Covering Data Scraping, Insider Access, Consumer Tracking, and the Evolving Judicial Landscape
I. Introduction: A Convergent Framework for Digital Privacy Enforcement
Few areas of civil litigation have grown more rapidly — or more unpredictably — than claims arising under computer access and data privacy statutes. In California-centered disputes, plaintiffs and their counsel frequently plead three overlapping statutory frameworks in tandem: the federal Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030; California’s Computer Data Access and Fraud Act (CDAFA), Cal. Penal Code § 502; and the California Consumer Privacy Act (CCPA), Cal. Civil Code § 1798.100 et seq., as amended by the California Privacy Rights Act (CPRA). Each statute carries distinct elements, standing requirements, damages structures, and doctrinal fault lines — but together they form the primary arsenal through which privacy-related computer access disputes are litigated in federal and state courts.
This piece provides a litigation-focused doctrinal analysis of how these three frameworks operate individually and in combination, with attention to the most consequential case law developments, the recurring fact patterns that generate litigation, and the strategic considerations that shape how claims are pleaded, challenged, and resolved. Three contexts receive particular emphasis throughout: data scraping and unauthorized access by third parties, employee and insider access disputes, and consumer data tracking through pixels, cookies, and similar technologies.
II. The CFAA: Federal Framework, Narrow Scope, and the Van Buren Pivot
A. Statutory Architecture
The CFAA, enacted in 1986 and substantially amended in 1994 and 1996, is primarily a criminal statute that also creates a civil cause of action under § 1030(g). Civil plaintiffs must establish, among other things, that the defendant “intentionally accessed a computer without authorization or exceeded authorized access,” and that the conduct caused damage or loss exceeding $5,000 within a one-year period — a threshold that has long functioned as a meaningful barrier to small-value claims.
The statute defines two distinct theories of liability that have generated decades of litigation: (1) access “without authorization,” applicable when the defendant had no permission to access the system at all; and (2) access that “exceeds authorized access,” applicable when the defendant had some legitimate access but allegedly went beyond its permitted scope. The boundary between these theories — and the extent to which the “exceeds authorized access” prong can be used to convert contractual or terms-of-service violations into federal computer crimes — has been the central fault line in CFAA jurisprudence for the better part of two decades.
B. Van Buren v. United States (2021): The Supreme Court Narrows the Statute
The Supreme Court’s decision in Van Buren v. United States, 593 U.S. 374 (2021), resolved a longstanding circuit split and substantially curtailed the CFAA’s reach in both criminal and civil contexts. Van Buren, a Georgia police officer, had used his authorized access to a law enforcement database to look up a license plate in exchange for money — access that was technically permitted by his credentials but prohibited by department policy and the database’s terms of use.
The Court held, in an opinion by Justice Barrett, that the “exceeds authorized access” clause applies only to situations where a person accesses files, folders, or databases to which they lack permission to access at all — not to situations where someone with legitimate access uses that access for an improper purpose. The “gates-up-or-down” framework adopted by the Court means that if a user is authorized to access a particular area of a computer system, using that access for an unauthorized purpose does not constitute a CFAA violation. Only accessing areas of the system that are affirmatively off-limits — files the user has no permission to open regardless of purpose — triggers the “exceeds authorized access” theory.
The implications of Van Buren for civil CFAA litigation were immediate and substantial. Prior to the decision, some circuits — most notably the Ninth Circuit in its earlier employer-friendly precedents — had permitted CFAA claims based on employees who accessed company data for improper purposes despite having system-level authorization. Van Buren largely foreclosed that theory. It also significantly complicated data scraping claims premised on the idea that a scraper “exceeds authorized access” by violating a website’s terms of service.
C. Data Scraping and the hiQ Labs Saga
No line of CFAA litigation has received more sustained attention than the dispute between LinkedIn and hiQ Labs, which wound through the Ninth Circuit multiple times and generated some of the most important public-access precedent in the statute’s history.
hiQ Labs was a data analytics company that scraped publicly visible LinkedIn profile data — information that any unauthenticated user could view in a browser — to build workforce analytics products. LinkedIn sent a cease-and-desist letter and implemented technical blocking measures. hiQ filed suit seeking an injunction, and LinkedIn counterclaimed under the CFAA, arguing that hiQ’s continued scraping after receiving the cease-and-desist constituted access “without authorization.”
