There was a sense among many that websites whose data was being scraped may have lost a claim against data scrapers last year—specifically, violation of the Computer Fraud and Abuse Act (CFAA)—when the Northern District of California, and then the United States Court of Appeals for the Ninth Circuit, sided with data scraper, hiQ, in a case brought by LinkedIn in 2017. However, now that is not so clear, as the Supreme Court has indicated an interest in possibly hearing the case. [Notably, there are numerous other causes of action available to websites whose data is being scraped other than the CFAA, such as breach of contract, copyright infringement, common law misappropriation, unfair competition, trespass and conversion, DMCA anti-circumvention provisions, violation of FTC, Section 5, and violation of state UDAP laws. Indeed, the availability of other claims – beyond CFAA – was expressly acknowledged by the Ninth Circuit Court of Appeals in its decision, hiQ Labs, Inc. v. LinkedIn Corp., 938 F.3d 985 (9th Cir 2019).]
In the case at issue, hiQ sought a preliminary injunction against LinkedIn, preventing LinkedIn from blocking hiQ’s bots which gather data from LinkedIn’s publicly available information (and then analyze the information, determine which employees are at risk of being poached, and sell the findings to employers). The district court granted hiQ’s motion and the Ninth Circuit affirmed on grounds that, inter alia, hiQ’s business could suffer irreparable harm if precluded from accessing LinkedIn’s information, and LinkedIn was unlikely to prevail on its CFAA claim because LinkedIn’s website is publicly accessible, i.e., no password is required, and thus, there was no “authorization” that was required or could be revoked. The CFAA expressly requires access without authorization. See 18 U.S. Code § 1030(a) (providing for access without authorization, or the exceeding of authorized access).
In March, LinkedIn filed a petition for certiorari in the Supreme Court, arguing, inter alia: “The decision below has extraordinary and adverse consequences for the privacy interests of the hundreds of millions of users of websites that make at least some user data publicly accessible.” “The decision below casts aside the interests of LinkedIn members in controlling who has access to their data, the privacy of that data, and the desire to protect personal information from abuse by third parties, and it has done so in the service of hiQ’s narrow business interests.” “The decision below wrongly requires websites to choose between allowing free riders to abuse their users’ data and slamming the door on the benefits to their users of the Internet’s public forum.”
hiQ did not respond.
However, now the Supreme Court has expressly requested hiQ to respond, and has given it until May 26 to do so. This has been seen by many as a signal of the Supreme Court’s potential interest in hearing the case.
A Supreme Court decision in this area could be extremely helpful because, despite many seeing the Ninth Circuit’s decision as a possible “death” of the CFAA, other circuits, such as the First Circuit, have held that publicly available websites can rely on the CFAA to go after data scrapers, particularly where the website expressly bans data scraping. See EF Cultural Travel BV v. Zefer Corp., 318 F.3d 58, 63 (1st Cir. 2003) (“If EF wants to ban scrapers, let it say so on the webpage or a link clearly marked as containing restrictions.”). Thus, public website providers and the people who use them – as well as those who wish to scrape those sites – would benefit from the Supreme Court weighing in.