In general, most forms of spyware are legal according to current US criminal laws. The US Computer Fraud and Abuse Act (CFAA), which established computer crimes and remains the primary law under which computer criminals are prosecuted, is generally considered inapplicable because spyware rarely causes destruction. The other major applicable law—the US Electronic Communications Privacy Act (ECPA), which prohibits third-parties from intercepting or disclosing private electronic communications—is also considered inapplicable because spyware often is installed with user consent (via an End User License Agreement—EULA).
The US Congress is working on new legislation to fill the holes left open by the CFAA and ECPA. As a result, both the Securely Protect Yourself Against Cyber Trespass Act (SPY ACT) and the Internet Spyware (I-SPY) Prevention Act passed the House of Representatives in October 2004. These bills are working their way through the Senate, and some form of antispyware legislation could pass Congress in 2005. In addition, action is being taken at the state level. Both California and Utah have passed spyware legislation, although the Utah law is currently under legal challenge by a spyware publisher (see the "Learning Path" box in the main article for links to more legal information).
Meanwhile, the US Federal Trade Commission (FTC) has made it clear to the US Congress that it sees no need to pass new legislation. The FTC has stated publicly that Title 5 of the Federal Trade Commission Act, which gives the government the authority to take action against unfair or deceptive trade practices, provides everything the government needs to control spyware. The FTC made its first step toward regulating spyware in October 2004 by filing its first injunction and civil action against a spyware publisher.