Insights
Publications

What Recent Rulings in 'hiQ v. LinkedIn' and Other Cases Say About the Legality of Data Scraping

December 22, 2022 Articles
The Recorder

LinkedIn obtained a permanent injunction on Dec. 6 in its six-year-old lawsuit against data scraping company hiQ Labs, which LinkedIn quickly cheered as a “final, decisive victory” that established an “important legal precedent.” While the stipulated injunction does prevent hiQ Labs from scraping LinkedIn’s data, the outcome of the lawsuit notably does not affect previous rulings by the U.S. Court of Appeals for the Ninth Circuit in the case against LinkedIn and in favor of companies that wish to scrape (i.e., automatically collect) publicly available data.

In particular, neither the outcome in this case nor a similar recent victory by Meta Platforms against scraper BrandTotal impacts the principle that platforms may not wield the federal Computer Fraud and Abuse Act (CFAA, 18 U.S.C. §1030) to prohibit scraping publicly available data from their platforms.

The hiQ Labs case began when LinkedIn sent a cease and desist letter threatening hiQ with CFAA violations if it continued collecting publicly available data from the LinkedIn platform. In general terms, the CFAA is an anti-hacking statute that prohibits accessing protected computer systems “without authorization” or in excess of “authorized access.” 18 U.S.C. §1030(a)(2). For many years before this particular cease and desist, LinkedIn and other platform companies relied on the CFAA to crack down on collecting even the public-facing data on their websites.

After receiving the cease and desist, hiQ Labs sued and obtained a preliminary injunction that the Ninth Circuit later upheld. This important 2019 ruling (which the Ninth Circuit reaffirmed in April 2022 following a remand from the U.S. Supreme Court) narrowed the scope of the CFAA by finding that the law did not apply to the automatic collection of publicly accessible data. In other words, platforms such as LinkedIn and Meta could not designate portions of their public platforms as “off limits” to only certain individuals or companies.

Among other things, the Ninth Circuit found that interpreting the CFAA so broadly would allow “companies like LinkedIn free rein to decide, on any basis, who can collect and use” publicly available data, which would risk “possible creation of information monopolies that would disserve the public interest.”

Other high-profile cases decided since the Ninth Circuit’s ruling further narrowed the CFAA in other ways. For example, in Van Buren v. U.S., the Supreme Court refused to apply the “exceeds authorized access” prong of the CFAA to a police officer who accepted a bribe to access a state license plate registry for improper purposes in violation of police department policy.

Reading the CFAA so broadly would criminalize “every violation of a computer-use policy” with the likely consequences that “millions of otherwise law-abiding citizens are criminals.” Id. at 1661; see also Sandvig v. Barr, (“Criminalizing terms-of-service violations risks turning each website into its own criminal jurisdiction and each webmaster into his own legislature.”)

Nothing in the recent hiQ Labs v. LinkedIn permanent injunction or the summary judgment ruling that preceded it affects these principles. The trend initiated by the Ninth Circuit’s hiQ ruling in favor of open access to public data remains intact. Instead, the recent proceedings in the hiQ Labs case focused primarily on contract-based theories rather than the CFAA. LinkedIn did not even seek summary judgment on any affirmative CFAA claim—it instead obtained summary judgment on its contract and unfair competition claims.

The court granted summary judgment only as to one aspect of hiQ’s data collection activity: hiring contractors to create fake LinkedIn accounts for the explicit purpose of collecting logged-in data (referred to by the court as the “turkers” conduct). In another important summary judgment ruling in the scraping space, Meta Platforms. v. BrandTotal Ltd., the court also refused to grant summary judgment to Meta Platforms on the CFAA as to two categories of data collection.

Like the recent hiQ Labs ruling, the court’s detailed summary judgment opinion focused largely on contract-based theories for prohibiting scraping. The court then held that scraping publicly available data did not violate the CFAA (citing hiQ Labs), nor did an “unauthorized person hiring an authorized agent to extract information from a computer system.” Meta Platforms v. BrandTotal Ltd., Case No. 20-cv-07182-JCS, Dkt. No. 344 at p. 57 (N.D. Cal. June 6, 2022).

