California Comprehensive Computer Data Access and Fraud Act (CCCDAFA) and CDAFA: Privacy Lawsuits, Litigation Strategy, and Case Law


Understanding the CCCDAFA and CDAFA as a Single Statute

The California Comprehensive Computer Data Access and Fraud Act, universally abbreviated in litigation as the CDAFA and codified at California Penal Code § 502, is the cornerstone of computer access and digital privacy enforcement under California state law. When practitioners, courts, and researchers refer to CDAFA privacy lawsuits, they are referring to civil and criminal actions brought under this statute — the same law that carries the formal title California Comprehensive Computer Data Access and Fraud Act, or CCCDAFA, in its complete legislative designation. The two names are interchangeable, and both appear across court filings, legislative commentary, and academic literature. Understanding that CCCDAFA and CDAFA refer to the same statutory framework is the starting point for any analysis of California computer access litigation.

The CCCDAFA was enacted in 1987 and has been amended multiple times since, each amendment expanding its reach in response to the evolving landscape of digital misconduct. Unlike its federal counterparts, the California Comprehensive Computer Data Access and Fraud Act was explicitly designed by the California Legislature to be construed broadly, reflecting the legislature’s recognition that computer-related harm takes forms that no static statutory text can fully anticipate. That mandate for broad construction has shaped how California courts interpret CDAFA privacy lawsuits across every context in which the statute is invoked — from large-scale data scraping operations to individual employee misconduct to mass consumer tracking through third-party technology.

The Statutory Architecture of CDAFA: What Cal. Penal Code § 502 Actually Prohibits

Section 502(c) of the California Penal Code sets out thirteen distinct categories of prohibited conduct, making the CCCDAFA one of the most comprehensive computer access statutes in the country. The provisions most frequently invoked in CDAFA privacy lawsuits include § 502(c)(1), which prohibits knowingly accessing and without permission altering, damaging, deleting, destroying, or otherwise using data from a computer to devise or execute a scheme to defraud or deceive; § 502(c)(2), which prohibits knowingly and without permission taking, copying, or making use of any data from a computer system or network; and § 502(c)(7), which prohibits knowingly and without permission accessing or causing to be accessed any computer, computer system, or computer network.

That “caused to be accessed” language in § 502(c)(7) has become one of the most actively litigated provisions in modern CCCDAFA privacy lawsuits, particularly in cases involving third-party tracking technologies and pixel-based data transmission. Its breadth reflects the California Legislature’s intent that CDAFA reach not only direct unauthorized access but conduct that causes or enables access by others — a formulation that courts have applied with varying degrees of expansiveness depending on the factual context.

The civil enforcement mechanism under § 502(e) is what makes CDAFA privacy lawsuits practically viable at scale. Any person who suffers damage or loss by reason of a violation may bring a civil action for compensatory damages, injunctive relief, and — critically — attorney’s fees in the court’s discretion. Unlike federal computer access statutes, CDAFA carries no minimum damage threshold for civil claims. This combination of fee-shifting, no minimum damages, and broad prohibited conduct categories makes the CCCDAFA the most plaintiff-friendly computer access statute available in California litigation, and it explains why CDAFA claims appear as a matter of near-routine in California privacy lawsuits whether or not other statutory theories are also available.

The Authorization Standard in CDAFA Privacy Lawsuits

The central doctrinal question that runs through nearly every category of CCCDAFA and CDAFA litigation is what it means to act “without permission.” Unlike the federal standard — which the U.S. Supreme Court substantially narrowed in Van Buren v. United States, 593 U.S. 374 (2021) to require access to an affirmatively restricted area of a system regardless of purpose — California courts have historically applied a broader conception of permission that encompasses not only credential-based access restrictions but purpose-based limits on otherwise-accessible systems.

The foundational California appellate statement on this question is Chrisman v. City of Los Angeles, 155 Cal. App. 4th 29 (2007), in which the California Court of Appeal held that a police officer who accessed a law enforcement database for personal purposes — rather than legitimate law enforcement purposes — violated CDAFA despite holding valid system credentials. The court’s reasoning was unambiguous: authorization to access a system for defined purposes does not constitute permission to access that system for other purposes. This purpose-based theory of CDAFA liability is precisely what the Supreme Court held was insufficient under the federal standard in Van Buren, and the divergence between Chrisman and Van Buren has created a significant fault line in California privacy litigation.

