California Toughens Spyware Laws

Many companies already comply by offering customers opt-out alternative

InformationWeek Staff, Contributor

October 8, 2004

Starting next year, most companies that do business in California face a new law requiring that they tell their customers what personal information they share and with whom they share it. Software companies and Web sites using spyware will need to reveal what information they collect, and they face penalties if they place spyware without consent.

California Sen. Liz Figueroa sponsored a law that requires companies to tell consumers what information they share. Photo by AP

The two new laws take effect Jan. 1. The first, sponsored by Sen. Liz Figueroa, requires companies, if a customer asks, to explain the type of personal information they share with other businesses, along with the names and addresses of those with whom the information has been shared. Alternatively, a business may provide a privacy statement that offers customers a cost-free means to opt out of the business's information-sharing activities. The law excludes financial-services companies, which face similar federal requirements.

In practice, the law may accomplish little more than reinforcing the need for marketers to offer opt-out options. "Either you have to have what I call a mini-FOIA [Freedom of Information Act] department within your retail establishment, or you need to offer your consumers the ability to opt out or opt in," says Elise Berkower, senior compliance officer at DoubleClick Inc., a service and technology provider for marketers. The Direct Marketing Association--which lobbied for the opt-out alternative--says some 95% of its members comply because they offer opt-out avenues.

The law could narrow the discrepancy in data-sharing standards between online and mail-order marketing, since it applies to both, says Alan Chapell, president of privacy and data-collection consultancy Chapell & Associates. "Historically, the direct-marketing industry has been one that has lacked transparency," Chapell says. "When people don't know what's happening with their data, they assume the worst."

Some businesses are beginning to assume the worst about legislation coming out of California--to the point where they welcome federal laws to repair aggressive and uneven state statutes toward customer information and marketing. E-mail legislation passed in California would have been unworkable if the federal Can-Spam Act of 2003 hadn't come along, says Jennifer Barrett, chief privacy officer at marketing-information-management company Acxiom Corp. "There's a high level of frustration throughout the business community with privacy legislation initiated at the state level."

Separately, California's anti-spyware law bans secret placement of software, and it requires notification when spyware is installed and for what purpose, with penalties of up to $1,000 for each violation. Spyware can be anything from hacker tools such as Trojan horses and keystroke loggers to programs to track what Web-search terms a consumer uses. The U.S. House of Representatives passed two anti-spyware bills last week.

Awareness may already be driving spyware down; instances of adware and adware cookies decreased from July to September, as did the number of system monitors and Trojan-horse applications on Internet users' systems, Internet service provider EarthLink Inc. and anti-spyware software maker Webroot Software Inc. said last week. Yet it remains a big problem: They found, on average, 25 spyware-related applications on each system, compared with 26.5 in the January to March time frame.