The Ninth Circuit, in hiQ Labs, Inc. v. LinkedIn Corp., 938 F.3d 985 (9th Cir. 2019), affirmed a preliminary injunction in hiQ’s favor, holding that the CFAA’s “without authorization” language likely does not apply to publicly accessible data — data that any member of the public can view without a password or other credential. The panel drew a distinction between accessing information that is “selectively open to some members of the public” and information that is fully open to all. Where no technical barrier exists, the CFAA’s authorization framework — premised on circumventing access controls — is arguably inapplicable.
After the Supreme Court vacated and remanded in light of Van Buren, the Ninth Circuit reaffirmed its core holding in hiQ Labs, Inc. v. LinkedIn Corp., 31 F.4th 1180 (9th Cir. 2022), concluding that Van Buren actually reinforced rather than undermined its prior analysis. The “gates-up-or-down” framework suggests that publicly available data — where the gate is always up — cannot be “accessed without authorization” in any CFAA-cognizable sense. The case was ultimately settled, but the Ninth Circuit’s legal framework remains highly influential across data scraping disputes.
The implications for platforms are significant: the CFAA, as currently interpreted in the Ninth Circuit, offers limited protection against scraping of publicly accessible data. Platforms that wish to restrict scraping must rely primarily on contract law (terms of service enforcement), the Computer Fraud and Abuse Act’s more limited remaining provisions, and state law alternatives — including CDAFA.
D. Insider Access and the CFAA After Van Buren
The employee access context has been dramatically reshaped by Van Buren. Prior to the decision, employer-plaintiffs frequently used the CFAA to pursue employees who downloaded confidential data before departing for a competitor, accessed HR systems to gather salary information for litigation purposes, or exfiltrated trade secrets using credentials they held legitimately. The theory was that such access “exceeded authorized access” because company policy restricted what the credentials could be used for.
Van Buren’s “gates-up-or-down” rule largely forecloses this theory unless the employer can establish that the employee accessed a specific area of the system — a particular database, folder, or record set — to which their access was affirmatively restricted, regardless of purpose. Accessing files that are technically open to the employee’s role, but for an impermissible purpose, now falls outside the CFAA’s reach.
This does not mean employers are without recourse. Claims under the Defend Trade Secrets Act (DTSA), state trade secret law, breach of fiduciary duty, and CDAFA — which as discussed below has a somewhat different access framework — remain viable. But the CFAA’s role as an all-purpose employer tool for departing-employee disputes has been substantially curtailed.
Notably, in the pre-Van Buren era, United States v. Nosal generated two significant Ninth Circuit opinions. In Nosal I, 676 F.3d 854 (9th Cir. 2012) (en banc), the court rejected an expansive reading of “exceeds authorized access” to cover policy violations, anticipating what would become Van Buren’s holding. In Nosal II, 844 F.3d 1024 (9th Cir. 2016), the court held that a former employee who used a current employee’s credentials — after his own had been revoked — accessed the system “without authorization” under the first prong of the statute. The distinction between revoked access (§ 1030 violation) and misused access (not a violation post-Van Buren) is now the critical line in insider access cases.
III. California’s CDAFA: Broader Reach, Civil Enforcement, and State-Level Teeth
A. Statutory Structure and Key Distinctions from the CFAA
California Penal Code § 502, the Computer Data Access and Fraud Act, was enacted in 1987 and has been amended several times since. Like the CFAA, it prohibits unauthorized access to computer systems and data; unlike the CFAA, it is explicitly designed to be construed broadly to protect against a wide range of computer-related misconduct. Section 502(c) sets out thirteen distinct categories of prohibited conduct, ranging from knowingly accessing a computer system without permission to disrupting, damaging, or destroying data, and to using computer services without authorization.
The civil enforcement mechanism under § 502(e) is particularly significant for litigation purposes. Any person who suffers damage or loss by reason of a violation may bring a civil action against the violator. Importantly, § 502(e) allows recovery of compensatory damages, injunctive relief, and — critically — attorney’s fees in the court’s discretion. The attorney’s fees provision makes CDAFA claims more attractive to plaintiffs’ counsel than the CFAA’s equivalent provisions in many consumer and data scraping contexts.
CDAFA also does not carry the CFAA’s $5,000 minimum damage threshold for civil claims, making it considerably more accessible in lower-value disputes. This distinction has made CDAFA the preferred vehicle in many California-centered privacy and computer access cases, often pleaded alongside — rather than in place of — the CFAA.
B. The Authorization Standard Under CDAFA
A central doctrinal question in CDAFA litigation is whether California courts will follow Van Buren’s restrictive reading of “authorization” or develop an independent state-law standard. The answer, as yet, is unsettled — though several California appellate decisions and federal district court opinions applying California law offer important guideposts.