No California Supreme Court decision has definitively resolved whether CCCDAFA’s “without permission” standard tracks the narrower federal interpretation or retains its broader independent scope. That unresolved question shapes litigation strategy in every insider access and purpose-based misuse case brought under CDAFA. Plaintiffs’ counsel should affirmatively argue that CCCDAFA and CDAFA interpret “without permission” independently under California law and that Chrisman remains controlling in California state court proceedings. Defense counsel, particularly in federal proceedings where uniformity between federal and state standards has intuitive appeal, should press for alignment with the narrower federal framework. Until the California Supreme Court speaks definitively, both arguments remain available and courts have accepted each in different procedural contexts.

CDAFA Privacy Lawsuits in the Data Scraping Context

Data scraping litigation has produced some of the most consequential CCCDAFA and CDAFA case law in the statute’s history, driven in large part by the proliferation of automated data collection across social media platforms, professional networks, real estate databases, and e-commerce infrastructure. The core legal question in scraping-based CDAFA privacy lawsuits is whether automated collection of data from a website or platform constitutes access “without permission” within the meaning of Cal. Penal Code § 502 — and the answer turns on the nature of the data, the technical barriers in place, and critically, whether the platform has taken steps to revoke whatever permission may have existed.

The revocation theory, established in Facebook, Inc. v. Power Ventures, Inc., 844 F.3d 1058 (9th Cir. 2016), is the most reliable litigation tool available to platform operators pursuing scraping defendants under CDAFA. Power Ventures had aggregated Facebook user data for a competing third-party platform. The Ninth Circuit held that once Facebook issued a cease-and-desist letter and implemented technical blocking measures, Power Ventures’ continued access was “without permission” under CDAFA as well as the federal statute. The legal significance of the decision for CCCDAFA and CDAFA litigation is the temporal framing it establishes: the letter and the technical countermeasures together revoked whatever permission had previously existed, and continued scraping thereafter was actionable. Practitioners advising platform clients should treat documented cease-and-desist correspondence and contemporaneous implementation of IP blocks, CAPTCHA measures, or other technical countermeasures as a necessary predicate to any CDAFA scraping claim, because the revocation sequence is what transforms technically accessible data collection into conduct actionable under § 502.

The publicly accessible data question has generated significant CDAFA litigation in the wake of the Ninth Circuit’s decisions in the hiQ Labs and LinkedIn dispute, hiQ Labs, Inc. v. LinkedIn Corp., 31 F.4th 1180 (9th Cir. 2022). While that litigation focused heavily on the federal standard, the underlying question of whether scraping publicly available data — data accessible to any unauthenticated user without credentials or technical barriers — constitutes access “without permission” under CDAFA remains consequential. California federal courts applying CDAFA have sometimes sustained scraping claims even on public data theories, reasoning that § 502’s broader remedial purpose and the California Legislature’s expansive construction mandate support treating a platform’s terms of service, combined with a documented cease-and-desist, as conferring actionable “without permission” status. The divergence between CDAFA’s potentially broader reach and the federal framework’s requirement of a genuine technical access barrier is one of the reasons platforms operating in California routinely plead CDAFA claims alongside federal theories in scraping disputes.

The emergence of AI training data collection as a scraping-adjacent litigation context has begun generating CCCDAFA and CDAFA privacy lawsuits in which the scale and purpose of automated data collection are qualitatively different from traditional scraping scenarios. AI developers collecting training datasets through automated web crawling raise the same authorization questions addressed in Power Ventures and hiQ, with the added dimension that AI training collection may extract and store data in ways that differ structurally from conventional scraping. Several early cases working through California federal courts will test whether CDAFA’s framework applies to large-scale AI training data collection in the same way it applies to commercial data aggregation scraping, and the outcomes will have significant implications for how the CCCDAFA is understood in the context of generative AI development.

