Jennifer Scharre and Frank Busch authored “When Capacity Becomes A Catch-22: Defining Your Clients’ Due Process Rights After Herren” which was published in the California Trusts & Estates Quarterly. Their article examines the far-reaching implications of Herren v. George S. and offers guidance and sample trust provisions to help settlors protect themselves. The full article is linked here.
By Lindsay Gehman and Saachi S. Gorinstein
Artificial intelligence is rapidly transforming influencer marketing. Marketing agencies now use AI tools to identify influencers, optimize campaigns, draft captions and marketing copy, analyze audience engagement, and even create entirely synthetic influencers and virtual personas.
As agencies increasingly integrate these tools into influencer campaigns, an important legal question emerges: what risks arise when AI becomes part of the advertising process?
The legal risk is not simply that AI is being used in influencer marketing; rather, the risk depends on how AI is being used. Although regulators have not yet issued detailed rules governing ordinary AI-generated captions or standard influencer post copy, existing advertising laws already create meaningful liability exposure for agencies deploying AI in marketing campaigns. At the same time, recent regulatory developments suggest that regulators are increasingly focused on AI-generated endorsements, synthetic personas, and fabricated testimonial-style content.
AI tools are now integrated into nearly every stage of influencer marketing. Agencies commonly use AI to:
These technologies can improve efficiency, reduce production time, and generate valuable audience insights, but they also create new legal questions concerning transparency, authenticity, and intellectual property.
Importantly, there is still relatively little AI-specific regulation governing ordinary AI-assisted marketing copy. Regulators have not announced broad rules requiring disclosure every time generative AI assists with drafting a caption or social media post.
For now, agencies should assume that AI-assisted influencer content will generally be evaluated under traditional advertising law principles.
The primary legal framework governing influencer marketing in the United States remains the Federal Trade Commission Act and the FTC’s Endorsement Guides.
Under these rules:
These standards apply regardless of whether marketing content is generated manually or produced with the assistance of AI.
For agencies, this means that AI-generated or AI-assisted influencer content must still be reviewed for compliance before publication. Regulators have signaled that companies remain responsible for marketing claims disseminated through automated systems, influencers, and digital advertising tools.
Although the law governing ordinary AI-generated captions remains relatively undeveloped, regulators are beginning to address higher-risk uses of AI in advertising more directly.
The clearest example is the FTC’s 2024 final rule banning fake reviews and testimonials.
The rule prohibits businesses from creating, purchasing, or disseminating fake reviews or testimonials, including content generated via AI. The rule specifically targets testimonials that falsely represent that a reviewer exists or actually used the product or service.
This development is significant because it directly addresses AI’s ability to generate fabricated testimonial-style content at scale. While the rule is not specific to influencer marketing, agencies using AI tools to generate consumer-style endorsements, “first-person experience” narratives, or simulated product reviews may therefore face meaningful enforcement risk.
New York recently enacted legislation requiring advertisements that use a “synthetic performer” to include clear disclosure. The law, S.8420-A/A.8887-B, enacted in December 2025 and effective June 9, 2026, is particularly relevant to campaigns involving AI-generated human characters, synthetic influencers, and AI avatars used in advertising.
This statute is important for agencies experimenting with virtual influencers or AI-generated personalities because it moves beyond general deception principles and imposes an affirmative disclosure requirement when synthetic human personas are used in advertising.
California has also enacted laws addressing AI-generated replicas of a person’s voice or likeness.
The two statutes that took effect January 1, 2025, AB 2602 and AB 1836, protect performers and personalities from unauthorized digital replicas generated using artificial intelligence. Although these laws were developed primarily in the entertainment context, they may become increasingly relevant to influencer marketing campaigns involving cloned voices, AI-generated celebrity likenesses, or synthetic personas designed to resemble real individuals.
Together, these developments suggest that regulators are most concerned when AI is used not merely as a drafting tool, but as a mechanism to fabricate human identity, experience, or authenticity.
A useful way to think about the above described risks is through a two-tier framework.
Lower-risk uses of AI generally involve tools that assist with:
Although agencies should always review AI-generated copy carefully, these uses typically raise familiar advertising-law risks, including misleading claims, inadequate disclosure, or unsupported representations.
Higher-risk uses of AI involve:
These activities may implicate:
Marketing agencies should not assume that liability falls solely on brands or influencers. Regulators increasingly view agencies as active participants in advertising campaigns, particularly where agencies help develop campaign strategy, manage influencers, or create marketing content (See FTC’s Endorsement Guides: What People Are Asking). As such, agencies should consider implementing practical safeguards before deploying AI tools in influencer campaigns.
Agencies should adopt internal policies addressing:
Contracts with influencers, clients, and technology vendors should address:
Human review remains critical. Agencies should consider implementing:
Artificial intelligence offers marketing agencies powerful opportunities to scale influencer campaigns. At the same time, agencies should be especially mindful when AI is used to create or simulate human identity or experience, including fabricated testimonials, synthetic personas, or digital replicas.
Although the law remains less developed for ordinary AI-assisted captions and post copy, the key legal question for agencies is not simply whether AI is being used, but how it is being used.
Agencies that implement thoughtful compliance procedures, maintain human oversight, and structure contracts carefully will be better positioned to leverage AI responsibly while minimizing legal and reputational risk.
To view a PDF version of this article, please click here.
