Facebook, Inc. v. Vachani, No. 13-17102 (9th Cir. 2016)
Annotate this CaseFacebook filed suit against Power over a promotional campaign where Power accessed Facebook users’ data and initiated form emails and other electronic messages promoting its website. The court concluded that Power did not violate the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM), 15 U.S.C. 7706(g)(1), because neither e-mails nor internal messages sent through Power’s promotional campaign were materially misleading. Therefore, the court reversed the district court's judgment as to this claim and remanded for entry of judgment for defendants. The court held that a defendant can run afoul of the Computer Fraud and Abuse Act of 1986 (CFAA), 18 U.S.C. 1030(a)(2)(C), when he or she has no permission to access a computer or when such permission has been revoked explicitly. The court also held that a violation of the terms of use of a website - without more - cannot be the basis for liability under the CFAA. In this case, after receiving the cease and desist letter from Facebook, Power intentionally accessed Facebook’s computers knowing that it was not authorized to do so, making Power liable under the CFAA. Therefore, the court affirmed in part the holding of the district court with respect to the CFAA. The court also affirmed in part the district court’s holding that Power violated California Penal Code section 502 where Power knowingly accessed and without permission took, copied, and made use of Facebook’s data; affirmed the district court’s holding that Power's CEO, Steven Vachani, is personally liable for Power’s actions; and affirmed the discovery sanctions imposed against Power for non-compliance during a Rule 30(b)(6) deposition. However, the court vacated the injunction and the award of damages, remanding the case to the district court to reconsider appropriate remedies.
Court Description: CAN-SPAM Act / Computer Fraud. The panel affirmed in part and reversed and vacated in part the district court’s summary judgment in favor of Facebook, Inc., on its claims against Power Ventures, Inc., a social networking company that accessed Facebook users’ data and initiated form e-mails and other electronic messages promoting its website. Reversing in part, the panel held that Power’s actions did not violate the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003, or CAN-SPAM Act, which grants a private right of action for a provider of Internet access service adversely affected by the transmission, to a protected computer, of a message that contains, or is accompanied by, header information that is materially false or materially misleading. The panel held that here, the transmitted messages were not materially misleading. Reversing in part and affirming in part, the panel held that Power violated the Computer Fraud and Abuse Act of 1986, or CFAA, which prohibits acts of computer trespass by those who are not authorized users or who exceed authorized use, and California Penal Code § 502, but only after it received a cease and desist letter from Facebook and nonetheless continued to access Facebook’s computers without permission. With regard to authorization, the panel stated that a defendant can run afoul of the CFAA when he or she has no 4 FACEBOOK V. VACHANI permission to access a computer or when such permission has been revoked explicitly. Once permission has been revoked, technological gamesmanship or the enlisting of a third party to aid in access will not excuse liability. The panel also stated that a violation of the terms of use of a website, without more, cannot be the basis for liability under the CFAA. The panel vacated the district court’s awards of injunctive relief and damages and remanded for consideration of appropriate remedies under the CFAA and § 502.
Some case metadata and case summaries were written with the help of AI, which can produce inaccuracies. You should read the full case before relying on it for legal research purposes.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.