CDAFA Tracking Lawsuits: What Section 502 Means
In short: CDAFA, the California Comprehensive Computer Data Access and Fraud Act (California Penal Code § 502), is the state's anti-hacking statute, which plaintiffs are now using against website tracking tools. The CDAFA bars knowingly accessing a computer and, without permission, taking, copying, or using its data. In cookie and pixel cases, plaintiffs argue that loading third-party trackers "causes to be accessed" a visitor's data without consent. Unlike the federal CFAA, CDAFA sets no minimum-damages threshold and allows attorney's fees.
At a glance
- Statute: California Penal Code § 502, the CDAFA (sometimes written CCCDAFA)
- Federal analog: Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (CFAA)
- Tracking-case hooks: § 502(c)(7) ("knowingly and without permission ... causes to be accessed") and § 502(c)(2) ("takes, copies, or makes use of any data")
- Why plaintiffs like it: no $5,000 loss floor (the CFAA has one), compensatory damages, attorney's fees, and punitive damages for willful violations
- Travels with: CIPA (§ 631), CCPA/CPRA, intrusion upon seclusion
- Jury instructions: CACI Nos. 1812 to 1814
This article is general information, not legal advice. California's tracking-litigation law is moving quickly, and outcomes vary by court. Talk to qualified counsel about your specific situation.
If you run a website with California visitors, you already know the CIPA story. Plaintiffs' firms send demand letters and file class actions arguing that cookies, pixels, and session-replay scripts are a kind of wiretap.
Now a second statute is showing up in those same complaints: CDAFA. This guide covers what CDAFA is, why it is being used against website tracking, how it differs from CIPA, and the practical steps that reduce your exposure.
What is CDAFA (California Penal Code § 502)?
CDAFA is California's computer-access statute, the state counterpart to the federal Computer Fraud and Abuse Act. Congress passed the CFAA in 1986 as an anti-hacking law focused on interstate activity and national security. CDAFA, enacted in the late 1980s and amended several times since, focuses only on conduct within California.
CDAFA section 502(c) lists more than a dozen categories of prohibited conduct. Broadly, the statute penalizes knowingly accessing a computer without permission to alter or damage data, wrongfully acquiring or retaining access to take or use data, and related conduct. Like the CFAA, it creates a private right of action for any "owner or lessee of a computer or computer system" who "suffers damage or loss by reason of a violation."
The most important difference between CDAFA and the CFAA is what each actually targets. In United States v. Christensen (9th Cir. 2015), the court explained that the CFAA criminalizes unauthorized access, while CDAFA criminalizes the unauthorized taking or use of data.
As the court put it, CDAFA "does not require unauthorized access. It merely requires knowing access. What makes that access unlawful is that the person 'without permission takes, copies, or makes use of' data on the computer." That focus on taking and using, rather than on breaking in, is exactly why plaintiffs think CDAFA applies to website tracking.
"Access" itself is defined broadly. Under § 502(b)(1), it means to gain entry to, cause input to or output from, cause data processing with, or communicate with a computer system or network. You do not have to sit down at a keyboard to "access" a computer under this definition.
Why is CDAFA showing up in website tracking lawsuits?
Plaintiffs allege that when a website loads third-party tracking technologies, those tools collect information about visitors and send it to third parties without consent. Because the visitor never agreed to that collection or use, the argument is that this is the kind of unauthorized use that violates CDAFA.
The provision doing most of the work is § 502(c)(7), which covers "without permission accessing or causing to be accessed any computer, computer system, or computer network." The fact that a third-party tool did the data collection does not get the host website off the hook. If the site owner caused a third-party application to output a user's data, that can count as knowing access and use.
A doctrinal shift has made these claims easier to bring. Historically, courts read "without permission" to require that a defendant overcame a technical or code-based barrier, like a password wall. After the landmark Christensen case, some courts have taken a broader view.
Decisions such as Greenley v. Kochava (S.D. Cal. 2023) and Esparza v. Kohl's (S.D. Cal. 2024) reflect that reading. The practical effect is that a plaintiff no longer has to allege any circumvention. They only have to allege that data was plausibly taken or used without permission. That lower bar makes it easier to survive a motion to dismiss and helps explain the growing number of filings.
CDAFA vs CIPA: what's the difference?
CIPA and CDAFA are different statutes that often appear in the same complaint. CIPA (Penal Code § 631) is a wiretapping law: the question is whether a third party intercepted a communication in transit. CDAFA (Penal Code § 502) is a computer-access law: the question is whether someone knowingly accessed a computer and, without permission, took or used its data. Plaintiffs plead both because each one covers gaps in the other.
| | CIPA (Penal Code § 631) | CDAFA (Penal Code § 502) |
| --- | --- | --- |
| Core wrong | Wiretapping or interception of a communication in transit | Unauthorized taking or use of data from a computer |
| Question the court asks | Did a third party intercept the communication? | Did the defendant knowingly access and, without permission, take or use data? |
| Statutory damages | $5,000 per violation | None specified; compensatory damages plus attorney's fees; punitive damages for willful violations |
| "Without permission" standard | Not the framing | Broader in California (Chrisman) than the federal Van Buren reading; a technical barrier is sufficient but not required (Greenley) |
| Role in tracking suits | The dominant theory | Increasingly pleaded alongside CIPA as a second count |
One more contrast matters for budgeting risk. The CFAA imposes a $5,000 loss threshold before a civil claim can proceed. CDAFA has no comparable minimum, and it lets a prevailing plaintiff seek attorney's fees and, for willful violations, punitive damages. That combination is what makes the statute attractive to the plaintiffs' bar even when the per-person harm looks small.
Received a CDAFA demand letter? Enzuzo helps you get compliant quickly and cover your bases for any future claims. Speak with a compliance expert to understand your options.
What plaintiffs must prove (and where CDAFA claims fail)
California's pattern jury instruction for a CDAFA claim, CACI No. 1812, lays out the elements a plaintiff has to prove: that they own or lease the computer or data at issue; that the defendant knowingly committed one of the prohibited acts under § 502(c); for most of those acts, that the defendant acted without permission; that the plaintiff was harmed; and that the defendant's conduct was a substantial factor in causing that harm.
Each of those elements is a place where tracking claims can fall apart. Four battlegrounds come up again and again.
The "without permission" requirement
To state a claim, a plaintiff has to plead that the defendant acted without authorization or exceeded its authorization. As the Ninth Circuit framed it in hiQ Labs v. LinkedIn (2022), having authorization means being "specially recognized or admitted" to access the data.
The defense has a strong counterargument from the federal side. In Van Buren v. United States (2021), the Supreme Court held that the CFAA does not attach to authorized uses of a database, even when the person had an improper purpose. Authorization, the Court said, is a "gates-up-or-down" question: you either can or cannot access a computer. Defendants argue that the same logic carries over to CDAFA, so if a visitor gave a site permission to collect data, the later use of that data cannot "exceed" the authorization that was granted.
California courts are not uniform on this point. Some have read the state statute more broadly than the federal one, finding that misuse for an unpermitted purpose can violate § 502 even where access was authorized. This is an evolving and contested area, and where your case lands can depend on the judge and the district.
Consent
Consent is the defense that matters most for everyday website operators, and it is also the one most within your control. Some courts apply it narrowly. In Greenley, the court indicated that to rely on consent, a website must "explicitly notify users of the practice at issue," and that the disclosure should have only one plausible interpretation. If a disclosure does not specifically and unambiguously inform the user about the data collection happening, the consent defense can fail.
Other courts have been more forgiving, recognizing limits on how far the statute can stretch and accepting more general consent. The throughline is simple: vague, buried, or boilerplate disclosures are the weak point, and clear, specific ones are the strength. That is good news, because it is fixable.
Ownership interest
A plaintiff also has to have the required ownership or possessory interest in the computer or data. Courts have noted that ownership often tracks who created the data. Someone who drafts emails or documents stored on a third party's server generally keeps an ownership interest in them. But where a plaintiff's personal data is collected and stored by someone else, courts have suggested the plaintiff may hold a privacy interest without holding the kind of ownership interest CDAFA requires. And as a California appellate court reminded everyone in Garrabrants v. Erhart (2023), whether the plaintiff owned the data is a question of fact for the jury, not something a court can assume.
Damage or loss
Finally, the plaintiff has to show cognizable damage or loss, and this is where many tracking claims have struggled. Courts have read "damage or loss" to mean harm to the computer system or the data on it, not the data a person generates while browsing someone else's site.
Decisions like Doe v. Meta Platforms (N.D. Cal. 2023) and Cottle v. Plaid (N.D. Cal. 2021) rejected theories framed as loss of control over data or loss of the data's value. Plaintiffs have had some success arguing that a company was unjustly enriched by profiting from their data, but even that path is contested: some courts have rejected disgorgement where it would contradict the privacy claims pleaded alongside it.
How to reduce your CDAFA exposure
No tool makes a lawsuit impossible, and anyone who promises otherwise is overselling. What you can do is make the defenses above easier to actually run, by getting consent right and keeping good records. The Coblentz analysis lands on the same practical advice that good privacy hygiene has always pointed to.
- Get clear, specific consent. Generic banners are the part of the consent defense that breaks. Tell visitors what is being collected and by whom, in language with one plausible reading.
- Don't fire non-essential trackers before consent. If your pixels and analytics tags load before a visitor agrees, you have arguably already done the thing the complaint is about. Block non-essential tags until consent.
- Keep your disclosures accurate. Your privacy and cookie policies should match the technologies actually running on the site, and stay current as you add or remove tools.
- Keep a record. Be able to show who consented, to what, and when.
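The gating, disclosure-matching, and recordkeeping items above can be checked mechanically. The following is an added example, not code from the original article or from any vendor it mentions: it gates tags by consented category, builds a consent record, and audits a log of tag loads against both. The tag ids, vendors, categories, policy version string, and load-log shape are all assumptions made for illustration.

```javascript
// Constructed tag inventory; ids, vendors and categories are hypothetical.
const TAGS = [
  { id: "session-cookie", vendor: "first-party", category: "essential" },
  { id: "analytics-js", vendor: "ExampleAnalytics", category: "analytics" },
  { id: "ad-pixel", vendor: "ExampleAds", category: "advertising" },
];

// Consent record: who consented, to what, when, and under which disclosure text.
function recordConsent(visitorId, granted, policyVersion, now = new Date()) {
  return Object.freeze({ visitorId, granted: [...granted].sort(), policyVersion,
    timestamp: now.toISOString() });
}

// Essential tags always load; every other tag needs its category granted.
function allowedTags(tags, record) {
  const granted = new Set(record ? record.granted : []);
  return tags.filter(t => t.category === "essential" || granted.has(t.category))
    .map(t => t.id);
}

// Audit observed tag loads: flag tags missing from the disclosed inventory,
// loads for a category never granted, and loads that fired before consent.
function auditLoads(tags, loads, record) {
  const byId = new Map(tags.map(t => [t.id, t]));
  const granted = new Set(record ? record.granted : []);
  const consentAt = record ? Date.parse(record.timestamp) : Infinity;
  const findings = [];
  for (const load of loads) {
    const tag = byId.get(load.id);
    if (!tag) { findings.push({ id: load.id, issue: "undisclosed" }); continue; }
    if (tag.category === "essential") continue;
    if (!granted.has(tag.category)) findings.push({ id: load.id, issue: "no-consent" });
    else if (Date.parse(load.at) < consentAt) findings.push({ id: load.id, issue: "before-consent" });
  }
  return findings;
}

// Constructed load log for one page view (timestamps are sample values).
const SAMPLE_LOADS = [
  { id: "session-cookie", at: "2024-06-01T10:00:00Z" },
  { id: "analytics-js", at: "2024-06-01T10:00:01Z" },
  { id: "ad-pixel", at: "2024-06-01T10:00:06Z" },
  { id: "replay-js", at: "2024-06-01T10:00:07Z" },
];
```

Running `auditLoads` over a scanner's or tag manager's load log in CI or staging surfaces tags that fire ahead of the banner and tags the cookie policy does not list.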
This is the work Enzuzo's consent management platform is built to do. It blocks non-essential cookies and tags until a visitor consents, is Google Consent Mode v2 certified, generates privacy and cookie policies that reflect what is actually running on your site, scans your site to surface the trackers present, and keeps a record of consent you can produce later. Most teams are live in one to three days. It will not make a demand letter impossible, but it puts the consent, disclosure, and recordkeeping pieces of your defense on solid ground.
If you want to see what that looks like on your own site, book a demo.
Frequently asked questions about the CDAFA
What is CDAFA?
CDAFA is the California Comprehensive Computer Data Access and Fraud Act, codified at California Penal Code § 502. It is California's anti-hacking statute and the state counterpart to the federal Computer Fraud and Abuse Act. It penalizes knowingly accessing a computer and, without permission, taking, copying, or using its data.
Is CDAFA the same as CIPA?
No. They are separate California statutes. CIPA (§ 631) is a wiretapping law about intercepting communications. CDAFA (§ 502) is a computer-access law about taking or using data without permission. Plaintiffs in website-tracking cases often plead both in the same complaint.
Does CDAFA apply to cookies and tracking pixels?
Plaintiffs argue it does. The theory is that loading third-party trackers "causes to be accessed" a visitor's data under § 502(c)(7) and takes or uses it without consent. Courts are split on whether this works, and outcomes depend heavily on the facts and the court.
What are the penalties under California Penal Code 502?
A successful plaintiff can recover compensatory damages, including the cost of investigating the unauthorized access, plus attorney's fees at the court's discretion, and punitive damages for willful violations. Unlike the federal CFAA, CDAFA has no minimum-damages threshold.
Is consent a defense to a CDAFA claim?
Yes, and it is often the most important one. Some courts require a site to explicitly and unambiguously notify users of the specific practice at issue. Clear, specific consent is a strength; vague or buried disclosures are the weak point.
How is CDAFA different from the federal CFAA?
The CFAA targets unauthorized access; CDAFA targets the unauthorized taking or use of data, even when the initial access was permitted (United States v. Christensen, 9th Cir. 2015). CDAFA also covers only conduct within California and has no $5,000 loss threshold.
Who can sue under CDAFA?
The statute gives a private right of action to any owner or lessee of a computer or computer system who suffers damage or loss because of a violation. Whether a plaintiff has the required ownership interest in the data is a question of fact.
How do I reduce the risk of a CDAFA lawsuit?
Get specific consent before non-essential trackers load, keep your privacy and cookie disclosures accurate to the tools you actually run, and keep a record of consent. A consent management platform handles those pieces in one place.
Mate Prgin
Mate is the CEO & Founder of Enzuzo. He has an executive MBA from Ivey Business School and is a subject matter expert in data privacy and compliance.