By Peter Wang and Hunter Moss
California has joined the growing number of states adopting their own premerger-notification regimes. On February 10, 2026, Governor Newsom signed SB 25, the California Uniform Antitrust Premerger Notification Act, requiring certain parties making federal Hart-Scott-Rodino (HSR) filings to submit a copy of that filing to the California Attorney General.[1] The law applies to premerger notifications filed on or after January 1, 2027.[2]
For dealmakers, the significance is practical. California’s new law does not replace HSR and does not create a separate California waiting period or state clearance requirement. But it does add another filing obligation for certain HSR-reportable transactions, gives California earlier visibility into qualifying deals, and creates a fresh issue that both buyers and sellers should address early in transaction planning.
SB 25 requires a person filing under the federal HSR Act to submit an electronic copy of the HSR filing to the California Attorney General within one business day after the federal filing if either of two statutory triggers is met. The first trigger is met if the filing person has its principal place of business in California.[3] The second trigger is met if the filing person, or a controlled entity, has California annual net sales of the goods or services involved in the transaction equal to at least 20% of the HSR filing threshold.[4]
The documents required to be filed depend on which trigger is met. If the filing obligation is based on the filer’s principal place of business in California, the filer must provide both the HSR form and the additional documentary material. If the filing obligation is based only on the California sales test, the filer initially submits the HSR form and then provides the additional documentary material only if the Attorney General requests it, in which case the documents must be submitted within seven business days. The statute also authorizes filing fees and civil penalties, including up to $25,000 per day after notice and a three-business-day cure period.[5]
SB 25 does not apply to every merger or acquisition. It applies only where a party is already required to file under the federal HSR Act. For 2026, the FTC announced that the adjusted federal size-of-transaction threshold is $133.9 million, effective February 17, 2026. Because California’s sales trigger is pegged to 20% of the HSR filing threshold, the current California benchmark is roughly $26.8 million in annual California net sales of the goods or services involved in the transaction, although that figure will change as the HSR thresholds are adjusted.[6]
In practical terms, the law is most relevant where a transaction is already large enough to trigger HSR and one or both filing parties has a meaningful California nexus. That nexus may be based on headquarters, California operations, or California sales tied to the relevant goods or services. Because the statute applies to the filing “person,” the analysis should be made carefully for each of the filing parties in a transaction.
For buyers, SB 25 is another execution and diligence issue. It should now be part of the early antitrust and closing analysis for transactions where HSR may be required and there is a California nexus. Buyers will want to understand whether the law applies, whether California document production may be required, and whether the transaction could attract additional state-level attention.
For sellers, the law can be just as important. Sellers planning on negotiating a sale may want to identify early whether the company’s California footprint could make SB 25 relevant to any likely bidders or to the seller itself. Evaluating the applicability of SB 25 early on in the process would help inform process planning, diligence preparation, document management, and discussions around timing and regulatory obligations. Sellers also have a strong interest in avoiding preventable timing friction late in the process, especially when HSR compliance and filings are already on the path to closing.
In short, SB 25 is not just a buyer-side filing issue. It is also an issue during the sale process for companies seeking to position themselves for a smooth transaction.
The right time to analyze California’s new law is not when the HSR form is nearly complete. Getting ahead of the filing requirements is important – the parties should consider their California obligations early on when building the transaction timetable and identifying regulatory workstreams.
For buyers, that means assessing early on whether the buyer or target has a California principal place of business or sufficient California sales in the relevant goods or services to trigger the filing. For sellers, that means understanding whether the company’s California profile is likely to matter in a future HSR-reportable transaction and being prepared to respond adeptly if a buyer or its counsel raises the issue. For both sides, early analysis can improve coordination around filing timing, document preparation, and allocation of regulatory responsibilities.
The law may be particularly relevant in service-heavy sectors such as advertising, marketing, digital media, and related creative-services businesses. One reason is that the California sales test refers to California annual net sales of the “goods or services involved in the transaction” – understanding what falls under this definition may be more of a challenge to analyze. The law’s language is easier to apply in a business selling discrete products than in a services business with multiple offerings, bundled work, retainer relationships, media buying, creative production, strategy, and platform or subscription revenue.
The potential ambiguity of applicability matters for both sides of a deal. Buyers evaluating an agency platform or creative-services business may need to understand how California revenue maps onto the service lines implicated by the transaction. Sellers in those sectors may likewise benefit from understanding in advance how their California client base or service mix could affect the regulatory analysis in a sale process.
The new law is relevant to transactions in the food, beverage, and wine sectors, where California often plays an outsized commercial role. For branded products businesses, the California sales analysis may be more straightforward than in some services sectors because the relevant products involved in the transaction may map more directly onto product sales by state.
That can matter for both buyers and sellers. A buyer evaluating a beverage brand, winery, food manufacturer, or distribution business may want to test California revenue early in diligence. A seller in those sectors should also understand before going to market whether California product sales or operations could make SB 25 part of the transaction landscape. Even where one side of the deal is headquartered elsewhere, California may still be important because of production, brand identity, distribution, or consumer demand.
HSR remains the primary federal merger-notification regime. California’s law does not replace HSR, and it does not create a separate California approval requirement. Instead, SB 25 is derivative of HSR: if there is no HSR filing, there is no California filing under this statute.
California’s law is also generally described as “non-suspensory,” meaning that it does not independently impose a separate California waiting period before closing. But that does not make it insignificant. It still gives the California Attorney General earlier notice of certain transactions and adds another compliance step that parties must address alongside HSR.
