Utah Amends Spyware Control Act

Last week, the Utah governor signed HB 104, the amendment to Utah’s Spyware Control Act. The amendment is, in fact, a nearly complete rewrite of the prior law. I blogged on the proposed law last month, and since then further changes were made. Here’s an initial critique of the law.

Definition of Spyware

The act defines “spyware” as adware that displays trademark-triggered pop-up ads. There is no user consent exception to the definition. Software is regulated even if the user enthusiastically consents to its installation after comprehensive disclosure. As I complained last time, this law is not about protecting consumers, it’s about limiting competition.

Prohibited Acts

The law prohibits using adware to display a pop-up ad (1) contemporaneously in response to a specific trademark or URL, (2) that infringes a registered state or federal trademark, and (3) for an advertiser who is not one of six classes of permitted purchasers (including users engaged in trademark fair use).

Requirement #2 was added since my last critique, and it changes the law significantly. It removes my concern that the law creates trademark-like protection for domain names that are not registered trademarks (which, though included in the definition of a “Mark,” receive no protection under Requirement #2).

In fact, because the law requires that the plaintiff must prove trademark infringement, I’m not entirely clear what this law adds to existing trademark law. As far as I can tell, there are really only two new consequences. First, this law may create some new remedies against the infringing advertiser, such as statutory damages. Second, it codifies a cause of action against the adware vendor rather than relying on an unproven contributory trademark claim. (I should note that, like trademark law generally, the law does not create a private cause of action for affected consumers).

Nevertheless, the law still leaves open the most basic question—does triggering a pop-up ad in response to a registered trademark constitute trademark infringement in the first place? If the answer is no, then by definition this law is moot. I’m pretty surprised if the legislative patrons missed this point—they could have simply defined triggering as a per se trademark infringement. Without that definition, a court could deem triggering a trademark non-use, non-infringing, or fair use—any of which cause the plaintiff to lose both the trademark infringement and spyware control act claims.

Anti-Spyware Software

The act gives software vendors and websites a safe harbor if they clean a user’s computer of spyware if (a) they have a relationship with the user, and (b) they gives notice to the user. There has been some litigation over this very question, so Utah appears to be the first state to offer a safe haven for attack software. Given the legislative patrons for this act, it wouldn’t surprise me if Overstock.com and 1-800 Contacts start offering hard disk cleansing services for their customers (that conveniently look for certain adware from, say, Claria or WhenU).

Open Issues

· What does this law do to the pending lawsuit to enjoin the prior version of the law? WhenU won a preliminary injunction against the previous version of the act. I assume the existing lawsuit is now moot, though perhaps we will see a new challenge to this version.

· Does this law survive the dormant commerce clause? As I discussed earlier, the law contemplates that adware vendors will ask users to reveal their geography—creating the specter that users will be bombarded with pop-ups requesting geographic information as they use the web. I’m not entirely sure this structure avoids the DCC claim, however. The law puts the burden on adware vendors not otherwise doing business in Utah to ask geography, even if the adware vendor has no users in Utah. This seems to be a pretty clear extraterritorial reach by Utah, so I could see that raising a serious DCC claim.

· Will the adware vendor’s liability be preempted by 47 USC 230? 230 does not preempt IP laws, and this law may or may not be considered a trademark law. Certainly its title—attempts to control spyware—suggests that this is not an IP law, although the prima facie requirement of a trademark infringement supports a contrary conclusion. If this is not an IP law, then I think adware vendors may be able to claim that this law is preempted by 230 because it attempts to treat them as the publisher/speaker of its advertisers’ content. In fact, 230 has specifically protected a website from being liable for its advertiser’s content in Ramey v. Darkside Productions, although that case involved claims for emotional distress (and others).