CDAFA Privacy Lawsuits Involving Employee and Insider Access

Employee and insider access disputes constitute one of the most active categories of CCCDAFA and CDAFA privacy lawsuits in California, driven by the frequency with which departing employees, disgruntled insiders, and business partners misuse system access in ways that cause cognizable harm to employers, clients, and third parties. The CDAFA’s broad prohibited conduct categories — and particularly the § 502(c)(2) prohibition on “taking, copying, or making use of” data without permission — make it a more versatile tool in insider access cases than narrower statutory frameworks, and its fee-shifting provision makes it attractive to employer-plaintiffs in cases where the damages calculus alone might not justify litigation.

The most common fact pattern in insider CDAFA privacy lawsuits involves an employee who, prior to resignation or termination, downloads confidential data — client lists, pricing information, proprietary methodologies, or personnel records — to personal devices, external drives, or cloud accounts. Under the purpose-based authorization theory preserved in Chrisman, such conduct may constitute a CDAFA violation even where the employee held valid credentials to access the underlying data in situ, because the act of copying and exfiltrating for an impermissible purpose exceeds the scope of permission that credential access confers. The § 502(c)(2) “taking, copying, or making use of” theory is particularly well-suited to this scenario because it focuses on the exfiltration act rather than the access act, and courts have found it applicable where employees transferred data to personal accounts regardless of whether their system access itself was authorized.

In NovelPoster v. Javitch Canfield Group, 140 F. Supp. 3d 954 (N.D. Cal. 2014), the district court found viable CDAFA claims where a business partner accessed a company’s email account using credentials that had been provisionally shared in the context of the commercial relationship but had not been formally revoked at the time of the access. The case illustrates how CCCDAFA and CDAFA liability can arise in commercial relationship disputes over shared system credentials — a scenario increasingly common as cloud-based business tools, shared project management platforms, and collaborative software environments create informal credential-sharing practices that become legally contested when business relationships deteriorate.

Former employee access using still-active credentials presents a distinct theory under CDAFA that does not depend on the purpose-based authorization debate. Where an employer has terminated an employee’s access — either by deactivating credentials, removing system permissions, or communicating an unambiguous revocation — any subsequent access using cached credentials, a colleague’s login, or other means constitutes access “without permission” in the straightforward technical sense, and CDAFA liability attaches without the need to invoke the broader purpose-based theory. This aligns with the principle the Ninth Circuit established in the context of the federal statute in United States v. Nosal, 844 F.3d 1024 (9th Cir. 2016) — that a defendant whose access has been affirmatively revoked and who continues to access the system does so without authorization — and the same logic applies with full force under CDAFA’s “without permission” language.

CDAFA insider access privacy lawsuits frequently appear alongside claims under the California Uniform Trade Secrets Act (CUTSA), breach of fiduciary duty, breach of the duty of loyalty, conversion, and common law unfair competition. The interaction between CUTSA and CDAFA requires careful attention: California courts have held that CUTSA preempts some common law claims arising from trade secret misappropriation, but CDAFA claims — which are premised on computer access rather than on trade secret status — generally survive CUTSA preemption and provide an independent basis for liability and attorney’s fees recovery even where the misappropriated information does not qualify as a trade secret.

CDAFA Privacy Lawsuits and Third-Party Tracking Technologies

The deployment of third-party tracking technologies on consumer-facing websites and applications has generated the most rapidly expanding category of CCCDAFA and CDAFA privacy lawsuits in recent years. Pixel-based tracking tools, session replay scripts, behavioral analytics tags, and similar technologies transmit user data to third-party platforms — most prominently Meta and Google — in ways that plaintiffs allege constitute unauthorized access to or use of user devices and data within the meaning of Cal. Penal Code § 502. The legal theory is novel, the factual patterns are common across entire industries, and the potential exposure is substantial enough that CDAFA pixel litigation has become one of the most significant areas of California privacy class action practice.

The operative legal mechanism in pixel-based CDAFA privacy lawsuits typically runs through § 502(c)(7)’s prohibition on “causing to be accessed” any computer, computer system, or computer network without permission. When a user visits a website on which Meta Pixel has been deployed and the pixel fires, it causes the user’s browser to send event data — including URL strings that may encode sensitive information such as medical appointment types, financial account activity, or health-related search queries — to Meta’s servers without the user’s meaningful knowledge or consent. Plaintiffs argue that by deploying pixel code that operates in this manner, the defendant website operator “caused to be accessed” the user’s device and transmitted user data to a third party without permission, satisfying § 502(c)(7)’s elements.