California is the third state, after Washington and Colorado, to adopt a mini-HSR law modeled on the Uniform Antitrust Premerger Notification Act. That broader trend is important because it suggests that merger-control compliance may increasingly require a state-by-state lens, not just a federal one.
For active buyers, that may mean more multijurisdictional filing analysis. For potential sellers, it means that regulatory preparedness has become part of transaction readiness. In either case, California’s adoption of SB 25 is a reminder that state-level merger oversight continues to expand.
Companies that are likely to be involved in HSR-reportable transactions should begin treating California nexus as an early merger-planning issue. Buyers should consider whether the target or the buyer itself may trigger the California filing, while sellers should consider whether their California footprint may affect how a future transaction is structured, timed, and diligenced. Both sides should be prepared to coordinate California filing obligations with the federal HSR process.
As state-level merger-control regimes continue to expand, early planning can help parties avoid unnecessary delay, reduce last-minute filing issues, and better allocate regulatory risk in transaction documents. For both buyers and sellers, the most effective approach is to evaluate these issues early – before the HSR filing is underway and before timing assumptions are baked into the deal process.
California’s new law may not create a separate state waiting period, but it does create a new compliance obligation for certain HSR-reportable deals. For both companies pursuing acquisitions and preparing for a sale, that means state-level merger-control analysis is becoming a more important part of transaction planning. Thoughtful counsel can help parties identify these issues early, integrate them into the deal timeline, and manage the regulatory process with greater predictability and ease.
If your company needs assistance, Coblentz’s Corporate attorneys can help. Please reach out to Peter Wang at pwang@coblentzlaw.com or Hunter Moss at hmoss@coblentzlaw.com for further information or assistance.
[1] Governor Newsom Signs Legislation 2.10.26, https://www.gov.ca.gov/2026/02/10/governor-newsom-signs-legislation-2-10-26/.
[2] SB 25, Uniform Antitrust Pre-Merger Notification Act, Section 16787.
[3] Id. at Section 16782(a)(1).
[4] Id. at Section 16782(a)(2).
[5] Id. at Section 16785.
[6] Federal Trade Commission, Current Thresholds, https://www.ftc.gov/enforcement/premerger-notification-program/current-thresholds.
By Scott Hall and Phillip Wiese
The Third Circuit recently added to the growing body of wiretapping law addressing the use of session replay technology in In re BPS Direct, LLC; Cabela’s LLC Wiretapping Litig., 2026 WL 1280969 (May 11, 2026). Expanding on its prior decisions, the court held that in certain circumstances, data collected through session replay technology could give rise to a concrete injury sufficient for standing to pursue claims under wiretapping laws including the Electronic Communications Privacy Act (ECPA).
The Third Circuit’s decision is a departure from its prior decision in Cook v. GameStop, Inc.[1] and from Ninth Circuit authority that as to session replay software, consumers have no reasonable expectation of privacy.[2] In light of the Third Circuit’s decision, going forward, online retailers should tread carefully when using session replay to collect analytics on their websites because there may be different risk profiles in different jurisdictions.
Session replay technology allows businesses to collect and understand how website visitors browse and interact with their websites. Depending on how it is configured, the software may collect anonymized mouse movements, clicks, keystrokes, scrolls, and text inputs and interactions that can be used to improve website functionality and user experience. Plaintiffs claim that the aggregated data can be combined with user identifiers to create “fingerprints” of a user, and, in some circumstances, can be matched to specific visitors, particularly when the visitor provides identifying information on the website.
Here, eight plaintiffs brought suit against retailers Bass Pro Shops and Cabela’s (together, BPS) for the retailers’ use of session replay technology without their consent. They claimed that the session replay providers (e.g., Microsoft, Quantum Metric, and Mouseflow) created fingerprints of their specific visiting sessions and were able to specifically identify each plaintiff. Crucially, only two plaintiffs alleged that they made any purchases on the websites. The remaining plaintiffs only visited the websites but made no purchases and entered no personally identifying information into the site. Plaintiffs alleged violations of the ECPA and the Computer Fraud and Abuse Act.
BPS successfully moved to dismiss the complaint at the trial court on the basis that the plaintiffs lacked standing to bring their claims. To assert standing, plaintiffs needed to allege, among other things, that they suffered an injury in fact. In determining whether this element is satisfied, courts often look to traditional common law harms to provide the basis for standing in wiretap and privacy actions like this one. The district court compared the plaintiffs’ wiretap claims to the torts of public disclosure of private facts and intrusion upon seclusion and found the plaintiffs’ claims lacking.
Drawing upon two prior decisions,[3] the district court determined, and the Third Circuit agreed, that plaintiffs lacked standing to show an injury under the public disclosure of private facts tort. As to the plaintiffs who did not make a purchase, information allegedly collected was not sensitive or identifiable. As to the plaintiffs who did make purchases, the credit card information and other identifiable information was not publicly disclosed because it remained internal between BPS and its session reply providers.
With respect to the intrusion upon seclusion analysis, the Third Circuit reached a different conclusion from the district court for the two purchasing plaintiffs. For the plaintiffs who did not make a purchase, the court held that “clicks, scrolls, and searches for outdoor products” were not private or worthy of protection because plaintiffs entered no personal or sensitive information. But for the two plaintiffs who purchased products, the analysis was different. By submitting their credit card information to BPS, those two plaintiffs entered “personal or sensitive” information, and thus were injured in a manner similar to intrusion upon seclusion. The Third Circuit determined those two plaintiffs had standing, and their privacy claims against BPS could proceed past the pleading stage, reversing the district court’s dismissal of the claims and remanding for further proceedings.
