(3) It is a data element described in paragraph (2), (3), or (4) of subdivision (k) of Section 22947.1, or in subparagraph (A) or (B) of paragraph (5) of subdivision (k) of Section 22947.1, that is extracted from the consumer’s computer hard drive for a purpose wholly unrelated to any of the purposes of the software or service described to an authorized user.
While the enumerated acts include what would generally be classed as activities performed by spyware, the law is actually much broader than spyware and includes other conduct that would not generally be classed as spyware.
A debatable issue is whether this law actually brings anything new to the fight against spyware. As noted by one commentator:
These are surely bad actions. But they’re all prohibited under existing law – fraud, unfair trade practice, computer fraud and abuse act, etc. * * * In contrast, [the Act] fails to speak to the truly controversial activities – many of them arguably “borderline: -- that have actually been used by major players in the spyware space, whose installed user counts now reach into the tens of millions.