California courts have historically applied CDAFA more broadly than post-Van Buren CFAA doctrine. In Chrisman v. City of Los Angeles, 155 Cal. App. 4th 29 (2007), the California Court of Appeal held that a police officer who accessed a law enforcement database for personal purposes — not law enforcement ones — violated CDAFA, notwithstanding his credential-based authorization. This is precisely the fact pattern Van Buren held does not constitute a CFAA violation. Whether California courts, post-Van Buren, will maintain this broader reading of CDAFA or align with federal doctrine is a live and contested question in California state court litigation.
In the data scraping context, California federal courts have sometimes held CDAFA claims viable even where CFAA claims fail on Van Buren grounds, because § 502’s statutory text and California’s legislative history support a broader conception of what constitutes “without permission.” The distinction turns in part on how California courts read the phrase “without permission” in § 502(c)(1) versus the CFAA’s “without authorization” — a textual difference that may have meaningful doctrinal consequences.
C. CDAFA in the Data Scraping Context
In Facebook, Inc. v. Power Ventures, Inc., 844 F.3d 1058 (9th Cir. 2016), the Ninth Circuit held that Power Ventures — which had scraped Facebook user data to aggregate it in a third-party platform — violated both the CFAA and CDAFA once Facebook sent a cease-and-desist letter and implemented technical blocking measures. The court’s reasoning on the timing question is important: the defendant’s initial access, arguably authorized through user consent, became unauthorized upon receipt of the cease-and-desist and subsequent IP blocking. This “revocation of authorization” theory applies under both statutes and gives platform operators a practical tool: send a documented cease-and-desist, implement technical countermeasures, then sue. The sequence of events matters for both CFAA and CDAFA claims.
The hiQ litigation also generated significant CDAFA analysis. The Ninth Circuit’s holdings on public data accessibility — that scraping publicly available information may not constitute unauthorized access — apply with equal or greater force under CDAFA given the statute’s broad remedial purpose. Platforms attempting to use CDAFA against scrapers of public data face essentially the same doctrinal headwinds they face under the CFAA.
D. CDAFA in the Insider and Employee Context
As noted above, Van Buren substantially curtailed the CFAA’s utility in departing employee disputes. CDAFA potentially offers a broader alternative, given California courts’ historical willingness to find violations where an authorized user accesses data for an impermissible purpose. However, practitioners must exercise caution: California’s strong employee protections, including Labor Code provisions and the state’s robust whistleblower statutes, may complicate CDAFA claims against employees who access employer systems for protected purposes.
A recurring scenario involves employees who access company systems, download client lists or proprietary data, and transmit it to personal email accounts or external storage shortly before resignation. CDAFA § 502(c)(2) — which prohibits “taking, copying, or making use of” data from a computer without permission — is often the more targeted provision in these cases, distinct from the general access prohibition. Courts have found this provision applicable where an employee copies data to external drives or personal cloud accounts, even if the employee had full access to the data in situ.
In NovelPoster v. Javitch Canfield Group, 140 F. Supp. 3d 954 (N.D. Cal. 2014), the district court held that a business partner who accessed a company’s email account without authorization — using credentials that had been provisionally shared but then effectively revoked — stated viable claims under both CFAA and CDAFA. The case illustrates how business relationship disputes over shared system credentials frequently give rise to parallel federal and state computer access claims.
IV. The CCPA and CPRA: A Distinct but Overlapping Privacy Framework
A. Scope and the Limited Private Right of Action
The California Consumer Privacy Act, effective January 1, 2020, and substantially expanded by the California Privacy Rights Act (Proposition 24, effective January 1, 2023), creates a comprehensive regulatory framework for the collection, sale, and disclosure of personal information by covered businesses. For litigation purposes, however, CCPA’s private right of action is substantially narrower than its regulatory scope: § 1798.150 limits private suits to claims arising from data breaches resulting from a business’s failure to implement reasonable security measures.
This means that most CCPA violations — failure to honor opt-out requests, inadequate privacy notices, unlawful sale of personal information — are enforceable only by the California Privacy Protection Agency (CPPA) or, in some circumstances, the Attorney General. The private right of action does not extend to these violations. This structural limitation has channeled litigation toward the breach context and has prompted plaintiffs’ counsel to pair CCPA breach claims with common law negligence, invasion of privacy under the California Constitution, and statutory claims under related frameworks.