This decision, and its holding that session replay could run afoul of wiretapping laws, is in direct tension with Popa, where the Ninth Circuit found the purported harm caused by session replay technology was not analogous to the traditional harms for public disclosure of private facts or intrusion upon seclusion. Although the plaintiff in Popa did not allege her credit card information was collected by the session replay technology, she did allege that it captured her mailing address. Notably, California district courts have held that there is no expectation of privacy for credit card information collected by session replay technology. It remains to be seen whether the Ninth Circuit decision would have come out differently had credit card information been at issue.
While the Third Circuit confirmed that, in general, there are no issues with session replay technology, companies may still face exposure if they collect “personal and sensitive” information, such as financial or health care data. Going forward, companies may consider the following steps:
If your company needs assistance with any privacy issues, Coblentz Data Privacy & Cybersecurity attorneys can help. Please reach out to Scott Hall or Phillip Wiese for further information or assistance.
[1] 148 F.4th 153 (3d Cir. 2025).
[2] Popa v. Microsoft Corp., 143 F.4th 784 (9th Cir. 2025).
[3] Barclift Keystone Credit Servs., LLC, 93 F.4th 136 (3d Cir. 2024); Cook, 148 F.4th 153.
Coblentz is pleased to announce that nine partners and four practices have been recognized by Chambers & Partners in the 2026 edition of Chambers USA. Our individual honorees include Miles Imwalle and Tay Via for Real Estate: Zoning/Land Use – California; Alan Gennis and Danna Kozerski for Real Estate – Northern California; Timothy Crudo, Rees Morgan, and Sean Coyle for Litigation: White-Collar Crime & Government Investigations – California; and Fred Alvarez and Hannah Jones for Labor & Employment – California. Coblentz’s real estate and land use, white collar defense and investigations, and employment practices are also recognized as leading practices in the Chambers USA 2026 guide.
Coblentz’s land use practice is again ranked in Band 1 in the Real Estate: Zoning/Land Use category for California. The firm’s real estate transactional practice is ranked in Band 2 in the Real Estate – Northern California category. Clients note that our team is “responsive and very proactive, which makes it easy for us to help manage the process of attaining approvals.”
Four real estate and land use partners received individual rankings:
Miles Imwalle is newly ranked as a Leading Lawyer in Band 4 in the Real Estate: Zoning/Land Use – California category. A client remarks that Miles is “very proactive in the industry and is very aware of how to apply the laws in California to our situations.”
Tay Via is ranked as a Leading Lawyer in Band 3 in the Real Estate: Zoning/Land Use – California category. Tay has been recognized by Chambers since 2022.
Alan Gennis is ranked as a Leading Lawyer in Band 2 in the Real Estate – Northern California category. “Alan is incredibly intelligent, an excellent negotiator and able to speak to our business team and represent our interests with all stakeholders,” remarks a client. Alan has been recognized by Chambers since 2018.
Danna Kozerski moved up one band and is ranked as a Leading Lawyer in Band 3 in the Real Estate – Northern California category. A client notes, “Danna is an excellent deal-maker; she is intelligent and effective in negotiations.” Danna has been recognized by Chambers since 2024.
Coblentz’s white collar defense and investigations practice is ranked in Band 3 in the Litigation: White-Collar Crime & Government Investigations category for California. “The team at Coblentz Patch Duffy & Bass is highly knowledgeable. They are expert negotiators, have excellent contacts and provide empathetic counsel,” notes a client, while another adds, “I have seen my share of frivolous suits, as well as tough, complex facts, and they excel in both arenas.”
Three litigation partners received individual rankings in the category:
Timothy Crudo is ranked as a Leading Lawyer in Band 1 in the Litigation: White Collar Crime & Government Investigations category for California. Clients note, “Tim exercises extraordinary judgment and is recognized by the United States Attorney’s offices and by regulators nationwide,” and “Tim Crudo is a truly amazing talent. He is a perfect blend of experience, wisdom, empathy and counsel.” Tim has been recognized by Chambers since 2016.
Rees Morgan is ranked as a Leading Lawyer in Band 3 in the Litigation: White Collar Crime & Government Investigations category for California. “Rees is tenacious, a team player and a great asset. I value his insights on cases,” notes a client, while another adds, “He is someone with good instincts you can totally trust. He gets how cases are tried and knows the likely next moves.” Rees has been recognized by Chambers since 2021.
Sean Coyle is ranked as a Leading Lawyer in Band 5 in the Litigation: White Collar Crime & Government Investigations category for California. A client notes, “Sean is zealous for clients and a pleasure to work with.” Sean has been recognized by Chambers since 2024.
Coblentz’s employment practice is ranked in Band 3 in the California: Labor & Employment – Highly Regarded category. “Coblentz have a very business-minded approach with a lot of experience. They navigate very challenging situations with experience and creativity, always thinking of the big picture while being mindful of the details,” remarks a client. Another client says, “The Coblentz team provide highly tailored and business-friendly advice.”
Two employment partners received individual rankings in the category:
Fred Alvarez is recognized as a Senior Statesperson in California in the Labor & Employment category. “Fred is a true advocate for his clients and understands how to get to the best result,” raves a client. Fred has been recognized by Chambers for more than 20 years.
