The proliferation of technology that enables monitoring of computer users’ actions online and collection of their personal information has given rise to public concerns about protecting individuals’ privacy rights. At the center of the debate about such technology is software that is pejoratively referred to as "spyware," though there is vast disagreement on what "spyware" means.
Legislators and government regulators typically use the term "spyware" to refer generally to that broad category of software that often resides on an end user’s computer without his or her knowledge and is capable of everything from annoyances such as slowing system performance and delivering unwanted pop-up advertisements to genuine dangers such as collecting credit-card numbers or passwords. During the first half of 2004, Internet service provider EarthLink convincingly demonstrated the pervasiveness of spyware by scanning the PCs of almost 2.1 million Internet users. Among the more startling facts revealed by their surveys was the existence of nearly 54.8 million applications deemed to be spyware on the users’ computers, almost all of which had been reportedly installed without their knowledge.
Besides the risks to individuals’ privacy rights, spyware can also impose added economic costs on corporations. For example, a lengthy service call from a customer frustrated by excessive spyware-generated pop-up ads on her computer reduces an ISP’s profit margin for that account. Computer software and hardware companies may suffer harm to their brands when customers mistakenly blame their equipment for decreases in download and processing speeds that are actually caused by spyware programs on their computers. Finally, corporations can incur increased costs and reductions in productivity arising out of the need to regularly clean hundreds of unwanted spyware programs from their employees’ hard drives and the resultant slow-down in their computing speed.
Companies engaged heavily in e-commerce, such as L.L. Bean, have also alleged harm to their brands from software programs which deliver pop-up advertisements based upon an end user’s search engine habits by alleging trademark and copyright infringement and unfair competition in lawsuits against competitors and adware distributors.1 Such suits have sought penalties and injunctions for the delivery of a competitor’s pop-up advertisement or web site to an end user originally searching for the plaintiff’s product or service. Many of these cases have settled out of court before any legal precedent was established. Where courts have ruled, their decisions have been inconsistent which has also fueled the growing interest from policymakers in crafting a legislative solution to the consumer and business objections to spyware. Utah, as discussed below, expressly outlawed software which permits a competitor to display its advertisement or Web site over the Web site of the company whose trademarked brand was searched by the end user.
Motivated by these revelations, privacy advocacy groups, corporations and individuals have begun demanding that actions be taken to protect Internet users and companies from the potential harms of spyware. Whether these actions are ultimately taken through industry self-regulation, private lawsuits, or government regulation, or some combination of these approaches, remains to be seen. Certainly regulators at both the federal and state levels have recently proposed multiple pieces of legislation targeting spyware that could significantly impact a wide range of companies, including those that use or provide software that could be regulated as spyware as well as those who have been adversely impacted by such software. Only one piece of anti-spyware legislation has been signed into law, that being Utah’s Spyware Control Act, which is currently on hold pending judicial review. This Client Alert provides an overview of the policy debate surrounding spyware as well as summarizes the current anti-spyware legislative landscape.
Policy Debate: Self Regulation or Government Regulation
With support from leading consumer and privacy groups such as the Center for Democracy and Technology, industry leaders in the adware business have proposed key principles for self-regulation, which such companies already claim to be following voluntarily, including: (1) end user license and consent must be clearly visible to the end user; (2) the EULA itself must be clear and understandable; (3) ads delivered via the adware should be labeled to show the source, e.g., the brand name of the adware supplier is displayed; (4) the uninstall process should be easy; and (5) applications should protect end user privacy by avoiding practices such as keystroke logging or collecting personal information about end users. Federal regulators, such as the Federal Trade Commission, have professed optimism that the combination of such voluntary actions and enforcement based upon existing laws prohibiting consumer deception are sufficient.
However, the unpopularity of spyware among consumers generally has caused some key federal lawmakers, and numerous state legislatures, to reject any self-regulatory approach. Consequently, legislation continues to advance at both the federal and state level. The chart set forth below shows the current state of each piece of federal and state anti-spyware legislation as of September 3, 2004.
