In Blockbuster Ruling, Ninth Circuit Affirms hiQ Injunction — CFAA Claim Likely Not Available for Scraping Publicly Available Website Data

In a ruling that is being hailed as a victory for web scrapers and the open nature of publicly available website data, the Ninth Circuit today issued its long-awaited opinion in hiQ Labs, Inc. v. LinkedIn Corp., No. 17-16783 (9^th Cir. Sept. 9, 2019). The crucial question before the court was whether once hiQ Labs, Inc. (“hiQ”) received LinkedIn Corp.’s (“LinkedIn”) cease-and-desist letter demanding it stop scraping public LinkedIn profiles, any further scraping of such data was “without authorization” within the meaning of the federal Computer Fraud and Abuse Act (CFAA). The appeals court affirmed the lower court’s order granting a preliminary injunction barring the professional networking platform LinkedIn from blocking hiQ, a data analytics company, from accessing and scraping publicly available LinkedIn member profiles to create competing business analytic products. Most notably, the Ninth Circuit held that hiQ had shown a likelihood of success on the merits in its claim that when a computer network generally permits public access to its data, a user’s accessing that publicly available data will not constitute access “without authorization” under the CFAA.

In light of this ruling, data scrapers, content aggregators and advocates of a more open internet will certainly be emboldened, but we reiterate something we advised back in our 2017 Client Alert about the lower court’s hiQ decision: while the Ninth Circuit’s decision suggests that the CFAA is not an available remedy to protect against unwanted scraping of public website data that is “presumptively open to all,” entities engaged in scraping should remain careful. The road ahead, while perhaps less bumpy than before, still contains rough patches. Indeed, the Ninth Circuit cautioned that its opinion was issued only at the preliminary injunction stage and that the court did not “resolve the companies’ legal dispute definitively, nor do we address all the claims and defenses they have pleaded in the district court.” Continue Reading

Tags: CFAA liability, PUBLICLY AVAILABLE data, screen scraping, unauthorized access, web scraping

Ninth Circuit Releases Another Important CDA Section 230 Opinion With Broad Application – Automated Content Recommendation and Notification Tools Do Not Make Social Site the Developer of User Posts

By Jeffrey Neuburger on August 28, 2019 Posted in Internet, Online Content, Social Media

In the swirl of scrutiny surrounding the big Silicon Valley tech companies and with some in Congress declaiming that Section 230 of the Communications Decency Act (CDA) should be curtailed, 2019 has quietly been an important year for CDA jurisprudence with a number of opinions enunciating robust immunity under CDA Section 230. In particular, there has been a trio of noteworthy circuit court-level opinions rejecting plaintiffs’ attempt to make an “end run” around the CDA based on the assertion that online service providers lose immunity if they algorithmically recommend or recast content in another form to other users of the site.

In Herrick, the Second Circuit found that the CDA barred claims that sought to ascribe liability to a mobile dating service for the design of its platform, finding it within the purview of protected “traditional editorial functions.”
In Marshall’s Lockmsith, the D.C. Circuit affirmed dismissal of claims brought by multiple locksmith companies against the operators of the major search engines for allegedly publishing the content of fraudulent locksmiths’ websites and translating street-address and area-code information on those websites into map pinpoints that were displayed in response to user search requests.
In the Force case, the Second Circuit found that claims related to supplying a communication forum and failing to completely block or eliminate hateful terrorist content necessarily treated the platform as the publisher of such content and were therefore barred under the CDA.

This week, in a case with an unsettling fact pattern, the Ninth Circuit made it a quartet – ruling that a now-shuttered social networking site was immune from liability under the CDA for connecting a user with a dealer who sold him narcotics that culminated in an overdose. The court found such immunity because the site’s functions, which included content recommendations and notifications to members of discussion groups, were “content-neutral tools” used to facilitate communications. (Dyroff v. The Ultimate Software Group, Inc., No. 18-15175 (9^th Cir. Aug. 20, 2019)). Continue Reading

Tags: automated functions, automated processes, CDA immunity, neutral tools, social media

Recent Rulings Highlight Limits of CDA Immunity in Products Liability Cases against E-Commerce Platforms

By Jeffrey Neuburger on August 15, 2019 Posted in Internet, Online Commerce, Online Content

UPDATE: On August 23, 2019, the Third Circuit granted Amazon’s petition for rehearing en banc in the Oberdorf case. As per the order, the opinion dated July 3, 2019 is vacated.

In early July, an appeals court ruled that Amazon should be considered a “seller” of goods under Pennsylvania products liability law and subject to strict liability for consumer injuries caused by the defective goods sold on its site by third-party vendors. (Oberdorf v. Amazon.com, No. 18-1041 (3^rd Cir. July 3, 2019)). While the decision involved interpretation of Pennsylvania law – and Amazon has previously prevailed on the “seller” issue in various courts around the country in recent years – the ruling is still noteworthy as it was based upon § 402A Restatement (Second) of Torts (which other states may follow), and the ruling may signal a willingness to reinterpret the definition of “seller” in the modern era of online platforms. The decision also highlights the limits of immunity under Section 230 of the Communications Decency Act (CDA) for online marketplaces when it comes to products liability claims based on a site’s sales activity, as opposed to editorial decisions related to third-party product listings. Continue Reading

Personal Email Management Service Settles FTC Charges over Allegedly Deceptive Statements to Consumers over Its Access and Use of Subscribers’ Email Accounts

By Jeffrey Neuburger on August 9, 2019 Posted in E-mail, Online Commerce, Privacy, Regulatory

This week, the FTC entered into a proposed settlement with Unrollme Inc. (“Unrollme”), a free personal email management service that offers to assist consumers in managing the flood of subscription emails in their inboxes. The FTC alleged that Unrollme made certain deceptive statements to consumers, who may have had privacy concerns, to persuade them to grant the company access to their email accounts. (In re Unrolllme Inc., File No 172 3139 (FTC proposed settlement announced Aug. 8, 2019).