Hannah Jones moved up one band and is ranked in Band 6. “Hannah’s strategy was incredibly helpful. Her business lens gave us confidence,” says a client. Another adds, “Hannah is very detailed, quick and very clear. Her knowledge, speed and clarity stand out. She is a precise and a very good communicator.” Hannah has been recognized by Chambers since 2024.
Independent and objective, Chambers USA is carefully researched and widely considered to be one of the most reputable law firm directories in the world. Ranking criteria include technical legal ability, client service, commercial vision and business understanding, diligence, depth of the team, value for money, and other qualities most valued by legal clients.
To view the complete list of Coblentz rankings in the 2026 edition of Chambers USA, please visit the publication’s website linked here.
By Scott Hall and Leeza Arbatman
The privacy litigation landscape in California continues to grow in complexity, with plaintiffs advancing new theories of liability based on the use of website tracking technologies. Although California Invasion of Privacy Act (“CIPA”) claims under California Penal Code §§ 631 and 638.51 remain the dominant privacy theories in this space, plaintiffs are increasingly asserting claims under the California Comprehensive Computer Data Access and Fraud Act, California Penal Code § 502 (“CDAFA”).
CDAFA is the California analog to the federal Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (the “CFAA”). The CFAA, an anti-computer-hacking statute, prohibits intentionally accessing and obtaining information from computers without authorization. Congress enacted the CFAA in 1986 when computer hacking was a growing problem. The statute provided only criminal penalties until 1994, when it was amended to add a private right of action, and then amended further throughout the 1990s and 2000s, most notably following 9/11. As a federal statute, CFAA focuses on interstate issues and activity that jeopardizes national security. CDAFA focuses only on conduct within California.
CDAFA was enacted in 1989 and prohibits 13 categories of activity. Broadly speaking, it penalizes knowingly accessing computers without permission to alter or damage data, wrongfully acquiring or retaining unauthorized access to computers to take or make use of data, and related conduct. Like its federal analog, it creates a private right of action for any “owner or lessee of a computer or computer system” that “suffers damage or loss by reason of a violation of [the CDAFA].”[1] CDAFA does not define “damage or loss,” but expressly allows compensatory damages for “any expenditure reasonably and necessarily incurred by the owner or lessee to verify that a computer system, computer network, computer program, or data was or was not altered, damaged, or deleted by the access.”[2] Unlike the CFAA, which imposes a $5,000 loss threshold for civil claims, CDAFA contains no comparable minimum.
Despite the overlap in purpose between the CFAA and CDAFA, courts have recognized important differences between the two statutes. Notably, in United States v. Christensen, the Ninth Circuit explained that the CFAA criminalizes unauthorized access to data, while CDAFA criminalizes the unauthorized taking or use of data. 828 F.3d 763, 789 (9th Cir. 2015). In other words, CFAA focuses on whether permission was given for any access, whereas CDAFA focuses on knowing access (whether authorized or not) that becomes unlawful as a result of taking or using data without authorization. An example of the former is someone logging into another person’s computer using a password they stole. Even if no data was taken or used, such access could lead to CFAA liability. An example of the latter is a website owner knowingly obtaining access to a user’s geolocation data that the user permitted them to access, but then sharing that data with third parties without permission. Even though the collection was permissible, the distribution was not, potentially leading to CDAFA liability.
Under CDAFA, “access,” broadly speaking, means gaining entry to, causing input to or output from, or communicating with a computer system or network.[3] The fact that a third-party technology was the one that actually collected the data does not mean that the website where the collection occurred cannot be held liable. If the website owner caused a third-party application to output user data, that constitutes knowing access and use.
In the recent wave of CDAFA tracking technology litigation, plaintiffs are asserting that defendants violate CDAFA by placing third-party tracking technologies on their websites, which obtain information about website users without their consent. Because plaintiffs have not consented to the collection or use of their data by these third parties, plaintiffs claim this is the type of unauthorized taking or use that CDAFA makes unlawful.
To state a CDAFA claim, plaintiffs must plead that the defendant “either acted without authorization or exceeded its authorization.”[4] To have “authorization” means to be “specially recognized or admitted” to have access to that data.[5]
Historically, courts have interpreted acting “without permission” under CDAFA to require that the defendant accessed a computer, network, or website in a manner that overcame technical or code-based barriers.[6] Under this interpretation, a website does not act “without permission” merely by sharing information about users with third parties where no technical barriers prevented the website or third-party tracking technology from accessing that information.
After Christensen, however, some courts have taken a broader approach, holding that overcoming technical or code-based barriers is sufficient to show that someone acted without permission, but not necessary.[8]
These recent interpretations make it easier for CDAFA claims to survive the pleading stage and have led to a growing number of CDAFA suits because there is no need to show a plausible circumvention of a technical barrier; a plaintiff must simply allege that data was plausibly taken or used without permission.