Legislature |
Bill |
Status |
U.S. Senate |
S. 2145 "SPYBLOCK Act" |
Pending before Senate Committee on Commerce, |
U.S. House of Representatives |
H.R. 2929 "SPY Act" |
Placed on the Union Calendar. |
U.S. House of Representatives |
H.R. 4255 "Computer Software rivacy and Control Act" |
Pending before House Subcommittee on Crime, Terrorism and Homeland Security. |
U.S. House of Representatives |
H.R. 4661 "Internet Spyware Prevention Act" |
Pending before House Committee on the Judiciary. |
Utah State Legislature |
Utah Code § 13-39 "Spyware |
Signed into law on March 23, 2004; temporarily enjoined by Utah state district court on June 22, 2004. |
California State Senate |
S.B. 1436 "Consumer Protection Against Computer Spyware Act" |
Passed in Senate and pending before Assembly. |
California State Assembly |
A.B. 2787 "Protection Against |
Passed in Assembly and pending before Senate. |
Michigan State Senate |
S.B. 1315 and S.B. 1316 |
Pending before Senate Committee on Technology and Energy. |
Pennsylvania House of Representatives. |
H.B. 2788 |
Pending before House Committee on Consumer Affairs. |
New York State Senate |
S.B. 7141 |
Passed in Senate and pending before Assembly. |
Iowa State Senate |
S.F. 2200 |
Legislature adjourned, bill will be taken up again in 2005. |
At the core of the policy debate is the feasibility of adequately regulating a class of software known as "spyware." Legislators are grappling with the issue of: (1) whether they should define a distinct category of software as "spyware" that is subject to regulation; or (2) whether it is more appropriate to try to regulate specific "bad acts" made possible by such software.
Challenges of Defining Spyware
Despite the difficulty of defining "spyware," lawmakers at the state level have introduced five new pieces of legislation within the last year that attempt to create a distinct class of software called "spyware" that is significantly regulated or prohibited altogether as described in more detail below.
"Bad Acts Approach"
Set forth below is a brief summary of recently proposed legislation intended to regulate spyware.
Legislative Summary
On March 23, 2004, Utah enacted the "Spyware Control Act" and became the first state to pass a law geared towards prohibiting spyware.
Several other states, including California, New York, Michigan, Pennsylvania and Iowa have proposed similar, though not nearly as aggressive, prohibitions on spyware.3 The Utah law and the other pending state proposals are summarized below.
Utah
"Spyware Control Act"
The law defines "spyware" as software residing on a computer that: (1) monitors the computer’s usage; (2) sends information about the computer’s usage to a remote computer or server or displays advertising in response to the computer’s usage; and (3) does not obtain the consent of the user and does not provide a method of disabling or uninstalling the software from the computer.
The law also makes it illegal to "use a context based triggering mechanism to display an advertisement that... covers or obscures paid advertising or other content on an Internet Web site." This aspect of the law would effectively make software by adware companies such as WhenU.com and Claria illegal in Utah, and perhaps elsewhere. The statute includes limited exemptions for software such as operating systems, diagnostic and repair utilities and cookies. In addition, ISPs cannot be prosecuted for apparent violations of the statute to the extent that the violations occur as part of the routine transmission of security-related information or information containing advertisements. Consistent with the sponsors’ primary focus on protecting the rights of trademark owners, the law lacks any public enforcement component. The only enforcement mechanism is through private actions by any of the following who are adversely affected by a violation of this chapter: an Internet Web site owner or registrant, a trademark or copyright owner, or an authorized advertiser on an Internet Web site. Such plaintiffs can either seek an injunction or file a lawsuit for the greater of their actual damages or $10,000 for each infraction, with the possibility of recovering treble damages for willful violations.
