Facebook, Inc. v. Power Ventures, Inc., 828 F.3d 1068

Power Ventures operated Power.com, which aggregated users’ social networking data; users could click a “Yes, I do!” button to share a Power promotion via their Facebook account.
When a Power user shared an event, Facebook generated form messages: internal Facebook messages or external e‑mails that bore “Facebook” in the from line and were signed “The Facebook Team.”
Facebook sent Power a written cease-and-desist letter on December 1, 2008, and imposed IP blocks; Power admitted it knowingly continued the campaign and employed new IP addresses to evade blocks.
Facebook sued Power (and CEO Steven Vachani) under the CAN‑SPAM Act, the CFAA, and California Penal Code § 502; the district court granted summary judgment to Facebook on all claims and assessed damages and injunctive relief.
The Ninth Circuit reversed the CAN‑SPAM judgment, affirmed CFAA and § 502 liability only for conduct after Facebook revoked access, affirmed Vachani’s personal liability, affirmed discovery sanctions, vacated injunction and earlier damages awards, and remanded for recalculation of remedies limited to the post‑revocation period.

Issue	Facebook's Argument	Power's Argument	Held
Whether messages violated CAN‑SPAM by having materially false or misleading headers	Messages were misleading because they appeared to originate from Facebook and concealed Power’s role	Messages were not materially misleading because Facebook (and users) participated in initiating them and headers accurately reflected that	Reversed: messages were not materially misleading; no CAN‑SPAM liability
Whether Power violated the CFAA by accessing Facebook computers without authorization	Power accessed Facebook after notice and IP blocks; Facebook suffered >$5,000 in losses	Power had user consent and thus authorization; IP circumvention was not actionable	Affirmed in part: CFAA liability only after Facebook’s cease‑and‑desist and blocks; Facebook showed >$5,000 loss
Whether Power violated Cal. Penal Code § 502 (computer data theft)	Power knowingly accessed and used Facebook data after being told to stop	Initial user consent meant access was authorized; statutory liability requires knowing lack of permission	Affirmed in part: § 502 liability for access after Facebook revoked permission
Whether Vachani is personally liable for corporate actions	Vachani directed and conceived the promotion and participated in decisions to continue despite notice	Power is the corporate actor; Vachani argues no personal wrongdoing	Affirmed: Vachani was the guiding spirit and thus personally liable

Gordon v. Virtumundo, Inc., 575 F.3d 1040 (9th Cir. 2009) (CAN‑SPAM framework and materially misleading standard)
LVRC Holdings LCC v. Brekka, 581 F.3d 1127 (9th Cir. 2009) (authorization revoked by employer bars CFAA defense)
United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) (en banc) (limits on using website terms‑of‑service violations to impose CFAA liability)
United States v. Christensen, 801 F.3d 970 (9th Cir. 2015) (distinguishing California § 502 from federal CFAA; § 502 requires knowing access)
Johnson v. Poway Unified Sch. Dist., 658 F.3d 954 (9th Cir. 2011) (de novo review of summary judgment)
Venetian Casino Resort L.L.C. v. Local Joint Exec. Bd., 257 F.3d 937 (9th Cir. 2001) (appellate affirmation on any ground supported by the record)