As with other privacy statutes, consent of the user to the data collection is an important consideration. Some courts have applied the defense narrowly in the CDAFA context. To rely on the consent defense, these courts have held that the website must “explicitly notify users of the practice at issue.”[9] Accordingly, consent has been limited to the specific disclosures provided, which courts have held should have only one plausible interpretation. In other words, if the disclosure “does not specifically and unambiguously inform the user of the data collection practices,” the consent defense may fail.[10]
At the same time, some courts have found general consent to be viable, recognizing the limits on how far CDAFA can be stretched. Under this reasoning, website owners do not have a duty “to disclose how permissions will be exercised,” especially in light of the Supreme Court’s decision in Van Buren v. United States, 593 U.S. 374 (2021), where the Court clarified that the CFAA does not attach to authorized uses of computer databases even when a defendant had “obtained information from the database for an improper purpose.”[11] Since CFAA authorization is a “gates-up-or-down inquiry,” meaning that “one either can or cannot access a computer,”[12] companies can argue that by extension, under CDAFA, if a plaintiff has given a website permission to collect their data, they cannot then argue that the subsequent use of that data for particular purposes exceeds the authorization originally granted.[13]
CDAFA also requires the plaintiff to have the required ownership or possessory interest in the computer or data at issue.[14] “[O]wnership is often linked to the entity who created the property at issue. For instance, where a plaintiff drafts emails or technical documents that are stored in a third-party’s servers and then accessed by a defendant without authorization, a CDAFA claim is cognizable because the plaintiff author retains some ownership interest in the data at issue.”[15]
That ownership theory becomes more difficult where the plaintiff asserts an interest in data collected or generated by someone else. As one court explained, “where a plaintiff’s personal data (e.g., financial information, health data) is collected or generated by a third-party, and stored by a third-party, the plaintiff may retain some form of interest—for example, a privacy interest, but cannot necessarily claim an ownership interest in that data under the CDAFA.”[16] So, under this theory, website owners that collect and store third-party information can argue that any plaintiffs suing under CDAFA do not have the type of ownership interest in such data that permits recovery under the statute.
Courts have also dismissed CDAFA claims where the alleged website tracking does not amount to the kind of access or use that CDAFA prohibits, meaning plaintiffs suffered no cognizable damage or loss. For example, courts may find that the installation of web tracking technologies on a website does not equate to trackers being installed on a user’s own device or that the alleged data collection occurred on the user’s own device rather than on the website the plaintiff was browsing (thus defeating any claim that there was unauthorized access of the plaintiff’s computer).[17]
Plaintiffs have tried to frame their injury as the loss of the ability to control their data, the loss of the value of their data because it has been disseminated to third parties, and the loss of the ability to protect their data. Courts have rejected these damages theories, finding that damages or loss under CDAFA should be understood as damages to the underlying computer system or data on that computer, rather than the data that a plaintiff generates when on a defendant’s website.[18] Plaintiffs have had some success by alleging that the company unjustly profited from the use of their data by selling it to third parties or using it for targeted advertising.[19] That said, other courts have rejected this theory as well, explaining that disgorgement could be viable if plaintiffs alleged an intent to personally sell their data, but that such an allegation would contradict related invasion of privacy claims that are often asserted in conjunction with CDAFA.[20]
CDAFA claims are likely to become a more common companion to CIPA and pen-register theories in website tracking litigation. Plaintiffs will try to frame pixels, cookies, session-replay tools, and other commonplace tracking technologies as code that knowingly accesses their data and takes or uses it without authorization. They will assert that they have suffered damages either because the value of their data has been diminished, they lost control of their data, or the defendant has been unjustly enriched by accessing and profiting from their data.
As these new privacy liability theories play out, businesses should be proactive about protecting themselves from becoming the target of one of these lawsuits. Consent remains important: companies should use clear and specific consent banners, avoid placing non-essential cookies and tracking technologies before authorization, and ensure that their privacy policies and related disclosures accurately describe the technologies in use and the types of tracking occurring. If sued, businesses should consider whether the plaintiff consented to the collection or use of their data, the alleged tracking actually accessed the plaintiff’s computer, the plaintiff maintained the required ownership interest in the data, and the alleged injury is a cognizable damage or loss under CDAFA.
If your company needs assistance with any privacy issues, Coblentz Data Privacy & Cybersecurity attorneys can help. Please contact Scott Hall at shall@coblentzlaw.com for further information or assistance.
[1] Cal. Pen. Code § 502(e)(1).
[2] Id.
[3] Cal. Pen. Code § 502(b)(1).
[4] Wendover Prods., LLC v. Paypal Inc., 2025 WL 3251667, at *4 (N.D. Cal. Nov. 21, 2025).
[5] See hiQ Labs, Inc. v. LinkedIn Corp., 31 F.4th 1180, 1195–96 (9th Cir. 2022).
[6] See, e.g., In re Facebook Priv. Litig., 791 F. Supp. 2d 705, 715 (N.D. Cal. 2011), aff’d, 572 F. App’x 494 (9th Cir. 2014); Sunbelt Rentals, Inc. v. Victor, 2014 WL 4274313 (N.D. Cal. Aug. 28, 2014).
[7] See In re Facebook Priv. Litig., 791 F. Supp. 2d at 715.
[8] See, e.g., Greenley v. Kochava, Inc., 684 F. Supp. 3d 1024, 1049 (S.D. Cal. 2023); Esparza v. Kohl’s Inc., 723 F. Supp. 3d 934, 945 (S.D. Cal. 2024).
[9] Greenley, 684 F. Supp. 3d at 1048 (citing Brown v. Google LLC, 525 F. Supp. 3d 1024, 1063).
[10] Id.
[11] Wendover Prods. LLC v. Paypal Inc., 2025 WL 3251667, at *5 (N.D. Cal. Nov. 21, 2025) (citing Van Buren, 593 U.S. at 396).
[12] Van Buren, 593 U.S. at 390.