The most significant CCCDAFA and CDAFA privacy lawsuits arising from pixel tracking have emerged from the healthcare sector. In Doe v. Meta Platforms, Inc., Case No. 3:22-cv-03580 (N.D. Cal.), a consolidated class action, plaintiffs alleged that hospitals and healthcare providers deployed Meta Pixel on patient portals and appointment scheduling pages in ways that transmitted protected health information to Meta’s advertising infrastructure. The CDAFA claims in that litigation advanced the “caused to be accessed” theory against both the healthcare providers that deployed the pixel and Meta as the recipient of the transmitted data. The case has proceeded through significant procedural litigation, and its ultimate resolution on the CDAFA theories will be a landmark in the statute’s application to pixel tracking conduct.

Courts have approached the “caused to be accessed” theory with varying degrees of receptivity. Those that have permitted CDAFA pixel claims to proceed generally reason that the user did not knowingly or voluntarily authorize the transmission of their behavioral, health, or financial data to a third-party advertising platform, and that the website operator’s role in causing that transmission — by deliberately deploying the pixel code — is sufficient to satisfy § 502(c)(7). Those that have limited or rejected the theory tend to emphasize that the user’s browser, rather than the defendant, technically initiates the data transmission, and that CDAFA was not designed to regulate conduct of this type. The absence of a definitive California appellate ruling on the “caused to be accessed” theory in the pixel context means that outcomes continue to vary significantly by judge and district, making the theory viable but uncertain in any given case.

CCCDAFA and CDAFA tracking privacy lawsuits are routinely paired with claims under the California Invasion of Privacy Act, Cal. Penal Code § 630 et seq. — particularly § 631, which prohibits aiding and abetting the interception of wire communications. The CIPA § 631 theory in tracking cases — that pixel deployments constitute facilitating the interception of electronic communications in transit — has generated thousands of individual and class filings in California state and federal courts and is now the highest-volume area of California privacy litigation. CDAFA claims add a complementary layer of liability in these cases, particularly where the CIPA interception theory faces the contested question of whether contemporaneous collection constitutes “interception” under the statute. Together, CCCDAFA and CIPA claims create a layered framework in pixel litigation that is difficult to dismiss entirely at the pleading stage.

Strategic Pleading in CCCDAFA and CDAFA Privacy Lawsuits

Experienced plaintiffs’ counsel in California privacy litigation plead CDAFA claims alongside CIPA, the California Consumer Privacy Act (CCPA and its CPRA amendments), common law invasion of privacy under the California Constitution Article I § 1, intrusion upon seclusion, negligence, and in federal proceedings, the federal Stored Communications Act, 18 U.S.C. § 2701 et seq. The strategic logic is that each theory addresses doctrinal gaps in the others, and the CCCDAFA’s combination of broad prohibited conduct categories, no minimum damage threshold, and attorney’s fees provision makes it one of the most durable claims in the portfolio — frequently surviving motions to dismiss even when other theories are narrowed or dismissed.

On the defense side, the most productive early strategies in CDAFA privacy lawsuits involve challenging the “without permission” element through the Van Buren alignment argument in federal proceedings, attacking the “damage or loss” element where the plaintiff has not pleaded cognizable economic harm or system impairment, and — in pixel and tracking cases — pressing the theory that the autonomous transmission of data by the user’s browser does not constitute the defendant “causing” access within the meaning of § 502(c)(7). The attorney’s fees provision under § 502(e) creates meaningful settlement pressure even in cases where liability is genuinely contested, and defense counsel should factor the fee-shifting risk into early case assessment in any CDAFA matter.

Motions to dismiss in CCCDAFA and CDAFA privacy lawsuits most commonly contest three elements: whether the access was truly “without permission” given the defendant’s credentials or the platform’s public accessibility; whether the plaintiff has adequately pleaded “damage or loss” as distinct from the mere occurrence of access; and in class actions, whether individualized issues regarding permission and harm predominate over common questions in ways that make class treatment inappropriate. Each of these challenges has succeeded in some cases and failed in others, and the outcomes tend to turn heavily on the specificity of the factual allegations and the particular judge’s approach to the CDAFA’s broadly remedial scope.