B. The § 1798.150 Breach Action: Elements and Damages
To state a claim under § 1798.150, a plaintiff must allege that: (1) their nonencrypted or nonredacted personal information was subject to unauthorized access and exfiltration, theft, or disclosure; (2) as a result of the business’s failure to implement and maintain reasonable security procedures and practices appropriate to the nature of the information; and (3) they suffered damages. The statute creates a damages range of $100 to $750 per consumer per incident (or actual damages, whichever is greater), and allows injunctive relief.
The per-incident statutory damages structure, combined with class action mechanics, creates significant exposure for large-scale breaches even at the minimum statutory rate. A breach affecting one million California consumers could generate class exposure of $100 million to $750 million in statutory damages before actual damages or litigation costs. This exposure has been a significant driver of the substantial data breach class action docket in California federal courts.
Several threshold questions in § 1798.150 litigation remain actively litigated. Courts have divided on whether actual injury beyond the statutory violation itself is required for Article III standing, particularly after TransUnion LLC v. Ramirez, 594 U.S. 413 (2021), which held that every class member must have suffered a concrete injury in fact to recover damages in federal court. The interaction between TransUnion’s concreteness requirement and CCPA’s statutory damages has produced inconsistent outcomes at the class certification stage, with some courts holding that mere exposure of personal information is insufficient to confer standing absent additional harm, and others treating the statutory violation itself as sufficiently concrete.
C. Pixel Tracking and Third-Party Data Sharing: A Rapidly Expanding Litigation Frontier
The most dynamic area of California privacy litigation at present involves the deployment of third-party tracking technologies — Meta Pixel, Google Analytics tags, session replay scripts, and similar tools — on websites operated by covered businesses. These technologies transmit user data to third-party platforms in ways that may constitute “sale” or “sharing” of personal information under CCPA, particularly following CPRA’s expansion of the defined categories.
Healthcare and financial services contexts have generated particularly intense litigation. Several federal district courts have permitted CDAFA, CCPA, and California Invasion of Privacy Act (CIPA) claims to proceed against healthcare providers that deployed Meta Pixel on patient portals, transmitting protected health information to Facebook’s advertising infrastructure. In Doe v. Meta Platforms, Inc., Case No. 3:22-cv-03580 (N.D. Cal.), a consolidated class action alleged that hospitals’ use of Meta Pixel on patient-facing web portals transmitted sensitive medical information to Meta without patient authorization, giving rise to claims under CDAFA, CIPA, the federal Electronic Communications Privacy Act (ECPA), and CCPA.
The legal theory in pixel litigation typically runs as follows: when a user visits a healthcare portal and the Meta Pixel fires, it sends event data — including URL strings that may encode diagnosis codes, appointment types, or search terms — to Meta’s servers. This transmission occurs without the user’s knowledge or consent, and the data is used to target advertising. Plaintiffs argue that the healthcare provider “aided and abetted” Meta’s unauthorized receipt of their data, that the transmission constitutes an interception of electronic communications under CIPA § 631, and that the provider’s failure to disclose this sharing violated CCPA’s notice requirements.
CDAFA’s role in pixel litigation is typically predicated on § 502(c)(7), which prohibits “knowingly and without permission accessing or causing to be accessed any computer, computer system, or computer network.” The theory is that by deploying pixel code that causes the user’s browser to send data to Meta’s servers, the defendant “caused” access to the user’s device without permission. This is a novel application of CDAFA that courts have approached cautiously, with outcomes varying significantly depending on how courts construe the “caused to be accessed” language.
D. CPRA Amendments and the Expanded Regulatory Landscape
The CPRA, effective January 1, 2023, made several amendments relevant to litigation. It created a new category of “sensitive personal information” — including precise geolocation, racial or ethnic origin, religious beliefs, biometric data, health information, and the contents of messages — that carries heightened restrictions on use and sharing. Businesses must provide consumers with a right to limit the use of sensitive personal information, distinct from the right to opt out of sale.
The CPRA also created the California Privacy Protection Agency, an independent regulatory body with rulemaking and enforcement authority, effectively transferring primary enforcement responsibility from the Attorney General. The CPPA has begun issuing enforcement actions and has initiated rulemaking on automated decision-making technology, risk assessments, and cybersecurity audits — all of which have implications for the litigation landscape as regulatory standards become more defined.
