Which platforms does CFAA apply to?

ConductAtlas tracks CFAA-relevant provisions across 100 platforms. Visit the regulation page to see all affected platforms and their specific provisions.

How does ConductAtlas monitor CFAA compliance?

ConductAtlas captures policy documents daily, classifies provisions by regulatory framework, and flags changes that affect CFAA obligations. Every change is archived with cryptographic verification.

18 U.S.C. § 1030

Computer Fraud and Abuse Act

Statute — United States Federal

Effective: October 16, 1986 100 platforms tracked 1047 provisions indexed Enforced by: U.S. Department of Justice (DOJ), Federal Courts (private right of action), FBI Last reviewed May 9, 2026

Overview

The Computer Fraud and Abuse Act is the primary federal anti-hacking statute. For platform governance, CFAA is foundational because it provides the legal framework under which platforms define and enforce 'authorized access' through their terms of service.

The Supreme Court's 2021 decision in Van Buren v. United States narrowed 'exceeds authorized access' to mean accessing information a person is not entitled to, rather than using permitted access for impermissible purposes.

Platform terms of service routinely reference CFAA-adjacent concepts: prohibitions on scraping, automated access, reverse engineering, and accessing accounts without authorization.

Penalties

Criminal: up to 5-20 years imprisonment. Civil: compensatory damages and injunctive relief (requires $5,000 minimum loss).

Key Articles & Sections

§ 1030(a)(2) Unauthorized Access to Obtain Information

Prohibits intentionally accessing a computer without authorization to obtain information from any protected computer.
Read full text →
§ 1030(a)(5) Damage to Protected Computers

Prohibits knowingly causing damage to protected computers through transmission of programs, code, or commands.
Read full text →
§ 1030(g) Civil Action

Private right of action for compensatory damages and injunctive relief for violations causing loss of at least $5,000.
Read full text →

Platforms We Track Subject to CFAA

23andMe

8 relevant provisions

Acorns

3 relevant provisions

Activision

1 relevant provision

Adobe

4 relevant provisions

ADP

0 relevant provisions

Adyen

2 relevant provisions

Affirm

1 relevant provision

Afterpay

3 relevant provisions

AI21 Labs

3 relevant provisions

Airbnb

2 relevant provisions

Airtable

0 relevant provisions

Allstate

0 relevant provisions

Amazon

41 relevant provisions

Amazon Marketplace

0 relevant provisions

American Airlines

2 relevant provisions

Amplitude

3 relevant provisions

Ancestry

2 relevant provisions

Anthropic

32 relevant provisions

Anyscale

2 relevant provisions

Apple

5 relevant provisions

Apple App Store

3 relevant provisions

Apple Pay

6 relevant provisions

Arlo

0 relevant provisions

Asana

2 relevant provisions

Atlassian

4 relevant provisions

AT&T

2 relevant provisions

Audible

1 relevant provision

Auth0

3 relevant provisions

AWS

3 relevant provisions

AWS Bedrock

7 relevant provisions

Showing 30 of 100 platforms. View all platforms →

Recent Changes Related to CFAA

Jun 6, 2026 Dun & Bradstreet Low

Dun & Bradstreet removed 7 sentences from their privacy policy that previously explained cookie preferences, chat functionality, and links to their Cookie Policy. The removed language included option…
View change record →
Jun 6, 2026 Dun & Bradstreet Medium

Dun & Bradstreet removed seven sentences from their Terms of Use that described cookie preferences, chat functionality, and related data handling disclosures. The removed language explained how users…
View change record →
Jun 6, 2026 American Airlines Medium

American Airlines removed 12 sentences from its Terms of Use that previously disclosed how cookies and personal data are collected on its website. The removed language explained what cookies do, what…
View change record →
Jun 6, 2026 Ideogram Low

Ideogram's Terms of Service on June 6, 2026 underwent formatting and structural updates rather than substantive operational changes. The detected revisions involved 2 sentences added, 76 sentences re…
View change record →
Jun 6, 2026 Ideogram Medium

Ideogram's updated privacy policy replaces a general reference statement with a detailed table that specifies which categories of personal information are collected and which parties receive each cat…
View change record →
Jun 6, 2026 Writer Low

Writer removed 21 sentences from its Terms of Service that previously described cookie usage, consent mechanisms, and user opt-out rights for targeted advertising. The updated terms no longer include…
View change record →
Jun 6, 2026 Kindle Low

The detected change consists of navigation and header elements on the Kindle Store Terms of Use page, including removal of 'Amazon Fresh' and 'FoodMaxx' from the category list, addition of 'Same-Day …
View change record →
Jun 6, 2026 Medium Low

Medium's privacy policy was updated on June 6, 2026 to add engagement metrics (53K views, 13 responses) to the policy document header. The change is purely editorial and adds visible article engageme…
View change record →
Jun 6, 2026 Medium Low

Medium's Terms of Service display was updated on June 6, 2026 to include engagement metrics (46K views, 11 shares) alongside the document header. This is a formatting and display change to the webpag…
View change record →
Jun 6, 2026 Ancestry Medium

Ancestry removed a single sentence from their Terms and Conditions footer on June 6, 2026. The removed text contained a link or reference to 'Do Not Sell or Share My Personal Information,' a disclosu…
View change record →

ⓘ

ConductAtlas maps governance language to potentially relevant regulatory frameworks. Regulatory applicability and enforceability may vary by jurisdiction, enforcement context, and individual circumstances. This page is informational and does not constitute legal advice. Methodology