In a much-anticipated ruling this week addressing the confluence of website scraping and computer hacking law, the U.S. Court of Appeals for the Ninth Circuit became the latest federal court to limit the reach of the Computer Fraud and Abuse Act (CFAA). In hiQ Labs v. LinkedIn, the Ninth Circuit held, for a second time, that the automated capture of data from the publicly accessible pages of websites (that do not require the creation of an account for access) does not violate the CFAA’s prohibition on accessing a computer “without authorization.” The circuit court’s decision closely tracks the U.S. Supreme Court’s landmark ruling in Van Buren v. United States (2021), which narrowly interpreted the correlated “exceeds authorized access” provision of the CFAA.
HiQ, like Van Buren before it, reads the CFAA to create a bright-line “gates-up-or-down inquiry.” Liability turns on whether there was an intrusion into a protected system, not whether data access amounted to a technical violation of the data holder’s terms of service. The decision creates breathing room for companies that mine public data for commercial use, just as state and federal regulators are ramping up data privacy protections.
HiQ is a data analytics company that uses automated bots to extract or “scrape” employment data from public websites for use in its commercial “talent management” AI products. HiQ scraped LinkedIn users’ career profiles from pages that are viewable to all visitors to LinkedIn’s website, but did not scrape profiles visible only after one logs into a LinkedIn account. In May 2017, LinkedIn sent hiQ a cease-and-desist letter asserting that hiQ violated state law, the CFAA and the LinkedIn User Agreement by harvesting its users’ data, and further demanded that hiQ stop accessing and copying LinkedIn data. LinkedIn also implemented technical guards to restrict hiQ from further acquiring data from its website.
In response, hiQ sued LinkedIn in the Northern District of California, seeking injunctive relief to prevent LinkedIn from blocking its access to public member profiles and declaratory relief on the state and federal law claims. The district court granted hiQ’s motion, holding that LinkedIn was unlikely to prevail on its CFAA claim, and that it might be in violation of California’s Unfair Competition Law.
In 2019, on appeal, the Ninth Circuit upheld the injunction against LinkedIn, finding that hiQ raised serious questions on the merits of the factual and legal issues. The Supreme Court granted LinkedIn’s petition for writ of certiorari, but then vacated the judgment and remanded for further consideration based on its June 2021 decision in Van Buren. That case involved a police sergeant charged with violating the CFAA’s “exceeds authorized access” prohibition in Section 1030(a)(2) by running license plate searches, in exchange for money, on a database that he was authorized to use. In a 6-3 ruling, the Supreme Court held that the sergeant’s improper use of the license plate database did not “exceed” his authorized access because he did not access areas of his employer’s computer systems, such as files, folders or databases, to which his authorized access did not extend. While Van Buren addressed the meaning of the “exceeds authorized access” clause and not the “without authorization” clause at issue in hiQ, the Supreme Court did observe that the “‘without authorization’ clause ... protects computers themselves by targeting so-called outside hackers—those who ‘acces[s] a computer without any permission at all.’”
On April 18, 2022, in its latest ruling on remand, the Ninth Circuit again upheld the injunctive relief.
HiQ marked the Ninth Circuit’s first opportunity to apply the limiting principles in Van Buren to a common set of facts: Did hiQ access data “without authorization” in violation of the CFAA after it received LinkedIn’s cease-and-desist letter advising hiQ that it breached LinkedIn’s User Agreement? The Ninth Circuit conducted several layers of analysis:
The Ninth Circuit’s decision illuminates what the future may hold for data analytics companies and websites with data accessible to the public, at least within the Ninth Circuit.
The decision comes as a win for data aggregators, archivists, academics, researchers and journalists who use tools to mass collect (or “scrape”) information that is publicly accessible on the internet and not otherwise protected behind a user login.
However, it should not be seen as a green light on all data harvesting activities. Mass copying of copyrightable content, such as photos or other protectable expression, may give rise to copyright infringement liability, and automated data collection practices that overwhelm and bog down servers can raise exposure for common law claims such as trespass to chattels. Additionally, if a scraper agrees to a website operator’s terms of service that prohibit automated scraping, as many do, the scraped site may enforce its contract to stop the scraping.
Thus, while the Ninth Circuit’s decision adds some clarity around risk for violating the CFAA, automated data collection programs should be conducted thoughtfully to navigate the legal minefield of scraping.