The Computer Fraud and Abuse Act (CFAA) was originally intended as a computer hacking statute and is centrally concerned with prohibiting unauthorized intrusions into computers, rather than addressing other data protection issues such as the collection or use of data. Specifically, the CFAA imposes liability when a person “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer.” A “protected computer” is broadly defined as any computer used in or affecting interstate commerce or communications, which functionally allows the statute to apply to any computer that is connected to the internet.
Violations of the CFAA are subject to criminal prosecution and can result in fines and imprisonment. The CFAA also provides a private right of action, allowing aggrieved individuals to seek actual damages and equitable relief, such as an injunction against the defendant. As with ECPA, internet users have attempted to use this private right of action to sue companies tracking their online activity, arguing that companies’ use of tracking devices constitutes unauthorized access to their computers. In this vein, the CFAA is theoretically a more generous statute than ECPA for such claims because it requires authorization from the owner of the computer (i.e., the user), rather than allowing any party to the communication (i.e., either the user or the website visited by the user) to give consent to the access. In practice, however, such claims have typically been dismissed due to plaintiffs’ failure to meet the CFAA’s damages threshold. Specifically, as a threshold to bring a private right of action, a plaintiff must show damages in excess of $5,000 or another specific type of damages such as physical injury or impairment to medical care.