The Ninth Circuit Court of Appeals has, yet again, held that scraping data from public websites is not unlawful.
hiQ Labs, Inc. v. LinkedIn Corp., decided on April 18, affirms the court’s previous decision that plaintiffs may not rely on the Computer Fraud and Abuse Act (“CFAA”) to enjoin third parties from scraping data from their websites. Data scraping refers to the extraction of data from websites, whether public-facing or not. Because that practice is not per se illegal, parties must rely on statutes like the CFAA to protect that data.
That is precisely what LinkedIn did, serving multiple cease and desist letters on hiQ for scraping its members’ data, and restricting hiQ’s access to its website. In response, hiQ filed a complaint against LinkedIn, alleging LinkedIn’s behavior was anticompetitive and violated state and federal laws. Among other things, hiQ alleged that LinkedIn was improperly attempting to exercise monopoly rights over personal data made publicly available by its users, and that hiQ did not violate users’ privacy rights when it scraped that data. In response, LinkedIn argued that hiQ’s claims should be preempted by the CFAA.
The district court granted hiQ’s request for a preliminary injunction, and in September 2019, the Ninth Circuit affirmed the lower court’s ruling. In that decision, the Ninth Circuit found that LinkedIn computers are publicly available and therefore there was no access “without authorization” in violation of the CFAA. LinkedIn filed a petition for writ of certiorari to the Supreme Court, which was granted in June 2021. The Supreme Court issued a summary disposition, vacating the Ninth Circuit’s previous judgment and remanding the case for additional consideration in light of the Court’s ruling in Van Buren v. United States, which held that an individual who has legitimate access to a computer network but accesses it for an improper or unauthorized purpose (in that case, a police officer retrieving information about a license plate in exchange for money) does not violate the CFAA.
The Ninth Circuit held that the decision in Van Buren reinforced its prior holding, referring to the Court’s finding that there is a potential violation only if authorization is required and has not been given. On a publicly available website, the Ninth Circuit found, there are no rules or access permissions to prevent access, and therefore accessing that publicly available data cannot violate the CFAA.
These rulings call into question the future of all data scraping litigation, and companies that maintain publicly available information on their websites must be advised that they likely cannot use the CFAA to prevent third parties from scraping that data, regardless of what is or is not allowed in their terms of use.
It would now appear that the only way to assert CFAA claims to prevent scraping is to require prior authorization or credentials to access the data. In the wake of hiQ and Van Buren, victims of data scraping must rely on state common law claims to protect that data.
This article was first published on the California Lawyers Association website.