Earlier this week, the Ninth Circuit, yet again, concluded that data scraping public websites is not unlawful. In hiQ Labs, Inc. v. LinkedIn Corp., a case that has been ongoing for nearly five years, the Ninth Circuit affirmed its earlier decision that LinkedIn may not rely on the Computer Fraud and Abuse Act (“CFAA”) to enjoin hiQ from scraping member data from LinkedIn’s websites. This decision comes in the wake of the Supreme Court’s decision in Van Buren v. United States.
As a reminder, data scraping is a mechanism of extracting data from websites (including both public websites and websites not available to the public and accessible only to individuals with user accounts). There is no federal law that expressly prohibits the practice. As such, parties seeking to challenge the practice rely on statutes that predate the prevalence of data scraping. One such statute is the CFAA, which forbids individuals from intentionally accessing a protected computer without authorization or “exceed[ing] authorized access.”
The applicability of this statute is the central issue in the hiQ v. LinkedIn data-scraping saga that we have covered previously. To recap, hiQ is a data analytics company that filed its initial complaint against LinkedIn in 2017, alleging LinkedIn’s cease-and-desist letters to hiQ, followed by LinkedIn restricting hiQ’s access to its website, was anticompetitive and violated state and federal laws. The crux of hiQ’s complaint was that LinkedIn did not have monopoly rights to personal data made publicly available by its users, and that by scraping its website, hiQ did not violate users’ privacy rights (what LinkedIn alleges). LinkedIn, on the other hand, argued that hiQ was not entitled to a preliminary injunction, as its claims would be preempted by CFAA as a result of its unauthorized use of LinkedIn’s website.
The district court granted hiQ’s request for a preliminary injunction, forbidding LinkedIn from denying hiQ access to publicly available LinkedIn member profiles. In September 2019, the Ninth Circuit affirmed the lower court’s decision, reasoning that scraping publicly available information from LinkedIn is not a violation of the CFAA because the LinkedIn computers are publicly available, and thus, hiQ did not access the computers “without authorization” under the CFAA. LinkedIn filed a petition for writ of certiorari in March 2020, which the Supreme Court granted in June 2021. The Court issued a summary disposition, vacating the Ninth Circuit’s previous judgment, and remanding the case for additional consideration in light of the Court’s ruling in Van Buren.
As we explained here and here, the Supreme Court held in Van Buren that an individual who has legitimate access to a computer network but accesses it for an improper or unauthorized purpose does not violate the CFAA. Prior to Van Buren, several Circuits held that terms of service violations could implicate the CFAA. In rejecting this broad interpretation of the CFAA, the Court in Van Buren noted that such an interpretation “would attach criminal penalties to a breath taking amount of commonplace computer activity.” We predicted that the Van Buren Court’s holding would make it challenging to assert claims under the CFAA for terms of service violations, including for misuse of data or information contained on a company’s website that likely would have been deemed to have “exceed[ed] authorized access” under prior precedent.
The Ninth Circuit’s recent opinion confirmed our predictions. The prevailing issue that the Ninth Circuit addressed was whether hiQ’s continued scraping and use of LinkedIn member data following receipt of LinkedIn’s cease-and-desist letter constituted “without authorization” under the CFAA. In other words, the court considered whether “without authorization” encompasses situations in which prior authorization is not generally required, but a person—or bot—is refused access. Unsurprisingly, the Ninth Circuit held that the Supreme Court’s decision in Van Buren reinforced its prior holding, relying on the Court’s “gates-up-or-down” inquiry (i.e., if authorization is required and has been given, the dates are up; if authorization is required and has not been given, the gates are down). According to the Ninth Circuit, where information is on a publicly available website, “that computer has erected no gates to lift or lower in the first place.” Based on its reasoning, the court in hiQ v. LinkedIn articulated the following rule for CFAA liability:
[T]he CFAA’s prohibition on accessing a computer “without authorization” is violated when a person circumvents a computer’s generally applicable rules regarding access permissions, such as username and password requirements, to gain access to a computer. It is likely that when a computer network generally permits public access to its data, a user’s accessing that publicly available data will not constitute access without authorization under the CFAA.
In other words, only information that requires some prior authorization is encompassed under the CFAA. Publicly available information is generally not.
What does this mean for the future of data scraping litigation? Companies that maintain publicly available information on their websites cannot rely on the CFAA to prohibit others from scraping that data, even if the companies subsequently revoke access to the information, or if data scraping is a violation of the websites’ terms of use. Companies must require prior authorization, such as a username and password, to access the data in the first instance in order for scraping of that data to be actionable under the CFAA.
That is not to say that companies that maintain publicly available information are without any remedy. As the Ninth Circuit emphasized, victims of data scraping may potentially assert a state common law for trespass to chattels. Moreover, a breach of contract claim may also be viable, depending on whether the website’s terms may be deemed a browsewrap or clickwrap agreement and the relevant jurisdiction.
Stay tuned for how data scrape litigation will progress. CPW will keep you in the loop.