Data Scraping: In HiQ V. LinkedIn, The Ninth Circuit Reaffirms Narrow Interpretation Of CFAA

• Published date: 06 May 2022
• Subject Matter: Litigation, Mediation & Arbitration, Privacy, Data Protection, Trials & Appeals & Compensation
• Law Firm: Jenner & Block
• Author: Sara M. Crook, Aaron R. Cooper and Madeleine Findley

On April 18, 2022, the Ninth Circuit reaffirmed its narrow interpretation of the Computer Fraud and Abuse Act's (CFAA) "without authorization" prong in a data scraping dispute between hiQ and LinkedIn. The opinion upheld a preliminary injunction that barred LinkedIn from stopping hiQ from scraping public data from the LinkedIn website and held that scraping such public information likely does not constitute accessing a computer "without authorization" under the CFAA.¹ The opinion is good news for companies employing data scraping practices for publicly available information. More broadly, the decision's narrow interpretation of the CFAA follows the Supreme Court's narrow approach to the statute in its Van Buren decision and clarifies (at least in the Ninth Circuit) several questions that the Supreme Court's ruling in Van Buren left open.²

The CFAA and the Van Buren Decision

The CFAA prohibits, in relevant part, accessing computers "without authorization" or "exceed[ing] authorized access" and thereby obtaining information, and permits civil recovery for victims suffering "damage or loss" as a result of a violation.³ As a prior Jenner & Block alert discussed, in Van Buren v. United States, the Supreme Court resolved a Circuit split over the CFAA's "exceeds authorized access" prong, holding that the CFAA does not apply to an individual who is authorized to access information on a computer, even if they do so for an improper purpose. Instead, the Court held, the CFAA creates a "gates-up-or-down" inquiry: either an individual is authorized to access a computer system or parts of that system, or they are not; a person "exceeds authorized access" by accessing a part of the computer system to which the authorization does not extend.⁴

The Supreme Court's decision suggested-but did not expressly hold-that violating purpose-based limits on access to a computer system, such as the terms of service of a public website, would also not on its own violate the CFAA's "without authorization" prong.⁵ Instead, the Court limited its holding to the scope of "exceeds authorized access."⁶ Enter the hiQ v. LinkedIn dispute.

hiQ v. LinkedIn

Before the Van Buren decision, LinkedIn Corporation (LinkedIn) and data science company hiQ Labs, Inc. (hiQ) were litigating in the Ninth Circuit about whether hiQ's data scraping practices violate the CFAA. Data scraping, for purposes of the litigation, was defined as an information gathering and analysis tactic whereby a robot or individual "extract[s] data from a website and cop[ies] it into a structured format, allowing for data manipulation or analysis."⁷ At issue in this litigation, hiQ scraped information from public profiles on LinkedIn and then sold the resulting "people analytics"-such as whether a person was likely to leave a job-to its clients.⁸ LinkedIn sent a cease-and-desist letter demanding hiQ stop scraping data from its website and implemented technical barriers specifically to "prevent hiQ from accessing, and assisting others to access, LinkedIn's site, through systems that detect, monitor, and block scraping activity."⁹ In the cease-and-desist...