
What Recent Rulings in 'hiQ v. LinkedIn' and Other Cases Say About the Legality of Data Scraping

December 22, 2022 Articles
The Recorder

LinkedIn obtained a permanent injunction on Dec. 6 in its six-year-old lawsuit against data scraping company hiQ Labs, which LinkedIn quickly cheered as a “final, decisive victory” that established an “important legal precedent.” While the stipulated injunction does prevent hiQ Labs from scraping LinkedIn’s data, the outcome of the lawsuit notably does not affect previous rulings by the U.S. Court of Appeals for the Ninth Circuit in the case against LinkedIn and in favor of companies that wish to scrape (i.e., automatically collect) publicly available data.

In particular, neither the outcome in this case nor a similar recent victory by Meta Platforms against scraper BrandTotal impacts the principle that platforms may not wield the federal Computer Fraud and Abuse Act (CFAA, 18 U.S.C. §1030) to prohibit scraping publicly available data from their platforms.

The hiQ Labs case began when LinkedIn sent a cease and desist letter threatening hiQ with CFAA violations if it continued collecting publicly available data from the LinkedIn platform. In general terms, the CFAA is an anti-hacking statute that prohibits accessing protected computer systems “without authorization” or in excess of “authorized access.” 18 U.S.C. §1030(a)(2). For many years before this particular cease and desist, LinkedIn and other platform companies relied on the CFAA to crack down on collecting even the public-facing data on their websites.

After receiving the cease and desist, hiQ Labs sued and obtained a preliminary injunction that the Ninth Circuit later upheld. This important 2019 ruling (which the Ninth Circuit reaffirmed in April 2022 following a remand from the U.S. Supreme Court) narrowed the scope of the CFAA by finding that the law did not apply to the automatic collection of publicly accessible data. In other words, platforms such as LinkedIn and Meta could not designate portions of their public platforms as “off limits” to only certain individuals or companies.

Among other things, the Ninth Circuit found that interpreting the CFAA so broadly would allow “companies like LinkedIn free rein to decide, on any basis, who can collect and use” publicly available data, which would risk “possible creation of information monopolies that would disserve the public interest.”

Other high-profile cases decided since the Ninth Circuit’s ruling further narrowed the CFAA in other ways. For example, in Van Buren v. U.S., the Supreme Court refused to apply the “exceeds authorized access” prong of the CFAA to a police officer who accepted a bribe to access a state license plate registry for improper purposes in violation of police department policy.

Reading the CFAA so broadly would criminalize “every violation of a computer-use policy” with the likely consequences that “millions of otherwise law-abiding citizens are criminals.” Id. at 1661; see also Sandvig v. Barr, (“Criminalizing terms-of-service violations risks turning each website into its own criminal jurisdiction and each webmaster into his own legislature.”)

Nothing in the recent hiQ Labs v. LinkedIn permanent injunction or the summary judgment ruling that preceded it affects these principles. The trend initiated by the Ninth Circuit’s hiQ ruling in favor of open access to public data remains intact. Instead, the recent proceedings in the hiQ Labs case focused primarily on contract-based theories rather than the CFAA. LinkedIn did not even seek summary judgment on any affirmative CFAA claim—it instead obtained summary judgment on its contract and unfair competition claims.

The court granted summary judgment only as to one aspect of hiQ’s data collection activity: hiring contractors to create fake LinkedIn accounts for the explicit purpose of collecting logged-in data (referred to by the court as the “turkers” conduct). In another important summary judgment ruling in the scraping space, Meta Platforms v. BrandTotal Ltd., the court also refused to grant summary judgment to Meta Platforms on the CFAA as to two categories of data collection.

Like the recent hiQ Labs ruling, the court’s detailed summary judgment opinion focused largely on contract-based theories for prohibiting scraping. The court then held that scraping publicly available data did not violate the CFAA (citing hiQ Labs), nor did an “unauthorized person hiring an authorized agent to extract information from a computer system.” Meta Platforms v. BrandTotal Ltd., Case No. 20-cv-07182-JCS, Dkt. No. 344 at p. 57 (N.D. Cal. June 6, 2022).

These rulings suggest that courts are much more comfortable restricting scraping activity where the parties have agreed by contract (whether directly or through agents) not to scrape. But courts remain wary of applying the CFAA and the potential criminal consequences it carries to scraping. The apparent exception is when a company engages in a pattern of intentionally creating fake accounts to collect logged-in data.

What does all this mean for scraping? The case law is still unsettled, but some rules of thumb are starting to emerge. First, collecting only public data where the scraper has not agreed by contract to refrain from doing so is very unlikely to be a CFAA violation.

Second, intentionally creating fake accounts to collect logged-in data exposes scrapers to contract-based liability and potentially CFAA liability, too (though the Sandvig case arguably says the CFAA does not prohibit this conduct). Platforms have recently begun attacking this conduct by alleging anti-circumvention claims under the Digital Millennium Copyright Act as well.

Third, there’s a broad range of activities in a legal gray area in the middle, such as collecting data for a user with the user’s access credentials and explicit permission. We’ll have to wait for future cases to determine the CFAA’s potential application to that activity.

Reprinted with permission from the 12/22/22 issue of The Recorder. © 2022 ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.