On June 22, 2004, a Utah state court judge granted adware provider WhenU.com’s motion for preliminary injunction against enforcement of the Spyware Control Act in its entirety. WhenU sought the injunction on the grounds that the Act violated both the Utah and the United States Constitutions. Consequently, concerns regarding the ultimate impact of Utah’s anti-spyware law on corporations doing business in Utah, as well as questions of whether the law could be preempted by federal laws, will remain unsettled pending a judicial determination as to its constitutionality.
California
S.B. 1436: "Consumer Protection Against Computer Spyware Act"
A.B. 2787: "Protection Against Computer Spyware Act"
New York
S.B. 7141: Act to Amend the Penal Law and General Business Law.
Michigan
S.B. 1315 and S.B. 1316: Acts to Amend the Michigan Compiled Laws and the Code of Criminal Procedure.
Pennsylvania
H.B. 2788: Act to Amend Title 18 (Crimes and Offenses) of Pennsylvania Consolidated Statutes.
Iowa
S.F. 2200: Act to Amend Iowa Criminal Code.
Federal Legislation
H.R. 2929: "SPY Act"
Section 2 of the bill would prohibit any party from engaging in any one of a specific list of deceptive or malicious acts, including logging a user’s keystrokes or generating pop-up ads that cannot be closed.
Section 3 of the bill would require all software programs that collect and use personally identifiable information, including a person’s name, email address, or bank account numbers, to first include an affirmative opt-in step with a descriptive notice, including one of three prescribed identity statements.
Exempted from these requirements are acts by telecommunications carriers, ISPs, and cable operators as well as law enforcement agents and network security providers that would otherwise be violations of Section 3.
Reflecting a clear intention to preempt the Utah Spyware Control Act’s ban on the use of context-based triggering mechanisms, all state anti-spyware laws – apart from those regulating fraud, trespass, contract, or tort – would be preempted by the SPY Act. The FTC would be given the exclusive authority to enforce the statute and to impose fines of up to $3 million for each violation of Section 2 and up to $1 million for each violation of Section 3.
S. 2145: "SPYBLOCK Act"
S. 2145 would affect any entity who provides software that: (1) collects personal information or monitors the activities of an Internet user; (2) modifies a computer user’s computer settings; or (3) generates pop-up advertisements if the software does not first provide notice to and obtain the consent of the computer user according to statutorily-prescribed standards. Furthermore, it would exempt Internet search providers, ISPs and data storage companies who did not receive a direct economic benefit from the transgression. S. 2145 also contains specific exemptions for certain types of preinstalled software, browser, email and instant messaging software, and software used to provide technical support and to validate the existence of a license. The bill empowers the FTC and state attorneys general to enforce its provisions, and would impose punishments including fines and possible prison sentences for violations.
Conclusion
- Ensure that privacy policies and end user license agreements are easily understood by a layperson and contain clear, conspicuous policies regarding notice, disclosure and consent, particularly with regard to the collection and distribution of behavioral or personal information.
- Establish internal procedures to monitor and assure compliance with the terms of any such privacy policy.
- Conduct an inventory and legal review regarding the company’s search engine advertising practices, particularly with regard to contractual or other means for protecting the company’s brands. Develop and adopt sound practices for the use of interactive advertising software.
- Be judicious in the use of the term "spyware" or "adware" when referring to or describing third party software providers in company documents or Web sites.
We will continue to track legislative efforts relating to spyware in the United States and abroad and will report on any significant developments in this area as they occur.
Endnotes
2 The desire to protect individual users while still encouraging innovation by industry, at least in part, has propelled a large number of industry players to participate in the ongoing debate over spyware and the new legislation designed to limit it. In a letter addressed to the sponsors of Utah’s anti-spyware bill, companies including eBay, Google, and Yahoo!, as well as industry trade groups like the Business Software Alliance and the Information Technology Association of America, stated that they supported the bill’s general intent. They nevertheless opposed the legislation on the grounds that its definition of "spyware," among other things, was so broad that they claimed it could have "serious unintended consequences on everyday, legitimate activities on the Internet." Letter from Google, et al. to John Valentine, Senator, Utah State Senate and Steve Urquhart, Representative, Utah State House of Representatives (Mar. 1, 2004) (On file at the Utah State Legislature).