This settlement touches many relevant issues, including the delicate nature of online providers’ privacy practices relating to consumer data collection, the importance for consumers to comprehend the extent of data collection when signing up for and consenting to a new online service or app, and the need for downstream recipients of anonymized market data to understand how such data is collected and processed. (See also our prior post covering an enforcement action involving user geolocation data collected from a mobile weather app). Continue Reading

Tags: anonymized user data, consents, email receipts, FTC enforcement

Finding Article III Standing, Ninth Circuit Declines to Do an About-Face in Illinois Biometric Privacy Class Action against Facebook

By Jeffrey Neuburger on August 9, 2019 Posted in Biometrics, Mobile, Privacy, Social Media

In an important opinion, the Ninth Circuit affirmed a lower court’s ruling that plaintiffs in the ongoing Facebook biometric privacy class action have alleged a concrete injury-in-fact to confer Article III standing and that the class was properly certified. (Patel v. Facebook, Inc., No. 18-15982 (9^th Cir. Aug. 8, 2019)). Given the California district court’s prior rulings which denied Facebook’s numerous motions to dismiss on procedural and substantive grounds, and the Illinois Supreme Court’s January 2019 blockbuster ruling in Rosenbach, which held that a person “aggrieved” by a violation of the Illinois Biometric Information Privacy Act (“BIPA”) need not allege some actual injury or harm beyond a procedural violation to have standing to bring an action under the statute, the Ninth Circuit’s decision was not entirely surprising. Still, the ruling is significant as a federal appeals court has ruled on important procedural issues in a BIPA action and found standing. The case will be sent back to the lower court with the prospect of a trial looming, and given BIPA’s statutory damage provisions, Facebook may be looking at a potential staggering damage award or substantial settlement. Continue Reading

Tags: biometric privacy, BIPA, class action, federal standing, photo tagging

Ticketmaster Reaches Settlement with Ticket Broker over Unauthorized Use of Automated Bots

By Jeffrey Neuburger on July 24, 2019 Posted in Copyright, Online Commerce, Screen Scraping

In early July, Ticketmaster reached a favorable settlement in its action against a ticket broker that was alleged to have used automated bots to purchase tickets in bulk, thus ending a dispute that produced notable court decisions examining the potential liabilities for unwanted scraping and website access. (Ticketmaster L.L.C. v. Prestige Entertainment West Inc., No. 17-07232 (C.D. Cal. Final Judgment July 8, 2019)).

In the litigation, Ticketmaster alleged that the defendant-ticket broker, Prestige, used bots and dummy accounts to navigate Ticketmaster’s website and mobile app to purchase large quantities of tickets to popular events to resell for higher prices on the secondary market. Under the terms of the settlement, Prestige is permanently enjoined from using ticket bot software to search for, reserve or purchase tickets on Ticketmaster’s site or app (at rates faster than human users can do using standard web browsers or mobile apps) or circumventing any CAPTCHA or other access control measure on Ticketmaster’s sites that enforce ticket purchasing limits and purchasing order rules. Prestige is also barred from violating Ticketmaster’s terms of use or conspiring with anyone else to violate the terms, or engage in any other prohibited activity. Continue Reading

Tags: copyright infringement, screen scraping, settlement, ticket bots, unauthorized access, web scraping, website code

New York Court Finds Warhol Series to be Fair Use of Prince Photograph

By Oludolapo Akinkugbe on July 22, 2019 Posted in Copyright, Licensing

Earlier this month, in The Andy Warhol Foundation for the Visual Arts, Inc. v. Goldsmith, No. 17-cv-2532 (S.D.N.Y. July 1, 2019), a New York district court granted the Andy Warhol Foundation for the Visual Arts’ (“AWF”) motion for summary judgment that Warhol’s series of screen prints and silkscreen paintings (the “Prince Series”) did not infringe Lynn Goldsmith’s (“Goldsmith”) original 1981 photograph of the musician Prince, ruling that the Warhol works were transformative and qualified as fair use. Continue Reading

Tags: appropriation art, fair use, photography

Web Scraping Decisions Consider Contract Cause of Action

By Jeffrey Neuburger on July 9, 2019 Posted in Contracts, Internet, Screen Scraping

Two recent web scraping disputes highlight some important issues regarding whether a website owner may successfully allege a breach of contract action against a commercial party that has scraped website content contrary to “clickwrap” and “browsewrap” website terms of use.

In Southwest Airlines Co. v. Roundpipe, LLC, No. 18-0033 (N.D. Tex. Mar. 22, 2019), a Texas district court declined to dismiss Southwest Airlines Co.’s (“Southwest”) breach of contract claim against an entity that scraped airfare data from Southwest’s site in violation of the website terms of use. Southwest brought multiple claims against Roundpipe, LLC (“Roundpipe”) after it discovered that Roundpipe had created a website, SWMonkey.com, that, using scraping, sent consumers notifications if their Southwest ticket prices decreased after purchase (which would presumably allow them to exchange the original ticket for a lower-priced ticket).

Southwest’s website terms prohibited scraping or the use of any automated tools to access its fares or other content. Soon after the launch of SWMonkey, Southwest sent a cease and desist letter stating that Roundpipe was obtaining Southwest’s data in violation of the website terms, among other reasons, and demanded that the site be taken down. After negotiations and additional correspondence from Southwest, Roundpipe shut down the website and disabled its scraping and fare tracking functionality. Continue Reading

Tags: breach of contract, browsewrap, commercial party, web scraping, website registration