Utah May Repeal Its Spyware Control Act–SB 26

By Eric Goldman

It’s that time of year again. The Utah legislature is back in session and cooking up new schemes to regulate the Internet. So far I only see one Internet-specific bill in queue, SB 26. Surprisingly, it does not directly attempt to regulate keyword advertising.

SB 26 is sponsored by Sen. Stephen H. Urquhart, who rocketed to national cyberlaw fame (infamy?) in 2004 when he sponsored Utah’s Spyware Control Act. It was such a misguided law that it motivated me (in part) to write a 71 page magnum opus explaining its policy deficiencies. It was also hampered by its fairly obvious unconstitutionality, which was confirmed by a Utah court a few months after passage. (Note: I helped write an amicus brief in that court challenge, so you might interpret my assessment as an advocacy statement). Following the judicial thumping, then-Rep. Urquhart shepherded an amendment to the Spyware Control Act in 2005 that effectively neutered the law. Since then, I believe the law has sat largely dormant. The only court citation I know of was in the 2008 Overstock v. SmartBargains case, easily rejecting Overstock’s mystifying attempt to make a claim under the superseded 2004 version of the law.

Among other items I’ll discuss in a moment, SB 26 proposes to repeal the Spyware Control Act entirely. If passed, that would be a remarkable development because most legislators let their failed laws sit on the books unused. It takes some work to repeal a law, plus it can be a little embarrassing to repeal a law–especially after hyping up the law to get it passed initially (Urquhart had a lot of tough talk about spyware/adware in 2004-05, see, e.g., here). Kudos to Sen. Urquhart for having the fortitude to admit and fix his errors publicly.

While repealing the law would be a remarkable step on its own, it’s even more remarkable in the context of the Utah legislature’s track record of Internet regulation. By my count, repealing the Spyware Control Act would be at least the THIRD Utah Internet law that its legislature repealed in the past few years–the other two being Utah’s 1995 digital signature act and its infamous Trademark Protection Act. For a legislature that meets only a couple of months a year, a trifecta of repealed Internet laws in the past couple of years is a stunning waste of scarce legislative resources. Wow.

As bad as that is, the three repealed laws don’t even tell the full story of the Utah legislature’s incompetence when it comes to Internet regulation. Recall Utah’s failed attempt to line its coffers by taxing email (which turned into a big money-loser), and don’t forget its repeated attempts to regulate Internet content that have spawned years of costly litigation (see, e.g., Free Speech Coalition v. Shurtleff). From my perspective, anyone looking objectively at the Utah legislature’s track record of regulating the Internet would logically conclude that they should cut their losses and focus on other legislative priorities.

Unfortunately, SB 26 indicates that either hope springs eternal in the Utah legislature or they are doomed to forget the lessons of history. Despite doing some good by putting down the Spyware Control Act, the bill amazingly proposes more regulations of the Internet! To Sen. Urquhart’s credit, the bill is largely clone-and-revise proposals from other places and not drafted from scratch, which may contribute less from a regulatory standpoint but at least they aren’t quite as error prone. The proposed law has three main components:

1) anti-phishing/anti-pharming restrictions. I’m not sure where the original text came from. California has an anti-phishing law but I don’t think this is a clone-and-revise of that law. Maybe it’s cloned from another state’s anti-phishing law. In any case, the anti-”phishing” proposal is noteworthy because the regulation doesn’t restrict itself to email (presumably to avoid any risk of CAN-SPAM preemption). As a result, as currently drafted, it’s an unlimited anti-pretexting law applicable to both online and offline conduct.

2) anti-spyware restrictions. After wiping out the Spyware Control Act, the new anti-spyware proposals are based on the California model of state anti-spyware laws, which have been followed by a couple dozen other states. The California model regulates various types of “intentionally deceptive” conduct regarding software activity. This is what Utah should have done in 2004-05 rather than trying to develop its own sui generis law. I generally don’t have a problem with regulating intentionally deceptive software behavior, but it seems a little late to be enacting the laws now. Most of the regulations contemplate practices more common in 2003-06 and largely defunct now, so Utah is showing up late to a party that ended years ago.

3) a state version of the federal Anti-Cybersquatting Consumer Protection Act. I know some other states have enacted domain name protection laws (California comes to mind), but it’s not clear what benefits these state laws have. As far as I know, California’s law is almost never used. Tom O’Toole speculates that this bill will make it easier for Utah trademark owners to bring in rem lawsuits, but it’s not clear to me how much this law will help given the rarity of ACPA in rem lawsuits (UDRPs are usually cheaper and faster for the same results) and already expansive jurisdictional principles under ACPA. Further, I wonder if this law is preempted either by the dormant commerce clause or via field preemption of the federal ACPA.

I should add that I’ve observed that Utah bills can change radically from draft to draft with little warning, even if the law is on the legislative floor for a final vote, so we’ll have to see if this law transmogrifies through the process. And I am keeping a vigilant watch for any resurrected attempts to regulate keyword advertising.