3 State legislators in Virginia have also indicated in proposed bill H.B. 1304 their intent to conduct an analysis of regulations regarding spyware by 2006. See H.B. 1304, 2004 Gen. Assem., Reg. Sess., (Va. 2004).
4 H.B. 323, 56th Leg., Gen. Sess. (Ut. 2004). Enacted as Spyware Control Act, Utah Code § 13-39-101 through §13-39-401.
5 A.B. 2787, 2003-2004 Reg. Sess., (Ca. 2004).
6 S.B. 7141, 227th Ann. Leg. Sess., (Ny. 2004).
7 S.B. 1315, 2004 Leg., 92nd Sess. (Mich. 2004).
8 S.B. 1316, 2004 Leg., 92nd Sess. (Mich. 2004).
9 H.B. 2788, 2003-04 Leg., 187th Sess. (Pa. 2004).
10 S.F., 2200, 80th Gen. Assem., 2nd Reg. Sess., (Ia. 2004).
11 Internet Spyware Prevent Act of 2004, H.R. 4255, 108th Cong. (2004).
12 Computer Software Privacy and Control Act, H.R. 4255, 108th Cong. (2004).
13 Securely Protect Yourself Against Cyber Trespass Act, H.R. 2929, 108th Cong. (2003). The short title of this bill as originally introduced was the "Safeguard Against Privacy Invasions Act."
14 Software Principles Yielding Better Levels of Consumer Knowledge Act, S. 2145, 108th Cong. (2004). This proposal is currently pending before the Senate Committee on Commerce, Science and Transportation. As of the publication of this Client Alert, the committee was considering a number of
possible changes to the bill but had not yet issued any official amendments to it. Therefore it is possible that a revised version of S. 2145 could come out of this committee in the near future.
Outsourcing is the topic of conversation everywhere — and the world of fund management is no exception. Fund Managers are looking to outsource to reduce operational risk, to focus on supporting the business more effectively and to reduce costs.
Leading global law firm Latham & Watkins, in conjunction with Putnam Lovell, an investment banking firm focused on the financial services industry, will bring together industry specialists to debate the outsourcing trend, and its impact and influence on the future shape of the fund management industry. Aimed at CEOs, COOs and CFOs of fund management firms, as well as the heads of procurement and the in-house lawyers, the seminar will provide a strategic overview as well as explore implementation and regulatory issues. The event will take place in London on 20 October 2004.
Background
As recently as 18 months ago, Schroders, the UK's second largest listed fund management company, Merrill Lynch Investment Managers and Scottish Widows Investment Partnership, part of Lloyds TSB, the UK bank, were among the few to have signed outsourcing deals that handed considerable administrative functions to the leading custody banks.
Last year, however, there was a sudden surge of business. It began when Standard Life Investments, the Edinburgh-based subsidiary of Europe's biggest mutual, entered exclusive talks with Citigroup, the world's fourth largest custody bank. Within weeks, F&C Management, a London-based subsidiary of Eureko, a pan-European financial services group, had forged a link with Mellon Financial, another leading US bank. Since then there has been a host of significant lift-out deals.
Earlier in May, the first continental European fund management outsourcing was announced: ABN Amro Asset Management outsourced their €75 billion fund administration and investment operations services to State Street. The outsourcing trend continues unabated within the sector.
In addition to the complexity of conducting a major outsourcing transaction—people, contractors, negotiations, vendors, etc.— Fund Managers also need to focus on the regulatory implications of the business process change.
Putnam Lovell and Latham & Watkins are running a half-day seminar, specifically designed for the Fund Management sector, on the strategic role of outsourcing and the best approach to implementation. The event will include insights into the transactions already completed through the panel contribution of both vendors and fund management customers.