Class Certification Dynamics in CCCDAFA and CDAFA Privacy Lawsuits

Class certification presents the most consequential procedural battleground in CCCDAFA and CDAFA privacy lawsuits, and the suitability of any given case for class treatment varies substantially depending on the litigation context. The structural fit between Cal. Penal Code § 502 claims and Rule 23’s requirements for commonality, typicality, and predominance is strongest in cases involving uniform conduct directed at a defined population — mass scraping, platform-wide pixel deployment, systematic insider data collection — and weakest in cases where the nature of the access, the data affected, and the harm suffered vary materially across putative class members.

In data scraping class actions brought under CDAFA, predominance under Rule 23(b)(3) is typically the strongest argument for certification because the defendant’s conduct — deploying a scraper, continuing access after revocation, accessing a platform’s data at scale — is uniform across the class. The central legal questions of whether the access was “without permission” and whether the statutory elements are satisfied do not vary by individual class member, which means that a single adjudication resolves liability as to the entire class. Courts have certified scraping classes under CCCDAFA and related theories where the platform itself brings suit on behalf of its users or where a user class can establish uniform harm from the unauthorized collection of their data. Damages individualization remains a recurring challenge even in well-certified scraping classes, and defendants routinely press the argument that calculating each class member’s share of damages requires individualized inquiry that defeats predominance on the damages side even where liability is common.

CDAFA class actions arising from pixel and tracking technology deployment represent the most actively litigated class certification context under the CCCDAFA at present. The conduct at issue — deploying a pixel across a website — is uniform and common to all users who visited the affected pages, which supports commonality and typicality. The predominant challenge in pixel class certification is whether the data transmitted for each class member was sufficiently similar in nature and sensitivity to allow damages to be calculated on a class-wide basis. Courts have generally been willing to certify damages classes in CDAFA pixel cases where all class members visited the same categories of sensitive pages — patient portal login pages, appointment scheduling systems, financial account management interfaces — and the same categories of data were transmitted for each. Certification has faced greater resistance where the allegedly transmitted data varied significantly across the class, with some class members having accessed highly sensitive information and others having visited only general informational pages, because that variation raises individualized questions about both the nature of the harm and the appropriate measure of damages for each subgroup.

In insider access cases, class treatment under CCCDAFA and CDAFA is almost universally unavailable by the nature of the claims. Insider privacy lawsuits under Cal. Penal Code § 502 involve inherently individualized facts about what specific employees or business partners accessed, when the access occurred, what permission framework governed their credentials, and what cognizable harm resulted from the particular access. Even where multiple plaintiffs were harmed by the same insider — for example, clients whose data was exfiltrated by a departing employee — the individualized nature of the data affected and the harm suffered typically defeats the commonality showing that class certification requires. Multi-plaintiff coordination in insider cases is more effectively pursued through joinder or consolidated individual actions than through class certification.

The attorney’s fees provision under § 502(e) interacts with class certification dynamics in ways that are strategically important for both sides. In a certified CDAFA class, a prevailing plaintiff class is positioned to seek attorney’s fees on a class-wide basis, which can generate fee awards that dwarf the underlying damages recovery in cases involving modest per-class-member harm but significant litigation complexity. That prospect intensifies settlement pressure and has contributed to the frequency with which CCCDAFA and CDAFA privacy lawsuits in the pixel and tracking context resolve through substantial class settlements rather than proceeding to judgment. Defense counsel in CDAFA class actions should factor the fee-shifting exposure into settlement authority calculations at every stage of litigation, because the fees tail can be as significant as the damages exposure in well-pleaded class cases.

The interaction between CDAFA class actions and CCPA § 1798.150 data breach claims in cases involving both computer access and data security failures creates an additional certification dynamic worth noting. Where a single course of conduct gives rise to both CDAFA claims — for unauthorized access — and CCPA claims — for failure to implement reasonable security practices — the class definition and damages theory for each statutory claim may not be fully coextensive. CCPA’s per-incident statutory damages of $100 to $750 per consumer provide a defined floor that can anchor class-wide damages calculations, while CDAFA’s “damage or loss” element may require a different showing depending on whether economic harm or system impairment can be established class-wide. Practitioners building multi-theory California privacy class actions should carefully consider whether to pursue a unified class definition covering both theories or separate subclasses tailored to each statutory framework, as the certification analysis for each may diverge in ways that affect the overall class structure.
