
Beyond CIPA: The Rise of CDAFA in Tracking Technology Litigation

By Scott Hall and Leeza Arbatman

The privacy litigation landscape in California continues to grow in complexity, with plaintiffs advancing new theories of liability based on the use of website tracking technologies. Although California Invasion of Privacy Act (“CIPA”) claims under California Penal Code §§ 631 and 638.51 remain the dominant privacy theories in this space, plaintiffs are increasingly asserting claims under the California Comprehensive Computer Data Access and Fraud Act, California Penal Code § 502 (“CDAFA”).

Background

CDAFA is the California analog to the federal Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (the “CFAA”). The CFAA, an anti-computer-hacking statute, prohibits intentionally accessing and obtaining information from computers without authorization. Congress enacted the CFAA in 1986 when computer hacking was a growing problem. The statute provided only criminal penalties until 1994, when it was amended to add a private right of action, and then amended further throughout the 1990s and 2000s, most notably following 9/11. As a federal statute, CFAA focuses on interstate issues and activity that jeopardizes national security. CDAFA focuses only on conduct within California.

CDAFA was enacted in 1989 and prohibits 13 categories of activity. Broadly speaking, it penalizes knowingly accessing computers without permission to alter or damage data, wrongfully acquiring or retaining unauthorized access to computers to take or make use of data, and related conduct. Like its federal analog, it creates a private right of action for any “owner or lessee of a computer or computer system” that “suffers damage or loss by reason of a violation of [the CDAFA].”[1] CDAFA does not define “damage or loss,” but expressly allows compensatory damages for “any expenditure reasonably and necessarily incurred by the owner or lessee to verify that a computer system, computer network, computer program, or data was or was not altered, damaged, or deleted by the access.”[2] Unlike the CFAA, which imposes a $5,000 loss threshold for civil claims, CDAFA contains no comparable minimum.

Despite the overlap in purpose between the CFAA and CDAFA, courts have recognized important differences between the two statutes. Notably, in United States v. Christensen, the Ninth Circuit explained that the CFAA criminalizes unauthorized access to data, while CDAFA criminalizes the unauthorized taking or use of data. 828 F.3d 763, 789 (9th Cir. 2015). In other words, CFAA focuses on whether permission was given for any access, whereas CDAFA focuses on knowing access (whether authorized or not) that becomes unlawful as a result of taking or using data without authorization. An example of the former is someone logging into another person’s computer using a password they stole. Even if no data was taken or used, such access could lead to CFAA liability. An example of the latter is a website owner knowingly obtaining access to a user’s geolocation data that the user permitted them to access, but then sharing that data with third parties without permission. Even though the collection was permissible, the distribution was not, potentially leading to CDAFA liability.

Under CDAFA, “access,” broadly speaking, means gaining entry to, causing input to or output from, or communicating with a computer system or network.[3] The fact that a third-party technology was the one that actually collected the data does not mean that the website where the collection occurred cannot be held liable. If the website owner caused a third-party application to output user data, that constitutes knowing access and use.

In the recent wave of CDAFA tracking technology litigation, plaintiffs are asserting that defendants violate CDAFA by placing third-party tracking technologies on their websites, which obtain information about website users without their consent. Because plaintiffs have not consented to the collection or use of their data by these third parties, plaintiffs claim this is the type of unauthorized taking or use that CDAFA makes unlawful.

The “Without Authorization” Requirement

To state a CDAFA claim, plaintiffs must plead that the defendant “either acted without authorization or exceeded its authorization.”[4] To have “authorization” means to be “specially recognized or admitted” to have access to that data.[5]

Historically, courts have interpreted acting “without permission” under CDAFA to require that the defendant accessed a computer, network, or website in a manner that overcame technical or code-based barriers.[6] Under this interpretation, a website does not act “without permission” merely by sharing information about users with third parties where no technical barriers prevented the website or third-party tracking technology from accessing that information.