For litigation purposes, the CPRA’s expanded definition of “sharing” — which now includes disclosure of personal information to third parties for cross-context behavioral advertising, regardless of monetary consideration — significantly broadens the scope of potentially actionable data practices. The original CCPA’s focus on the “sale” of personal information allowed some businesses to argue that data passed to advertising partners under data-sharing arrangements (rather than for direct monetary payment) did not trigger CCPA obligations. CPRA closes that gap.
V. Strategic Pleading: How CFAA, CDAFA, and CCPA Interact in Litigation
A. The Complementary Pleading Structure
In California privacy litigation, experienced plaintiffs’ counsel routinely plead CFAA, CDAFA, and CCPA claims together alongside related California statutory and common law claims. The strategic logic is straightforward: each statute addresses doctrinal gaps in the others, and the combined framework maximizes the probability that at least some claims survive a motion to dismiss.
CFAA provides a federal hook for jurisdiction and the benefit of federal discovery procedures, but its post-Van Buren authorization standard and $5,000 minimum damage threshold impose meaningful constraints. CDAFA plugs some of those gaps — particularly in the employee misconduct context and in cases where California’s potentially broader authorization standard matters — while the attorney’s fees provision under § 502(e) creates additional incentives. CCPA’s breach cause of action adds per-incident statutory damages and injunctive relief in the data security context. Together, they create a layered framework that is difficult to entirely dismiss at the pleading stage.
Common co-claims include: California Invasion of Privacy Act (CIPA) § 631 and § 632.7 violations, particularly in wiretapping and interception contexts; invasion of privacy under the California Constitution, Article I, § 1; common law intrusion upon seclusion; negligence; and, in appropriate cases, the federal Stored Communications Act (SCA), 18 U.S.C. § 2701 et seq.
B. Motion to Dismiss Battlegrounds
Several recurring issues dominate CFAA/CDAFA/CCPA motions to dismiss:
The authorization question under CFAA post-Van Buren is the most frequently litigated. Defendants in scraping and insider cases routinely argue that Van Buren forecloses the “exceeds authorized access” theory and that “without authorization” requires circumvention of a genuine access barrier. Plaintiffs counter, in scraping cases, that cease-and-desist letters and technical blocking measures revoke authorization prospectively, and in insider cases, that specific file-level or database-level access restrictions — not just policy restrictions — satisfy Van Buren’s “gates-up-or-down” test.
CDAFA’s independent authorization standard is an increasingly important battleground where defendants argue California courts should follow Van Buren for uniformity and plaintiffs argue the statutes are independent and California’s legislative history supports a broader reading. There is no definitive California Supreme Court ruling on this question.
Standing under CCPA § 1798.150 post-TransUnion requires plaintiffs to plead concrete injury beyond the bare statutory violation. Courts have found standing where plaintiffs allege their data was actually accessed by unauthorized parties, where they suffered identity theft or fraud, or where there is a sufficiently substantial risk of future harm. Allegations of unauthorized access to health, financial, or biometric data — categories that courts recognize as carrying inherently greater risk of harm — have generally fared better at the pleading stage than claims involving less sensitive information categories.
Damages adequacy under the $100–$750 CCPA statutory range requires courts to determine whether class-wide statutory damages would be “so severe and oppressive as to be wholly disproportioned to the offense.” Several district courts have declined to certify CCPA damages classes on this basis in smaller-scale breach cases, while large-scale breaches involving millions of consumers have generally survived this challenge.
C. Class Certification Dynamics
CCPA § 1798.150 claims are particularly well-suited to class treatment because the underlying theory — a business’s failure to implement reasonable security practices — is typically based on common conduct affecting all class members uniformly. Plaintiffs’ counsel have successfully certified CCPA data breach classes in several cases, though defendants continue to press commonality and typicality challenges, particularly where the alleged breach affected multiple data categories affecting different subsets of the putative class.
CDAFA class actions face additional challenges. The statute’s “damage or loss” requirement implies individualized injury, and courts have sometimes found that CDAFA’s civil cause of action does not map cleanly onto Rule 23’s predominance requirement where different class members were affected differently by the defendant’s conduct. In insider cases, class treatment is generally unavailable by definition; in scraping and pixel cases, courts have been more willing to find common questions predominate.
VI. Key Emerging Issues and Litigation Trends
A. AI and Automated Data Collection
The rapid proliferation of AI training datasets has generated a new wave of CFAA and CDAFA claims centered on unauthorized web scraping at scale. AI developers’ training data collection — often involving the automated download of billions of web pages, social media posts, and database records — raises the same authorization questions addressed in hiQ and Power Ventures, with the added dimension that training data collection may not resemble traditional scraping in how it accesses and stores data. Several early cases in this space are working through federal courts, and the legal frameworks developed in earlier scraping litigation will be central to their resolution.
