A recent privacy lawsuit has many business owners worried: PowerSchool Holdings, Inc., an educational software provider, faces accusations of collecting and misusing student data without proper consent. The U.S. District Court for the Northern District of California allowed several privacy claims to proceed, ruling on March 17, 2025, in Cherkin et al. v. PowerSchool Holdings, Inc. (Case No. 24-cv-02706-JD). This case serves as a warning to businesses about the importance of handling personal data, especially from minors, with care to avoid legal consequences.
Implications for Businesses Who Violate CDAFA
This ruling underscores the growing legal scrutiny on data privacy, particularly under California laws like the Comprehensive Data Access and Fraud Act (CDAFA). Businesses risk costly lawsuits and brand damage if they fail to obtain consent or misuse data. An unexpected detail is how the court recognized privacy loss as a form of damage under CDAFA, which could set a precedent for future cases, expanding the definition of harm beyond economic loss. If you follow the other CIPA and VPPA lawsuits, you will start to notice a pattern: the claims are similar, but in most cases different law firms are filing them. That underlines the importance of good privacy hygiene, because any privacy-related law, no matter how old, can be used to sue your business and cost you millions if you are not using privacy software along with proper data governance measures.
Why Privacy Software From CaptainCompliance.com Matters
Given these risks, privacy software is crucial for businesses. It helps manage consent, map data usage, automate compliance with laws, control tracking, and maintain audit trails. For example, tools like our consent management platform can ensure explicit user consent, potentially preventing issues like those faced by PowerSchool. This is not just a safeguard but a strategic necessity in today’s data-driven world.
Comprehensive Analysis: CDAFA and Privacy Lawsuits, Including Notable Cases
The California Comprehensive Data Access and Fraud Act (CDAFA), codified in California Penal Code section 502, has become a cornerstone in privacy litigation, particularly in cases involving unauthorized access to personal data. Enacted to combat computer-related crimes, CDAFA provides a civil cause of action for individuals suffering “damage or loss,” which courts have increasingly interpreted to include privacy violations. This report, as of March 29, 2025, explores CDAFA’s role in privacy law, its application in notable lawsuits like Cherkin et al. v. PowerSchool Holdings, Inc., and why business owners should leverage privacy software to mitigate legal risks. Given the current date, this analysis reflects recent judicial trends and regulatory developments.
Understanding CDAFA and Its Privacy Implications
CDAFA, part of California Penal Code section 502, prohibits various actions, including unauthorized access, use, or modification of computer data, systems, or networks, when done “knowingly and without permission” (California Penal Code § 502(c)). Its legislative intent, as noted, is to protect the privacy of individuals by safeguarding lawfully created computers, systems, and data. While primarily a criminal statute, section 502(e)(1) allows civil lawsuits for those suffering “damage or loss,” a term courts have expanded to include non-economic harms like privacy loss.
This broad interpretation makes CDAFA a vital tool in privacy law. Unlike economic injury-focused statutes, CDAFA’s recognition of privacy harms aligns with the growing emphasis on data protection, especially under laws like the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR). Courts have cited cases like Frasco v. Flo Health, Inc. (No. 20-cv-05113, N.D. Cal. Oct. 28, 2021) to affirm that privacy violations, such as unauthorized data collection, meet the “damage or loss” threshold, reinforcing CDAFA’s role in privacy enforcement.
Notable CDAFA Privacy Lawsuits
Several cases illustrate CDAFA’s application in privacy litigation, with Cherkin et al. v. PowerSchool Holdings, Inc. being a recent and prominent example.
Cherkin et al. v. PowerSchool Holdings, Inc.
Filed in the U.S. District Court for the Northern District of California (Case No. 24-cv-02706-JD), this lawsuit involves parents and their minor children accusing PowerSchool, an educational software provider, of collecting and misusing student data without consent. The complaint alleged PowerSchool accessed data like grades, demographics, and browsing habits, using it for commercial purposes and embedding tracking technologies on students’ devices. Among eight privacy claims under California law, the CDAFA claim was significant, asserting unauthorized data access caused privacy loss.
PowerSchool moved to dismiss, arguing the complaint lacked economic injury and that their actions were not “without permission.” On March 17, 2025, the court partially denied the motion, allowing the CDAFA claim to proceed. The court rejected PowerSchool’s narrow interpretation, citing Ninth Circuit precedent in United States v. Christensen (976 F.3d 1053, 9th Cir. 2020) that improper use of data, even with valid access, violates CDAFA. It also clarified that privacy loss qualifies as “damage or loss,” referencing Frasco v. Flo Health, Inc. This ruling underscores CDAFA’s role in protecting student privacy, especially under laws like FERPA, and highlights the legal risks for businesses in educational sectors.
Other Notable Cases
- Frasco v. Flo Health, Inc. (2021): In this case, plaintiffs sued a health app for unauthorized data collection, with CDAFA claims proceeding based on privacy loss as “damage or loss.” The court’s decision set a precedent for non-economic harms, influencing later cases like PowerSchool.
- In re Vizio, Inc., Consumer Privacy Litigation (2017): CDAFA claims were part of a class action against Vizio for collecting viewing data without consent, with settlements highlighting the financial risks of non-compliance.
These cases demonstrate CDAFA’s versatility in addressing privacy violations across industries, from education to health and consumer electronics.
Legal and Business Implications
CDAFA’s application in privacy lawsuits has significant implications for businesses. The PowerSchool case, for instance, shows courts are willing to recognize privacy loss as a valid harm, potentially leading to damages, injunctive relief, and attorney’s fees under CDAFA. For businesses, this means:
- Increased Scrutiny: Handling sensitive data, especially from minors or vulnerable groups, invites legal challenges.
- Reputational Risk: Privacy breaches can erode trust, particularly in sectors like education where trust is paramount.
- Financial Exposure: CDAFA lawsuits can result in substantial costs, with penalties potentially reaching millions, as seen in settlements like Vizio’s.
The controversy around CDAFA lies in its interpretation. Some argue its “damage or loss” threshold is too broad, potentially leading to frivolous lawsuits, while others see it as essential for protecting privacy in a data-driven world. Courts’ evolving stance, as in PowerSchool, leans toward broader protection, but businesses must navigate this uncertainty.
Why Business Owners Should Use Privacy Software
Given these risks, privacy software is not just a safeguard but a strategic necessity. It helps businesses manage data practices proactively, reducing the likelihood of CDAFA violations. Key benefits include:
Function | Benefit |
---|---|
Consent Management | Ensures explicit, informed consent, preventing unauthorized data collection. |
Data Mapping | Inventories data usage, identifying vulnerabilities before they escalate. |
Compliance Automation | Aligns operations with CDAFA, FERPA, CCPA, and GDPR, reducing legal exposure. |
Tracking Control | Detects and manages embedded trackers or APIs, avoiding unauthorized sharing. |
Audit Trails | Maintains logs to prove compliance, offering a defense in legal disputes. |
For example, in the PowerSchool case, robust consent management could have ensured parental consent, while data mapping might have prevented alleged misuse by clarifying data flows. Compliance automation would align practices with FERPA and California privacy laws, mitigating CDAFA risks. By investing in such tools, businesses can build trust, stay ahead of regulatory requirements, and avoid the legal and financial pitfalls seen in recent lawsuits.
CDAFA Privacy Compliance Software Solution
CDAFA is a critical tool in privacy law, and Captain Compliance can provide software and tooling to automate your privacy requirements and help you avoid a CDAFA lawsuit and fine. Your goal with a privacy tech tool for CDAFA is to protect against unauthorized data access and to avoid giving rise to lawsuits for privacy harms. Notable cases like Cherkin v. PowerSchool and Frasco v. Flo Health highlight its significance, with courts increasingly recognizing non-economic damages. For business owners, the message is clear: prioritize privacy compliance with software solutions to navigate this complex landscape and safeguard against legal risks.