After Christensen, however, some courts have taken a broader approach, holding that overcoming technical or code-based barriers is sufficient to show that someone acted without permission, but not necessary.[8]

These recent interpretations make it easier for CDAFA claims to survive the pleading stage and have led to a growing number of CDAFA suits because there is no need to show a plausible circumvention of a technical barrier; a plaintiff must simply allege that data was plausibly taken or used without permission.

Consent

As with other privacy statutes, consent of the user to the data collection is an important consideration. Some courts have applied the defense narrowly in the CDAFA context, holding that to rely on the consent defense, the website must “explicitly notify users of the practice at issue.”[9] Accordingly, consent has been limited to the specific disclosures provided, which courts have held should have only one plausible interpretation. In other words, if the disclosure “does not specifically and unambiguously inform the user of the data collection practices,” the consent defense may fail.[10]

At the same time, some courts have found general consent to be viable, recognizing the limits on how far CDAFA can be stretched. Under this reasoning, website owners do not have a duty “to disclose how permissions will be exercised,” especially in light of the Supreme Court’s decision in Van Buren v. United States, 593 U.S. 374 (2021), where the Court clarified that the CFAA does not attach to authorized uses of computer databases even when a defendant had “obtained information from the database for an improper purpose.”[11] Since CFAA authorization is a “gates-up-or-down inquiry,” meaning that “one either can or cannot access a computer,”[12] companies can argue that by extension, under CDAFA, if a plaintiff has given a website permission to collect their data, they cannot then argue that the subsequent use of that data for particular purposes exceeds the authorization originally granted.[13]

Ownership Interest

CDAFA also requires the plaintiff to have the required ownership or possessory interest in the computer or data at issue.[14] “[O]wnership is often linked to the entity who created the property at issue. For instance, where a plaintiff drafts emails or technical documents that are stored in a third-party’s servers and then accessed by a defendant without authorization, a CDAFA claim is cognizable because the plaintiff author retains some ownership interest in the data at issue.”[15]

That ownership theory becomes more difficult where the plaintiff asserts an interest in data collected or generated by someone else. As one court explained, “where a plaintiff’s personal data (e.g., financial information, health data) is collected or generated by a third-party, and stored by a third-party, the plaintiff may retain some form of interest—for example, a privacy interest, but cannot necessarily claim an ownership interest in that data under the CDAFA.”[16] So, under this theory, website owners that collect and store third-party information can argue that any plaintiffs suing under CDAFA do not have the type of ownership interest in such data that permits recovery under the statute.

Damage or Loss

Courts have also dismissed CDAFA claims where the alleged website tracking does not amount to the kind of access or use that CDAFA prohibits, meaning plaintiffs suffered no cognizable damage or loss. For example, courts may find that the installation of web tracking technologies on a website does not equate to trackers being installed on a user’s own device or that the alleged data collection occurred on the user’s own device rather than on the website the plaintiff was browsing (thus defeating any claim that there was unauthorized access of the plaintiff’s computer).[17]

Plaintiffs have tried to frame their injury as the loss of the ability to control their data, the loss of the value of their data because it has been disseminated to third parties, and the loss of the ability to protect their data. Courts have rejected these damages theories, finding that damages or loss under CDAFA should be understood as damages to the underlying computer system or data on that computer, rather than the data that a plaintiff generates when on a defendant’s website.[18] Plaintiffs have had some success by alleging that the company unjustly profited from the use of their data by selling it to third parties or using it for targeted advertising.[19] That said, other courts have rejected this theory as well, explaining that disgorgement could be viable if plaintiffs alleged an intent to personally sell their data, but that such an allegation would contradict related invasion of privacy claims that are often asserted in conjunction with CDAFA.[20]

Takeaways

CDAFA claims are likely to become a more common companion to CIPA and pen-register theories in website tracking litigation. Plaintiffs will try to frame pixels, cookies, session-replay tools, and other commonplace tracking technologies as code that knowingly accesses their data and takes or uses it without authorization. They will assert that they have suffered damages either because the value of their data has been diminished, they lost control of their data, or the defendant has been unjustly enriched by accessing and profiting from their data.

