In a major David v. Goliath victory, the 9th Circuit Court of Appeal affirmed a lower court ruling enjoining LinkedIn from blocking hiQ from scraping data from its site. The key issue in the dispute was whether hiQ’s scraping of data from LinkedIn users’ public profiles violated the Computer Fraud and Abuse Act (“CFAA”) since it was without authorization (and indeed in spite of LinkedIn’s objections).
The court explained: “Our understanding that the CFAA is premised on a distinction between information presumptively accessible to the general public and information for which authorization is generally required.” This standard is identical to that applied for Stored Communications Act claims.
The court concluded that the CFAA’s
prohibition on accessing a computer “without authorization” is violated when a person circumvents a computer’s generally applicable rules regarding access permissions, such as username and password requirements, to gain access to a computer. It is likely that when a computer network generally permits public access to its data, a user’s accessing that publicly available data will not constitute access without authorization under the CFAA.
Those who utilized data-scraping are not without some exposure, however, as the court noted that
entities that view themselves as victims of data scraping are not without resort, even if the CFAA does not apply: state law trespass to chattels claims may still be available. And other causes of action, such as copyright infringement, misappropriation, unjust enrichment, conversion, breach of contract, or breach of privacy, may also lie.
hiQ Labs, Inc. v. LinkedIn Corp., No. 17-16783 (9th Cir. Sept. 9, 2019)