Program Agenda [For more information, please call Anine Leakey on +44 207 710 1865.]
Welcome and Introduction
Martin Saywell (Latham & Watkins) and Darlene DeRemer (Putnam Lovell)
The Role of Outsourcing in Fund Management: A Strategic Overview
This panel session moderated by Andrew Moyle (Latham & Watkins, London), speakers Don Putnam (Putnam Lovell) and Jeff Conway (State Street) will cover:
- driving forces behind fund management outsourcing;
- norms of fund management outsourcing; and
- 10 things a fund management CEO needs to know about outsourcing
Key Things to Consider from the Regulatory Side
Chaired by Nigel Campion-Smith (Latham & Watkins, London)
Implementation: A Case Study
A panel discussion moderated by Putnam Lovell, speakers Dan Kramer (COO, Deutsche Asset Management), Darren Pearce (Managing Director, Bank of New York) and Nick Wright (Senior Vice President, Northern Trust) will discuss the life cycle of a real case study.
Implementation: Process, Process, Proccess
Alex Hamilton (Latham & Watkins, London) and Scott Sullivan (In-house Counsel, Deutsche Asset Management) will cover the five stages of an outsourcing.
Lunch with guest speaker, Mike Foster (Associate Editor, Financial News)
Sponsors
Latham & Watkins
is a leader in corporate finance, capital markets transactions, mergers and acquisitions, and complex business litigation. With over 1,500 lawyers practicing in 21 offices, Latham is one of the few law firms capable of working seamlessly across geographic and practice boundaries to deliver top quality representation worldwide. For more information, visit us on our Web site at www.lw.com.Putnam Lovell NBF Securities Inc. ("Putnam Lovell NBF") is an investment banking firm focused on the financial services industry. It offers merger and acquisition advice, equity capital markets, fixed income trading, and general corporate finance advisory services. It serves a global client base comprised of diversified financial services firms, institutional asset managers, mutual fund managers, banks, broker-dealers, insurers, and financial technology firms. Putnam Lovell NBF was founded in 1987 and operates from offices in Boston, London, New York and San Francisco. Putnam Lovell NBF Securities Inc. is regulated by the FSA and is an affiliate of NBC Financial (UK) Ltd. For more information on Putnam Lovell NBF, please visit: www.putnamlovellnbf.com.
Latham & Watkins operates as a limited liability partnership worldwide with an affiliate in the United Kingdom and Italy, where the practice is conducted through an affiliated multinational partnership. © Copyright 2003 Latham & Watkins. All Rights Reserved.
Latham & Watkins is an international law firm of more than 1,500 attorneys in 21 offices worldwide, including Boston, Brussels, Chicago, Frankfurt, Hamburg, Hong Kong, London, Los Angeles, Milan, Moscow, New Jersey, New York, Northern Virginia, Orange County, Paris, San Diego, San Francisco, Silicon Valley, Singapore, Tokyo, and Washington, D.C.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances
Outsourcing is the topic of conversation everywhere — and the world of fund management is no exception. Fund Managers are looking to outsource to reduce operational risk, to focus on supporting the business more effectively and to reduce costs.
Leading global law firm Latham & Watkins, in conjunction with Putnam Lovell, an investment banking firm focused on the financial services industry, will bring together industry specialists to debate the outsourcing trend, and its impact and influence on the future shape of the fund management industry. Aimed at CEOs, COOs and CFOs of fund management firms, as well as the heads of procurement and the in-house lawyers, the seminar will provide a strategic overview as well as explore implementation and regulatory issues. The event will take place in London on 20 October 2004.
Background
As recently as 18 months ago, Schroders, the UK's second largest listed fund management company, Merrill Lynch Investment Managers and Scottish Widows Investment Partnership, part of Lloyds TSB, the UK bank, were among the few to have signed outsourcing deals that handed considerable administrative functions to the leading custody banks.
