Part 2: Could “Undeletable” Cookies Be a Felony in Pennsylvania?

Pennsylvania’s New Consumer Protection Against Computer Spyware Act

In 2012, “Could ‘Undeletable’ Cookies Be a Felony in Pennsylvania?” addressed the criminal implications in Pennsylvania of undeletable cookies. The Pennsylvania Computer Offenses Law (18 Pa. C.S. 7601 et seq.) provides for felony penalties for violations.

Interestingly, Pennsylvania also has a new (2010, P.L. 855, No. 86) Consumer Protection Against Computer Spyware Act (73 P.S. 2330.1–2330.9, and 2330.19). The apparent aim of the Act is to prevent software from being deceptively installed on a user’s computer and compromising personally identifiable information. The Act provides second-degree felony penalties for persons who violate the Spyware Act—with up to ten years in prison and/or a fine of up to $25,000. 73 P.S. 2330.8.

While written in a cumbersome and highly confusing manner, the Spyware Act makes several activities illegal, including:

  • installing software without the authorized user’s knowledge;
  • misleadingly installing software (installing as part of another install or deceiving a person into installing an application);
  • saying software was not installed when it was;
  • saying software was uninstalled when it was not;
  • triggering the opening of multiple, uncloseable browser windows;
  • tampering with security settings; and
  • inducing a person to install software claiming the software is necessary for privacy or security.

The Act appears to exclude caching (cookies) as data (but apparently not software that misleadingly permits spyware-like activities) and other data-only issues (73 P.S. 2330). But software companies, cloud services, and other providers should be aware of the new law.

Notably, the Act criminalizes acts of the alleged wrongdoer that are either done with actual knowledge or “with conscious avoidance of actual knowledge or willfully.” Thus, one cannot simply claim they “didn’t know” that the software would be used in a way to violate the Act.

Furthermore, the Act specifically appears to prohibit activities analogous to wiretapping (18 Pa. C.S. 5741 et seq.) such as installing keyloggers—sometimes an issue in employer or marital disputes.

The Act also takes a fairly expansive view of personally identifiable information including:

  • first and last name;
  • address information; and
  • financial account information including log-ins, passwords, and account balances.

The Act deems this type of information protected.

As with other statutes previously mentioned (18 Pa. C.S. 7601 et seq.), these newer statutes attempt to protect consumers. The Act, however, poses formidable perils for software companies and software services providers; the simple answer is to be honest and accurate in claims.