Web scraping, website terms and the CFAA: hiQ’s preliminary injunction affirmed again under Van Buren
3 min read
As we have previously discussed, claims under the Computer Fraud and Abuse Act (CFAA) are often asserted as a means of protecting online data from unwanted data scraping activity. The scope and application of the CFAA, however, have been subject to significant, and sometimes conflicting, judicial consideration. This update focuses on a Ninth Circuit decision that was delivered on Monday, April 18, 2022.
On remand from the Supreme Court of the United States, the Ninth Circuit again affirmed the district court’s preliminary injunction enjoining LinkedIn Corp. (LinkedIn) from preventing hiQ Labs, Inc. from accessing publicly available data on LinkedIn’s website.1 The Supreme Court had remanded the case to the Ninth Circuit for reconsideration in light of the Supreme Court’s interpretation of the CFAA, § 1030(a)(2) in Van Buren v. United States, 141 S. Ct. 1648 (2021).2 The Ninth Circuit determined that Van Buren supported its previous holding and "[i]t is likely that when a computer network generally permits public access to its data, a user's accessing that publicly available data will not constitute access without authorization under the CFAA."3 The decision closely tracks the Ninth Circuit’s previous opinion in the case (discussed here).
The relevant provisions of the CFAA state that "[w]hoever . . . intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer . . . shall be punished" by fine or imprisonment and may be the subject of a civil action.4 In Van Buren, the Supreme Court considered a case where a police officer accessed data in violation of applicable departmental policies. The Court held that such access was not "without authorization” and did not "exceed authorized access" for purposes of the CFAA because those phrases refer to barriers to access (notably, barriers that were not established in Van Buren).5 The Court explained that "liability under both clauses stems from a gates-up-or-down inquiry."6
In hiQ Labs, the Ninth Circuit supplemented its previous examination of the language and legislative history of the CFAA with an analysis of Van Buren.7 Applying Van Buren’s "gates-up-or-down" analogy, the Court noted that public websites have "no gates to lift or lower in the first place" because "a defining feature of public websites is that . . . [they] are open to anyone with a web browser" (i.e., they lack systems of authentication). Accordingly, the Court found that the "without authorization" clause does not apply to public websites.8 Further, the Court echoed Van Buren’s concerns that a broader interpretation of the CFAA would transform the statute into a "sweeping Internet-policing mandate."9
Based on this finding, accessing publicly available website data in violation of terms of service or a cease-and-desist notice is unlikely to constitute a violation of the CFAA. However, the Court emphasized that its analysis was limited in scope to the CFAA and did not apply to potential claims against web scrapers under other theories, including trespass to chattels, copyright infringement, misappropriation, unjust enrichment, conversion, breach of contract or breach of privacy claims.10 Considerations that are important to this analysis include (i) the nature of the data; (ii) where it is being collected from; and (iii) how it is being collected.
1 hiQ Labs, Inc. v. LinkedIn Corp., 2022 U.S. App. LEXIS 10349 (9th Cir. 2022).
2 See Van Buren, 141 S. Ct. at 1648 (holding that the CFAA was not violated when a police officer accessed a computer he was authorized to access, but in a manner that violated police department policy).
3 hiQ Labs, 2022 U.S. App. LEXIS 10349, at *44.
4 18 U.S.C. § 1030(a)(2) (emphasis added).
5 See Van Buren, 141 S. Ct. at 1657-58 (defining "access," in the computing context, as "the act of entering a computer ‘system itself’ or a particular ‘part of a computer system’"); see also id. at 1659 n.9 (explaining that the CFAA contemplates authorization as an authentication process – where users input credentials to proceed past a "gate" that grants or denies access).
6 Id. at 1650.
7 See generally hiQ Labs, 2022 U.S. App. Lexis 10349, at *29-45.
8 Id. at *39.
9 Id. at *44 (quoting United States v. Nosal, 676 F.3d 854, 858 (9th Cir. 2012)).
10 Id. at *44-45.
Jordan Hill (White & Case, Law Clerk, New York) contributed to the development of this publication.
White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.
This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.
© 2022 White & Case LLP