As these new privacy liability theories play out, businesses should be proactive about protecting themselves from becoming the target of one of these lawsuits. Consent remains important: companies should use clear and specific consent banners, avoid placing non-essential cookies and tracking technologies before authorization, and ensure that their privacy policies and related disclosures accurately describe the technologies in use and the types of tracking occurring. If sued, businesses should consider whether the plaintiff consented to the collection or use of their data, the alleged tracking actually accessed the plaintiff’s computer, the plaintiff maintained the required ownership interest in the data, and the alleged injury is a cognizable damage or loss under CDAFA.


If your company needs assistance with any privacy issues, Coblentz Data Privacy & Cybersecurity attorneys can help. Please contact Scott Hall at shall@coblentzlaw.com for further information or assistance.

[1] Cal. Pen. Code § 502(e)(1).
[2] Id.
[3] Cal. Pen. Code § 502(b)(1).
[4] Wendover Prods. LLC v. Paypal Inc., 2025 WL 3251667, at *4 (N.D. Cal. Nov. 21, 2025).
[5] See hiQ Labs, Inc. v. LinkedIn Corp., 31 F.4th 1180, 1195–96 (9th Cir. 2022).
[6] See, e.g., In re Facebook Priv. Litig., 791 F. Supp. 2d 705, 715 (N.D. Cal. 2011), aff’d, 572 F. App’x 494 (9th Cir. 2014); Sunbelt Rentals, Inc. v. Victor, 2014 WL 4274313 (N.D. Cal. Aug. 28, 2014).
[7] See In re Facebook Priv. Litig., 791 F. Supp. 2d at 715.
[8] See, e.g., Greenley v. Kochava, Inc., 684 F. Supp. 3d 1024, 1049 (S.D. Cal. 2023); Esparza v. Kohl’s Inc., 723 F. Supp. 3d 934, 945 (S.D. Cal. 2024).
[9] Greenley, 684 F. Supp. 3d at 1048 (citing Brown v. Google LLC, 525 F. Supp. 3d 1024, 1063).
[10] Id.
[11] Wendover Prods. LLC v. Paypal Inc., 2025 WL 3251667, at *5 (N.D. Cal. Nov. 21, 2025) (citing Van Buren, 593 U.S. at 396).
[12] Van Buren, 593 U.S. at 390.
[13] Wendover Prods. LLC, 2025 WL 3251667, at *5 (plaintiffs admit “that PayPal uses the very same permissions it was granted to carry out the challenged conduct”—since neither CFAA nor CDAFA impose any duty “to disclose how permissions will be exercised,” plaintiffs fail to demonstrate PayPal has acted without authorization).
[14] Cal. Pen. Code § 502(e)(1).
[15] In re Cap. One Fin. Corp., 2025 WL 1570973, at *14 (E.D. Va. June 2, 2025).
[16] Id. (cleaned up).
[17] See, e.g., Allison v. PHH Mortg., 2026 WL 899438, at *7 (N.D. Cal. Mar. 27, 2026).
[18] See, e.g., Doe v. Cnty. of Santa Clara, 2024 WL 3346257, at *9 (N.D. Cal. July 8, 2024); Doe v. Meta Platforms, Inc., 690 F. Supp. 3d 1064, 1082 (N.D. Cal. 2023); Cottle v. Plaid Inc., 536 F. Supp. 3d 461, 487–88 (N.D. Cal. 2021).
[19] See, e.g., Tsering v. Meta Platforms, Inc., 2026 WL 89320, at *5 (N.D. Cal. Jan. 12, 2026) (citing Smith v. Rack Room Shoes, Inc., 2025 WL 2210002, at *3 (N.D. Cal. Aug. 4, 2025)).
[20] See, e.g., Dellasala et al. v. Samba TV, Inc., 2026 WL 1138358, at *8–9 (N.D. Cal. Apr. 21, 2026); Doe v. Tenet Healthcare Corp., 789 F. Supp. 3d 814, 844–45 (E.D. Cal. 2025).