Ninth Circuit Again Holds Data Scraping From Public Websites Not Barred by CFAA

In 2017, the federal district court for the Northern District of California enjoined LinkedIn from blocking workplace analytics company hiQ from its site, finding that data scraping from public-facing websites did not violate the Computer Fraud and Abuse Act (“CFAA”).

LinkedIn appealed and in 2020 the Ninth Circuit affirmed:

[The CFAA’s] prohibition on accessing a computer “without authorization” is violated when a person circumvents a computer’s generally applicable rules regarding access permissions, such as username and password requirements, to gain access to a computer. It is likely that when a computer network generally permits public access to its data, a user’s accessing  that publicly available data will not constitute access without authorization under the CFAA.

9th Circuit Affirms hiQ Data Scraping Ruling, In Victory Over LinkedIn

LinkedIn appealed to the Supreme Court who remanded the decision back to the Ninth Circuit after its decision in Van Buren v. United States, 141 S. Ct. 1648 (2021). In that case, the court held that the CFAA

covers those who obtain information from particular areas in the computer—such as files, folders, or databases—to which their computer access does not extend. It does not cover those who, like Van Buren, have improper motives for obtaining information that is otherwise available to them.

Van Buren v. United States, 141 S. Ct. 1648, 1652 (2021).

On remand, the Ninth Circuit upheld hiQ’s injunction.

For all these reasons, it appears that the CFAA’s prohibition on accessing a computer “without authorization” is violated when a person circumvents a computer’s generally applicable rules regarding access permissions, such as username and password requirements, to gain access to a computer. It is likely that when a computer network generally permits public access to its data, a user’s accessing that publicly available data will not constitute access without authorization under the CFAA. The data hiQ seeks to access is not owned by LinkedIn and has not been demarcated by LinkedIn as private using such an authorization system. HiQ has therefore raised serious questions about whether LinkedIn may invoke the CFAA to preempt hiQ’s possibly meritorious tortious interference claim.

HiQ Labs v. LinkedIn at 40.

The Ninth Circuit distinguished this case from cases such as Facebook, Inc. v. Power Ventures, Inc., 844 F. Supp. 2d 1025, 1028 (N.D. Cal. 2012), since in Facebook the information required a user name and password to retrieve and was not publicly accessible like LinkedIn.

The Ninth Circuit also found protecting that hiQ was in the public interest since:

We agree with the district court that giving companies like LinkedIn free rein
to decide, on any basis, who can collect and use data—data that the companies do not own, that they otherwise make publicly available to viewers, and that the companies themselves collect and use—risks the possible creation of information monopolies that would disserve the public interest.

HiQ Labs v. LinkedIn at 43.

The Ninth Circuit stressed, however, that hiQ was not immune and could still be held liable for trespass to chattels, copyright infringement, misappropriation, unjust enrichment, conversion, breach of contract, and breach of privacy. None of those causes of action, however, have attorneys’ fees provisions like the CFAA.

2 thoughts on “Ninth Circuit Again Holds Data Scraping From Public Websites Not Barred by CFAA

  1. Pingback: American Airlines Data Scraping Case Survives Motion to Dismiss | Cyber Report

  2. Pingback: American Airlines Data Scraping Case Survives Motion to Dismiss - Data Privacy

Comments are closed.