorized user
and without the authorization of an authorized user.
   (2) Accessing or using the consumer's modem or Internet service
for the purpose of causing damage to the consumer's computer or of
causing an authorized user to incur financial charges for a service
that is not authorized by an authorized user.
   (3) Using the consumer's computer as part of an activity performed
by a group of computers for the purpose of causing damage to another
computer, including, but not limited to, launching a denial of
service attack.
   (4) Opening multiple, sequential, stand-alone advertisements in
the consumer's Internet browser without the authorization of an
authorized user and with knowledge that a reasonable computer user
cannot close the advertisements without turning off the computer or
closing the consumer's Internet browser.
   (b) Modify any of the following settings related to the computer's
access to, or use of, the Internet:
   (1) An authorized user's security or other settings that protect
information about the authorized user for the purpose of stealing
personal information of an authorized user.
   (2) The security settings of the computer for the purpose of
causing damage to one or more computers.
   (c) Prevent, without the authorization of an authorized user, an
authorized user's reasonable efforts to block the installation of, or
to disable, software, by doing any of the following:
   (1) Presenting the authorized user with an option to decline
installation of software with knowledge that, when the option is
selected by the authorized user, the installation nevertheless
proceeds.
   (2) Falsely representing that software has been disabled.
   (d) Nothing in this section shall apply to any monitoring of, or
interaction with, a subscriber's Internet or other network connection
or service, or a protected computer, by a telecommunications
carrier, cable operator, computer hardware or software provider, or
provider of information service or interactive computer service for
network or computer security purposes, diagnostics, technical
support, repair, authorized updates of software or system firmware,
authorized remote system management, or detection or prevention of
the unauthorized use of or fraudulent or other illegal activities in
connection with a network, service, or computer software, including
scanning for and removing software proscribed under this chapter.
   22947.4.  (a) A person or entity, who is not an authorized user,
as defined in Section 22947.1, shall not do any of the following with
regard to the computer of a consumer in this state:
   (1) Induce an authorized user to install a software component onto
the computer by intentionally misrepresenting that installing
software is necessary for security or privacy reasons or in order to
open, view, or play a particular type of content.
   (2) Deceptively causing the copying and execution on the computer
of a computer software component with the intent of causing an
authorized user to use the component in a way that violates any other
provision of this section.
   (b) Nothing in this section shall apply to any monitoring of, or
interaction with, a subscriber's Internet or other network connection
or service, or a protected computer, by a telecommunications
carrier, cable operator, computer hardware or software provider, or
provider of information service or interactive computer service for
network or computer security purposes, diagnostics, technical
support, repair, authorized updates of software or system firmware,
authorized remote system management, or detection or prevention of
the unauthorized use of or fraudulent or other illegal activities in
connection with a network, service, or computer software, including
scanning for and removing software proscribed under this chapter.
   22947.5. It is the intent of the Legislature that this chapter is
a matter of statewide concern.  This chapter supersedes and preempts
all rules, regulations, codes, ordinances, and other laws adopted by
a city, county, city and county, municipality, or local agency
regarding spyware and notices to consumers from computer software
providers regarding information collection.
   22947.6.  The provisions of this chapter are severable.  If any
provision of this chapter or its application is held invalid, that
invalidity shall not affect any other provision or application that
can be given effect without the invalid provision or application.