B. The CIPA § 631 “Wiretapping” Theory
Perhaps the most aggressively expanding area of California privacy litigation is the use of CIPA § 631 as a quasi-wiretapping statute applicable to third-party session replay and chat monitoring technologies. Plaintiffs allege that when businesses deploy third-party chat tools or session replay scripts that transmit real-time user communications or behavioral data to third-party vendors, they have “aided and abetted” the interception of electronic communications in violation of CIPA. Thousands of individual and class complaints have been filed under this theory, often paired with CDAFA and CCPA claims. Courts have divided on whether CIPA § 631 applies to contemporaneous rather than post-transmission collection, and the California Supreme Court may ultimately need to resolve the split.
C. CPPA Enforcement and the Regulatory-Litigation Interface
As the California Privacy Protection Agency matures its enforcement program, the relationship between regulatory findings and civil litigation will become increasingly significant. CPPA enforcement actions — even those that result in administrative settlements rather than litigation — may establish factual records and interpretive positions relevant to private § 1798.150 cases. Defense counsel in civil litigation should monitor CPPA rulemaking and enforcement closely, as agency interpretations of key CCPA/CPRA terms will carry persuasive weight in civil proceedings.
D. Federal Privacy Legislation and Preemption Risk
The long-discussed federal comprehensive privacy legislation — which has repeatedly stalled in Congress but continues to be periodically revived — presents a potential preemption risk for California’s statutory framework. Any federal statute that expressly preempts state data privacy laws could displace CCPA and CPRA, though the scope and terms of preemption in any enacted legislation would be the central battleground. CDAFA, as a computer access and fraud statute rather than a purely data privacy law, would likely have a stronger argument for survival under most preemption theories.
VII. Conclusion: A Practitioner and Research Agenda
The CFAA, CDAFA, and CCPA constitute a layered and imperfectly integrated framework for digital privacy enforcement. Several doctrinal questions remain genuinely open and will shape the litigation landscape in the coming years:
Whether California’s independent CDAFA authorization standard will diverge from Van Buren is perhaps the most consequential unresolved issue in California computer access law. A California Supreme Court decision on point would bring clarity that lower courts and federal courts applying California law currently lack.
The scope of § 502(c)(7)’s “caused to be accessed” language — and whether it reaches pixel and tracking technology deployments — will determine whether CDAFA becomes a primary vehicle for consumer-facing tracking litigation or is limited to more traditional access scenarios.
The CCPA’s standing requirements in federal court post-TransUnion will continue to evolve as data breach class actions work through the appellate pipeline, and the Ninth Circuit will likely need to provide clearer guidance on what factual allegations are sufficient to survive dismissal.
The intersection of AI training data collection with existing computer access and privacy frameworks represents a genuinely novel doctrinal territory where the existing statutory frameworks were not designed with these use cases in mind, and where legislative or judicial innovation will be necessary.
For practitioners, the central strategic reality is that no single statute provides complete coverage for the full range of digital privacy harms. Building a durable claim requires careful attention to the specific authorization, damage, and standing requirements of each framework, an understanding of how post-Van Buren doctrine has altered the CFAA landscape, and a facility with California’s increasingly complex and actively enforced state-law privacy regime.
Principal statutes discussed: 18 U.S.C. § 1030 (CFAA); Cal. Penal Code § 502 (CDAFA); Cal. Civil Code § 1798.100 et seq. (CCPA/CPRA); Cal. Penal Code § 631 (CIPA); 18 U.S.C. § 2701 et seq. (SCA).
Key cases discussed: Van Buren v. United States, 593 U.S. 374 (2021); hiQ Labs, Inc. v. LinkedIn Corp., 31 F.4th 1180 (9th Cir. 2022); United States v. Nosal, 676 F.3d 854 (9th Cir. 2012); United States v. Nosal, 844 F.3d 1024 (9th Cir. 2016); Facebook, Inc. v. Power Ventures, Inc., 844 F.3d 1058 (9th Cir. 2016); TransUnion LLC v. Ramirez, 594 U.S. 413 (2021); Chrisman v. City of Los Angeles, 155 Cal. App. 4th 29 (2007); NovelPoster v. Javitch Canfield Group, 140 F. Supp. 3d 954 (N.D. Cal. 2014); Doe v. Meta Platforms, Inc., Case No. 3:22-cv-03580 (N.D. Cal.).