Last year, however, there was a sudden surge of business. It began when Standard Life Investments, the Edinburgh-based subsidiary of Europe's biggest mutual, entered exclusive talks with Citigroup, the world's fourth largest custody bank. Within weeks, F&C Management, a London-based subsidiary of Eureko, a pan-European financial services group, had forged a link with Mellon Financial, another leading US bank. Since then there has been a host of significant lift-out deals.
Earlier in May, the first continental European fund management outsourcing was announced: ABN Amro Asset Management outsourced their €75 billion fund administration and investment operations services to State Street. The outsourcing trend continues unabated within the sector.
In addition to the complexity of conducting a major outsourcing transaction—people, contractors, negotiations, vendors, etc.— Fund Managers also need to focus on the regulatory implications of the business process change.
Putnam Lovell and Latham & Watkins are running a half-day seminar, specifically designed for the Fund Management sector, on the strategic role of outsourcing and the best approach to implementation. The event will include insights into the transactions already completed through the panel contribution of both vendors and fund management customers.
Program Agenda [For more information, please call Anine Leakey on +44 207 710 1865.]
Welcome and Introduction
Martin Saywell (Latham & Watkins) and Darlene DeRemer (Putnam Lovell)
The Role of Outsourcing in Fund Management: A Strategic Overview
This panel session moderated by Andrew Moyle (Latham & Watkins, London), speakers Don Putnam (Putnam Lovell) and Jeff Conway (State Street) will cover:
- driving forces behind fund management outsourcing;
- norms of fund management outsourcing; and
- 10 things a fund management CEO needs to know about outsourcing
Key Things to Consider from the Regulatory Side
Chaired by Nigel Campion-Smith (Latham & Watkins, London)
Implementation: A Case Study
A panel discussion moderated by Putnam Lovell, speakers Dan Kramer (COO, Deutsche Asset Management), Darren Pearce (Managing Director, Bank of New York) and Nick Wright (Senior Vice President, Northern Trust) will discuss the life cycle of a real case study.
Implementation: Process, Process, Proccess
Alex Hamilton (Latham & Watkins, London) and Scott Sullivan (In-house Counsel, Deutsche Asset Management) will cover the five stages of an outsourcing.
Lunch with guest speaker, Mike Foster (Associate Editor, Financial News)
Sponsors
Latham & Watkins
is a leader in corporate finance, capital markets transactions, mergers and acquisitions, and complex business litigation. With over 1,500 lawyers practicing in 21 offices, Latham is one of the few law firms capable of working seamlessly across geographic and practice boundaries to deliver top quality representation worldwide. For more information, visit us on our Web site at www.lw.com.Putnam Lovell NBF Securities Inc. ("Putnam Lovell NBF") is an investment banking firm focused on the financial services industry. It offers merger and acquisition advice, equity capital markets, fixed income trading, and general corporate finance advisory services. It serves a global client base comprised of diversified financial services firms, institutional asset managers, mutual fund managers, banks, broker-dealers, insurers, and financial technology firms. Putnam Lovell NBF was founded in 1987 and operates from offices in Boston, London, New York and San Francisco. Putnam Lovell NBF Securities Inc. is regulated by the FSA and is an affiliate of NBC Financial (UK) Ltd. For more information on Putnam Lovell NBF, please visit: www.putnamlovellnbf.com.
Latham & Watkins operates as a limited liability partnership worldwide with an affiliate in the United Kingdom and Italy, where the practice is conducted through an affiliated multinational partnership. © Copyright 2003 Latham & Watkins. All Rights Reserved.
Latham & Watkins is an international law firm of more than 1,500 attorneys in 21 offices worldwide, including Boston, Brussels, Chicago, Frankfurt, Hamburg, Hong Kong, London, Los Angeles, Milan, Moscow, New Jersey, New York, Northern Virginia, Orange County, Paris, San Diego, San Francisco, Silicon Valley, Singapore, Tokyo, and Washington, D.C.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances