We live in an acronym world: CIPA, VPPA, ECPA, CMIA, CCPA, ALPR, BIPA, etc.  But one acronym has gotten more use as of late: CDAFA.  CDAFA, which stands for California Comprehensive Data Access and Fraud Act, is slowly but surely becoming the next acronym to fill demand letters and complaints.  The questions are: what is it and why now?

What is CDAFA?

CDAFA, codified at California Penal Code § 502, makes it a “public offense” to, among other things:

(1)       Knowingly access[] and without permission alter[], damage[], delete[], destroy[], or otherwise use[] any data, computer, computer system, or computer network in order to either (A) devise or execute any scheme or artifice to defraud, deceive, or extort, or (B) wrongfully control or obtain money, property, or data.

(2)       Knowingly access[] and without permission take[], cop[y], or make[] use of any data from a computer, computer system, or computer network, or take[] or cop[y] any supporting documentation, whether existing or residing internal or external to a computer, computer system, or computer network.

(3)       Knowingly and without permission use[] or cause[] to be used computer services.

(6)       Knowingly and without permission provide[] or assist[] in providing a means of accessing a computer, computer system, or computer network in violation of this section.

(7)       Knowingly and without permission access[] or cause[] to be accessed any computer, computer system, or computer network.

(8)       Knowingly introduce[] any computer contaminant into any computer, computer system, or computer network.[1]

If you read that and said to yourself, “I’m sorry, what?,” you are not alone.  I litigate daily cases at the intersection of technology, privacy, and advertising and still am uncertain what CDAFA actually regulates. 

What I do know is that plaintiffs claim that companies violate CDAFA by installing on their sites third-party scripts that collect information about website users. They do this a number of ways.  First, they claim that by “installing” on a site user’s browser a cookie and using that cookie to collect certain information about the user, the company is “knowingly access[ing] and without permission tak[ing]…data from a computer” in violation of Cal. Penal Code § 502(c)(2).  Second, they claim that by allowing a third-party cookie to be installed on the user’s browser, the company is “knowingly and without permission…caus[ing] to be accessed any computer” in violation of Cal. Penal Code § 502(c)(7).  And third, they claim that the cookie, in and of itself, is a “computer contaminant”[2] “knowingly introduce[d] [to] a computer” in violation of Cal. Penal Code § 502(c)(7). 

I also know that courts are not necessarily throwing these claims out.  For example, in Allison v. PHH Mortgage[3], the Northern District of California found that the plaintiff had adequately stated a claim “under Section 502(c)(1)(B), which prohibits ‘[k]nowingly access[ing] and without permission ... us[ing] any data, computer, computer system, or computer network in order to ... wrongfully control or obtain money, property, or data,’” because the plaintiff alleged “that PHH knowingly accessed [his] data.”[4] 

Admittedly, the majority of cases involving CDAFA claims focus less on the conduct giving rise to the claims and more on the damages alleged.  The reason: only individuals who have suffered an “economic harm or loss” can bring suit under CDAFA[5], and proving economic loss in tracking cases has, in the past, been difficult, if not impossible[6].  That may not, however, be the case moving forward, as more and more courts are allowing CDAFA claims to proceed on disgorgement theories of injury[7], a fact not lost on plaintiffs’ counsel.  

Why are CDAFA claims being asserted now?

You may be wondering why CDAFA—a statute enacted in 1989—has only recently grown in popularity among the plaintiffs’ bar.  There are two reasons—the Variety writ[8] and attorneys’ fees. 

Factually, there is not much difference between a claim under California Penal Code § 638.51 (pen register / trap and trace) and a claim under CDAFA.  Both usually involve cookies and third-party scripts, and neither requires confidential or sensitive information.  The reason why § 638.51 has been a favorite of the plaintiffs’ bar is that § 638.51 includes statute damages ($5,000 per violation) and CDAFA does not.  But, statutory damages really only come into play when the parties actually intend to litigate the case through judgment, which, in the class-action world, is a rare occurrence.  Instead, the leverage comes from the cost of litigating.  But, with the Variety writ pending, § 638.51 claims are not being litigated.  They are being stayed, and stayed cases do not cost money.  For that reason, Plaintiffs have turned to CDAFA.  CDAFA claims may not provide for statutory damages, but at least they are not being immediately stayed for months, if not longer. 

On top of that, CDAFA has something CIPA does not: an attorneys’ fees provision.[9]  In other words, CDAFA claims not only have the benefit of avoiding a prolonged stay, but they also include the possibility that the defendant will have to pay the plaintiff’s counsel’s fees. 

The end result: unless and until courts provide some clarity on what CDAFA actually regulates and how, CDAFA claims are here to stay.