May 26, 2022

Volume XII, Number 146

hiQ Labs v. LinkedIn

Earlier this week, the Ninth Circuit, yet again, concluded that data scraping public websites is not unlawful. In hiQ Labs, Inc. v. LinkedIn Corp., a case that has been ongoing for nearly five years, the Ninth Circuit affirmed its earlier decision that LinkedIn may not rely on the Computer Fraud and Abuse Act (“CFAA”) to enjoin hiQ from scraping member data from LinkedIn’s websites. This decision comes in the wake of the Supreme Court’s decision in Van Buren v. United States.

As a reminder, data scraping is a mechanism of extracting data from websites (including both public websites and websites not available to the public and accessible only to individuals with user accounts). There is no federal law that expressly prohibits the practice. As such, parties seeking to challenge the practice rely on statutes that predate the prevalence of data scraping. One such statute is the CFAA, which forbids individuals from intentionally accessing a protected computer without authorization or “exceed[ing] authorized access.”

The applicability of this statute is the central issue in the hiQ v. LinkedIn data-scraping saga that we have covered previously. To recap, hiQ is a data analytics company that filed its initial complaint against LinkedIn in 2017, alleging that LinkedIn’s cease-and-desist letters to hiQ, followed by LinkedIn restricting hiQ’s access to its website, were anticompetitive and violated state and federal laws. The crux of hiQ’s complaint was that LinkedIn did not have monopoly rights to personal data made publicly available by its users, and that by scraping its website, hiQ did not violate users’ privacy rights (as LinkedIn alleges). LinkedIn, on the other hand, argued that hiQ was not entitled to a preliminary injunction, as its claims would be preempted by the CFAA as a result of its unauthorized use of LinkedIn’s website.

The district court granted hiQ’s request for a preliminary injunction, forbidding LinkedIn from denying hiQ access to publicly available LinkedIn member profiles. In September 2019, the Ninth Circuit affirmed the lower court’s decision, reasoning that scraping publicly available information from LinkedIn is not a violation of the CFAA because the LinkedIn computers are publicly available, and thus, hiQ did not access the computers “without authorization” under the CFAA. LinkedIn filed a petition for writ of certiorari in March 2020, which the Supreme Court granted in June 2021. The Court issued a summary disposition, vacating the Ninth Circuit’s previous judgment, and remanding the case for additional consideration in light of the Court’s ruling in Van Buren.

As we explained here and here, the Supreme Court held in Van Buren that an individual who has legitimate access to a computer network but accesses it for an improper or unauthorized purpose does not violate the CFAA. Prior to Van Buren, several Circuits held that terms of service violations could implicate the CFAA. In rejecting this broad interpretation of the CFAA, the Court in Van Buren noted that such an interpretation “would attach criminal penalties to a breathtaking amount of commonplace computer activity.” We predicted that the Van Buren Court’s holding would make it challenging to assert claims under the CFAA for terms of service violations, including for misuse of data or information contained on a company’s website that likely would have been deemed to have “exceed[ed] authorized access” under prior precedent.

The Ninth Circuit’s recent opinion confirmed our predictions. The prevailing issue that the Ninth Circuit addressed was whether hiQ’s continued scraping and use of LinkedIn member data following receipt of LinkedIn’s cease-and-desist letter constituted “without authorization” under the CFAA. In other words, the court considered whether “without authorization” encompasses situations in which prior authorization is not generally required, but a person—or bot—is refused access. Unsurprisingly, the Ninth Circuit held that the Supreme Court’s decision in Van Buren reinforced its prior holding, relying on the Court’s “gates-up-or-down” inquiry (i.e., if authorization is required and has been given, the gates are up; if authorization is required and has not been given, the gates are down). According to the Ninth Circuit, where information is on a publicly available website, “that computer has erected no gates to lift or lower in the first place.” Based on its reasoning, the court in hiQ v. LinkedIn articulated the following rule for CFAA liability:

[T]he CFAA’s prohibition on accessing a computer “without authorization” is violated when a person circumvents a computer’s generally applicable rules regarding access permissions, such as username and password requirements, to gain access to a computer. It is likely that when a computer network generally permits public access to its data, a user’s accessing that publicly available data will not constitute access without authorization under the CFAA.

In other words, only information that requires some prior authorization is encompassed under the CFAA. Publicly available information is generally not.

What does this mean for the future of data scraping litigation? Companies that maintain publicly available information on their websites cannot rely on the CFAA to prohibit others from scraping that data, even if the companies subsequently revoke access to the information, or if data scraping is a violation of the websites’ terms of use. Companies must require prior authorization, such as a username and password, to access the data in the first instance in order for scraping of that data to be actionable under the CFAA.

That is not to say that companies that maintain publicly available information are without any remedy. As the Ninth Circuit emphasized, victims of data scraping may potentially assert a state common law claim for trespass to chattels. Moreover, a breach of contract claim may also be viable, depending on whether the website’s terms may be deemed a browsewrap or clickwrap agreement and the relevant jurisdiction.

© Copyright 2022 Squire Patton Boggs (US) LLP
National Law Review, Volume XII, Number 109

About this Author

Shing Tse Litigation Attorney Squire Patton Boggs Law Firm
Associate

Shing Tse is an associate in our Litigation Practice, based in the Houston office. Shing has experience representing clients in a variety of complex litigation matters in state and federal courts.

713 546 3336

Kristin L. Bryan Litigation Attorney Squire Patton Boggs Cleveland, OH & New York, NY
Senior Associate

Kristin Bryan is a litigator experienced in the efficient resolution of contract, commercial and complex business disputes, including multidistrict litigation and putative class actions, in courts nationwide.

She has successfully represented Fortune 15 clients in high-stakes cases involving a wide range of subject matters.

As a natural extension of her experience litigating data privacy disputes, Kristin is also experienced in providing business-oriented privacy advice to a wide range of clients, with a particular focus on companies handling customers’ personal data. In this...

216-479-8070