These rulings suggest that courts are much more comfortable restricting scraping activity where the parties have agreed by contract (whether directly or through agents) not to scrape. But courts remain wary of applying the CFAA and the potential criminal consequences it carries to scraping. The apparent exception is when a company engages in a pattern of intentionally creating fake accounts to collect logged-in data.

What does all this mean for scraping? The case law is still unsettled, but some rules of thumb are starting to emerge. First, collecting only public data where the scraper has not agreed by contract to refrain from doing so is very unlikely to be a CFAA violation.

Second, intentionally creating fake accounts to collect logged-in data exposes scrapers to contract-based liability and potentially CFAA liability, too (though the Sandvig case arguably says the CFAA does not prohibit this conduct). Platforms have recently begun attacking this conduct by alleging anti-circumvention claims under the Digital Millennium Copyright Act as well.

Third, there’s a broad range of activities in a legal gray area in the middle, such as collecting data for a user with the user’s access credentials and explicit permission. We’ll have to wait for future cases to determine the CFAA’s potential application to that activity.

Reprinted with permission from the 12/22/22 issue of The Recorder. © 2022 ALM Media Properties, LLC. Further duplication without permission is prohibited.  All rights reserved.

Firm Highlights

Publication

Under FTC’s New Proposed Rule, Employers Will No Longer Be Able to Rely on Noncompete Agreements

The Federal Trade Commission (FTC) has proposed a rule that would prohibit the use of noncompete agreements in employment contracts. Noncompete agreements prevent employees and independent contractors from pursuing certain forms of employment &ndash...

Read More
Publication

hiQ’s Groundbreaking Injunction Against LinkedIn Reaffirmed: Scraping of Publicly Available Data Likely Does Not Violate CFAA

The U.S. Court of Appeals for the Ninth Circuit has affirmed its prior decision , holding that LinkedIn could not block hiQ, a scraping entity, from scraping public LinkedIn profiles. The court found it was...

Read More
Publication

Platform Ecosystems: Computer Fraud and Abuse Act and Other Scraping Law Developments (Webinar)

Erik Olson and Stephanie Skaff discuss "Platform Ecosystems: Computer Fraud and Abuse Act and Other Scraping Law Developments." Web scraping has existed as long as the World Wide Web has, and as data has...

Read More
Publication

New Laws and Compliance Updates for California Employers in 2023

California has passed several new or amended employment laws covering topics ranging from off-duty marijuana use, reproductive rights, California Family Rights Act, COVID-19, criminal law and the workplace, new avenues of enforcement against employers...

Read More
News

Farella Braun + Martel Announces 2023 New Partner Class

Read More
News

Jaya Bajaj Named to Lawyers of Color Hot List 2022

Read More
Publication

How Companies Can Stop Trade Secret Disclosure in California

When an executive, founder, or employee with access to trade secrets or confidential information leaves a company to work elsewhere, employer trade secrets might be used by a competitor. Under two laws, California’s Uniform...

Read More
Publication

California Extends Presumption of COVID-19 as Workers’ Compensation Injury and Modifies Notice Requirements for Potential Exposure

In addition to AB 152 extending COVID-19 leave through December 31, 2022 , Governor Gavin Newsom has also signed into law two other COVID-related bills—AB 1751 and AB 2693—affecting employers’ policies regarding employees who...

Read More
Publication

Platform Ecosystems – The Landscape of US and EU Legislation (Webinar)

Stephanie Skaff and Nate Garhart discuss "Platform Ecosystems – The Landscape of US and EU Legislation." Several new bills targeting online platform companies are making their way through state and federal legislative bodies in the...

Read More
News

Tim Horgan-Kobelski Named a Rising Star in IP by Managing IP

Headshot of Tim Horgan-Kobelski
Read More