[13] Wendover Prods. LLC, 2025 WL 3251667, at *5 (plaintiffs admit “that PayPal uses the very same permissions it was granted to carry out the challenged conduct”—since neither CFAA nor CDAFA impose any duty “to disclose how permissions will be exercised,” plaintiffs fail to demonstrate PayPal has acted without authorization).
[14] Cal. Penal Code § 502(e)(1).
[15] In re Cap. One Fin. Corp., 2025 WL 1570973, at *14 (E.D. Va. June 2, 2025).
[16] Id. (cleaned up).
[17] See, e.g., Allison v. PHH Mortg., 2026 WL 899438, at *7 (N.D. Cal. Mar. 27, 2026).
[18] See, e.g., Doe v. Cnty. of Santa Clara, 2024 WL 3346257, at *9 (N.D. Cal. July 8, 2024); Doe v. Meta Platforms, Inc., 690 F. Supp. 3d 1064, 1082 (N.D. Cal. 2023); Cottle v. Plaid Inc., 536 F. Supp. 3d at 461, 487-88 (N.D. Cal. 2021).
[19] See, e.g., Tsering v. Meta Platforms, Inc., 2026 WL 89320, at *5 (N.D. Cal. Jan. 12, 2026) (citing Smith v. Rack Room Shoes, Inc., 2025 WL 2210002, at *3 (N.D. Cal. Aug. 4, 2025)).
[20] See, e.g., Dellasala et al. v. Samba TV, Inc., 2026 WL 1138358, at *8-9 (N.D. Cal. Apr. 21, 2026); Doe v. Tenet Healthcare Corp., 789 F. Supp. 3d 814, 844-45 (E.D. Cal. 2025).
By Scott Hall and Phillip Wiese
Plaintiffs have continued to file privacy litigation at a furious pace, asserting claims under the California Invasion of Privacy Act (CIPA), the federal Video Privacy Protection Act (VPPA), and, increasingly, the federal Electronic Communications Privacy Act (ECPA). Plaintiffs have paid particular attention to the healthcare and financial services spaces, focusing on purported collection of sensitive personal information, but suits against other consumer retailers and service providers have not slowed either. These suits remain centered on modern tracking technologies like pixels, session replay tools, cookies, and embedded analytics software.
Case law on these issues remains in flux, although suits are beginning to trickle up to the appellate level for review. With respect to the VPPA, the Supreme Court is set to hear a case about how broadly the definition of “consumer” should be interpreted. Additionally, the Ninth Circuit attempted to clarify Article III standing in CIPA and ECPA claims, but lower courts have split when applying its holding. And the California federal court/state court divide continues to deepen when determining if cookies and pixels are covered by the CIPA pen register and trap and trace law. Against this backdrop of uncertainty, the California legislature is weighing whether to amend CIPA through SB 690, but there has been no movement at this point in the legislative cycle.
In January 2026, the Supreme Court agreed to hear Salazar v. Paramount Global, arising from the Sixth Circuit, to settle a circuit split about whether the VPPA requires that a “consumer” subscribe to audiovisual goods or services from a video tape service provider.
The VPPA prohibits a “video tape service provider” from disclosing any personally identifiable information about a “consumer.” A “video tape service provider” is someone that rents, sells, or delivers “prerecorded video cassette tapes or similar audio visual materials.” A “consumer” is “any renter, purchaser, or subscriber of goods or services from a video tape service provider.”
The plaintiff alleged that he watched video content on a college sports news site, 247Sports.com, and that his Facebook ID and video-viewing history were disclosed to Facebook by Paramount Global, the sports news site’s parent company. This disclosure, he claimed, violated the VPPA because 247Sports.com was a video tape service provider and improperly disclosed to Facebook the videos he watched on the website.[1]
The Sixth Circuit disagreed, holding that the plaintiff was not a “consumer” under the statute because while he subscribed to the 247Sports.com newsletter, that was separate from the subscription of audiovisual materials on the website. The Sixth Circuit split from the Second Circuit, which held the opposite, that newsletter subscriptions were sufficient to be a “consumer” under the VPPA, even if the newsletter had no audiovisual content.[2]
The case is likely to be heard during the Court’s 2026/2027 term and if the Court adopts the narrow definition of consumer, the result could significantly slow future VPPA litigation.
The Ninth Circuit limited Article III standing in privacy cases in its August 2025 decision Popa v. Microsoft Corp., 153 F.4th 784 (9th Cir. 2025). In that case, the plaintiff alleged that while browsing for pet food on a pet supply website, her browsing activity was captured by Microsoft’s session replay technology. Her claims for violation of Pennsylvania’s Wiretapping and Electronic Surveillance Control Act (WESCA) and intrusion upon seclusion were dismissed by the trial court for lack of Article III standing.
The Ninth Circuit affirmed the trial court, concluding that the plaintiff failed to allege a “concrete” injury to support her claim and that a bare statutory violation of WESCA did not satisfy the tests set forth in Spokeo and TransUnion.[3] Drawing upon TransUnion, the Ninth Circuit analyzed whether the plaintiff alleged an injury bearing “a close relationship to a harm traditionally recognized as providing a basis for a lawsuit in American courts.”[4] The Ninth Circuit analogized the plaintiff’s claim to the common law torts of intrusion upon seclusion and public disclosure of private facts, both of which require that any intrusion or disclosure be “highly offensive to a reasonable person,” and found plaintiff’s claims to be lacking.[5] Notably, the plaintiff did not identify any “embarrassing, invasive, or otherwise private information collected by” Microsoft’s software.[6] Plaintiff instead pleaded that the technology gathered her pet-store preferences and her street name, none of which was protected or highly offensive. Rather, the interactions were more similar to “a store clerk’s observing shoppers in order to identify aisles that are particularly popular or to spot problems that disrupt potential sales.”[7] The court noted that the result may differ in other circumstances if a greater volume of data is collected from across the internet and used to create user profiles.
