California Anti-Phishing Law–Cal. B&P Code Sec. 22948

By Eric Goldman

Going through my stack, I came across Cal. Business & Professions Code Sec. 22948-22948.3 (SB 355), California’s recently enacted anti-phishing law. In general, compared to other state anti-Internet behavior laws, this law is relatively targeted and unobjectionable. However, the substantive provision caught my attention for an unexpected reason. 22948.2 says:

“It shall be unlawful for any person, by means of a Web page, electronic mail message, or otherwise through use of the Internet, to solicit, request, or take any action to induce another person to provide identifying information by representing itself to be a business without the authority or approval of the business.”

I’ve highlighted the part that I find interesting. The term “business” isn’t defined, but per 22948.3(a), a business either provides Internet access to the public, owns a web page, or owns a trademark.

Because someone can be a web page owner even if they are not a trademark owner, this law is a quasi-trademark law–it gives trademark law-style rights to non-trademark owners. The way I read this, business owner X can prevent competitor Y from representing itself as business owner X (at least, for purposes of eliciting personal information via a transaction) even if business owner X doesn’t have a trademark–or even if business owner X can’t get a trademark (because, e.g., it is using a descriptive trademark that hasn’t derived secondary meaning). Anyone else have a different interpretation of this? If my reading is right, then it seems like this law provides a conceptually significant expansion of trademark law.

Further, if my reading is right, then I think trademark owners who can avail themselves of CA law can go after some alleged Internet trademark infringers under the anti-phishing law, even if there wasn’t a technical trademark infringement (at least, in the pure form of a likelihood of consumer confusion). If I were a California plaintiff-side trademark attorney, I would consider adding this cause of action as a standard pleading when online trademark infringement is involved. Note, among other things, 22948.3(a) provides statutory damages of $500,000, which might be a pretty good windfall for some trademark owners (and an even better windfall for someone who can’t get a trademark!).