Companies were quick to invoke Popa to dismiss claims, but the district courts continue to be split on the issue. Some courts have applied Popa broadly, finding that the disclosure of website browsing data was not highly offensive:
Other courts distinguish Popa by finding the type of data and sheer volume of data allegedly collected cross the “highly offensive” line:
This decision may not be the panacea companies hoped for, but it, at minimum, increases the burden for plaintiffs at the pleading stage and provides a new line of attack in these challenging CIPA cases.
There also appears to be a growing split between state and federal courts in California over whether tracking technology, including cookies and pixels, are pen registers or trap and trace devices that can form the basis of a CIPA section 638.51 claim. Interestingly, both state and federal courts ground their analysis in the statutory text and the legislative history yet reach conflicting results.
Section 638.51 prohibits using a pen register or trap and trace device without a court order. The state court decisions interpreting this section typically draw on the language from section 638.52 to limit the definition of pen register and trap and trace to telephone lines.[8] This cross-referenced language demonstrates that pen registers and trap and trace devices are separate from software or technology that operates on a computer or other device.[9] State courts also refer to the legislative history of section 638.51 that described the purposes as allowing law enforcement officers to monitor telephonic communications after obtaining a court order.[10]
While federal courts are obligated to interpret California laws like CIPA the same way the California Supreme Court would, there are no California Supreme Court or Court of Appeals decisions interpreting section 638.51, leaving the federal courts to apply their own standard. The federal courts have, by and large, found that sections 638.50 and 638.51 lack any limitation to telephone, and thus the legislature intended the law to apply broadly to include “evolving privacy threats.”[11] This broad statutory language, these courts hold, “is consistent with the California Legislature’s stated intent to protect privacy interests.”[12]
These conflicting decisions have led to confusion and uncertainty for companies trying to comply with CIPA. For now, section 638.51 liability may depend on the forum in which a suit is filed and the preferences of the individual judge.
Meanwhile, plaintiffs and defendants alike continue to watch the California legislature to see whether it will pass legislation to amend CIPA. SB 690, which was introduced in February 2025 but advanced to the 2026 legislative session, would significantly curb the ongoing deluge of CIPA litigation. Specifically, the bill would exempt from CIPA liability the use of recording or tracking technologies that serve a “commercial business purpose,” targeting the near-ubiquitous pixels, cookies, and other website tracking technology.
SB 690 garnered strong support in 2025, but there has been no action thus far in the legislative cycle.
Until either the legislature or appellate courts provide clearer guidance, companies should continue to treat website tracking litigation as an active and evolving risk area. Regular review of tracking technologies, consent flows, vendor contracts, and privacy disclosures remains important, especially for businesses operating in sensitive sectors or using tools that collect data across multiple websites or services.
If your company needs assistance with any privacy issues, Coblentz Data Privacy & Cybersecurity attorneys can help. Please contact Scott Hall at shall@coblentzlaw.com or Phillip Wiese at pwiese@coblentzlaw.com for further information or assistance.
[1] Salazar v. Paramount Global, 133 F.4th 642 (6th Cir. 2025).
[2] Salazar v. National Basketball Ass’n, 118 F.4th 533 (2d Cir. 2024).
[3] Spokeo, Inc. v. Robins, 578 U.S. 330 (2016); TransUnion LLC v. Ramirez, 594 U.S. 413 (2021).
[4] Popa, 153 F.4th at 789.
[5] Id. at 791.
[6] Id.
[7] Id.
[8] An order authorizing installation of a pen register or trap and trace device must specify: “(1) The identity, if known, of the person to whom is leased or in whose name is listed the telephone line to which the pen register or trap and trace device is to be attached. . . . [and] (3) The number and, if known, physical location of the telephone line to which the pen register or trap and trace device is to be attached . . . .” Cal. Pen. Code § 638.52(d) (emphasis added).
[9] See Schallert v. Orkin LLC, 2025 WL 4332757, at *4 (L.A.S.C. Dec. 15, 2025).
[10] Id.; see also Rodriguez v. Ink America Int’l Grp. LLC, 2025 WL 4034985, at *4 (L.A.S.C. Dec. 10, 2025) (holding that the lack of reference to website tracking technology when the law was amended in 2016 and 2022 confirms that the legislature made a “deliberate choice not to sweep ordinary website analytics” into the law’s provisions); Schallert v. Palo Alto Networks, Inc., 2026 WL 54028, at *2 (L.A.S.C. Mar. 6, 2026) (same).
[11] See Fregosa v. Mashable, Inc., 2025 WL 2886399, at *5 (N.D. Cal. Oct. 9, 2025).
[12] Walsh v. Dollar Tree Stores, Inc., 2025 WL 2939229, at *18 (N.D. Cal. Oct. 16, 2025) (quoting Shah v. Fandom, Inc., 754 F. Supp. 3d 924, 930 (N.D. Cal. 2024)).
