Recently, the Ninth Circuit reinstated a $460,000 jury verdict against print-on-demand site Zazzle, Inc. (“Zazzle”) for willful copyright infringement, putting a final stamp (perhaps) on a long-running dispute that explored important DMCA safe harbor issues for online print-on-demand services. (Greg Young Publishing, Inc. v. Zazzle, Inc., No. 18-55522 (9th Cir. Nov. 20, 2019) (unpublished). The appeals court found that Zazzle’s anti-infringement oversight mechanisms were insufficient during the period of infringement when a number of the plaintiff’s Greg Young Publishing, Inc.’s (“GYPI”) visual art works were uploaded by users onto Zazzle’s site without authorization. Continue Reading
With the online shopping season in full swing, the FTC decided that online retailers might benefit from a reminder as to the dos and don’ts for social media influencers. Thus, the FTC released a new guide, “Disclosures 101 for Social Media Influencers,” that reiterates its position about the responsibility of “influencers” to disclose “material” connections with brands when endorsing products in online posts. Beyond this new guide, which is written in an easy-to-read brochure format (with headings such a “How to Disclose” and “When to Disclose”), the FTC released related videos to convey the message that influencers should “stay on the right side of the law” and disclose when appropriate the relationship with a brand he or she is endorsing. This latest reminder to influencers comes on the heels of the FTC sending 90 letters to influencers in April 2017 notifying them of their responsibilities under the FTC”s Endorsement Guides, and the prior publishing of an Endorsement Guides FAQ. With the release of fresh guidance, now is a good time for brands with relationships with influencers to ensure endorsements are not deceptive and remain on the right side of the law. Indeed, advertisers should have reasonable programs in place to train and monitor members of their influencer network and influencers themselves should remain aware of requirements under the Endorsement Guides. Continue Reading
For the film and media distribution industries, this year has been action-packed. Production budgets are skyrocketing and new digital services have been announced or are launching with each passing month. The streaming wars are upon us. Moreover, the FCC recently voted to treat streaming services as “effective competition” to traditional cable providers (or MVPDs), thereby triggering basic cable rate de-regulation in parts of Hawaii and Massachusetts.
The distribution landscape took yet another unexpected legal twist this week. On November 18, Assistant Attorney General Makan Delrahim announced that the Antitrust Division of the Department of Justice would ask a federal court to terminate the “Paramount Consent Decrees” (the “Decrees”), which have prohibited movie studios from engaging in certain distribution practices with movie theaters since the 1940s. The DOJ filed a motion to terminate the Decrees in federal court in the Southern District of New York on November 22, 2019. Notably, the DOJ cites streaming services and new technology as a few of the many reasons that the Decrees may no longer be necessary in what the DOJ official sees as today’s highly competitive, consumer-driven content market. Given the volatility of the content licensing space, film licensors and licensees will have to carefully consider how the DOJ’s actions will affect their content rights and options going forward. Continue Reading
Last month, LinkedIn Corp. (“LinkedIn”) filed a petition for rehearing en banc of the Ninth Circuit’s blockbuster decision in hiQ Labs, Inc. v. LinkedIn Corp., No. 17-16783 (9th Cir. Sept. 9, 2019). The crucial question before the original panel concerned the scope of Computer Fraud and Abuse Act (CFAA) liability to unwanted web scraping of publicly available social media profile data and whether once hiQ Labs, Inc. (“hiQ”), a data analytics firm, received LinkedIn’s cease-and-desist letter demanding it stop scraping public profiles, any further scraping of such data was “without authorization” within the meaning of the CFAA. The appeals court affirmed the lower court’s order granting a preliminary injunction barring LinkedIn from blocking hiQ from accessing and scraping publicly available LinkedIn member profiles to create competing business analytic products.
On November 8, 2019, the Ninth Circuit denied Linkedin’s petition for rehearing en banc.
Thus, for now, the Ninth Circuit’s decision interpreting the scope of CFAA liability in the context of scraping public websites will stand (barring Supreme Court review). This development is certainly favorable to entities engaged in such data scraping. However, as we’ve stated in a prior post on the appeals court opinion, while the Ninth Circuit’s decision suggests that the CFAA is not an available remedy to protect against unwanted scraping of public website data that is “presumptively open to all,” entities engaged in scraping should remain careful. Moreover, this dispute is not over (as the litigation is only in the preliminary stages), and the case has been remanded to the lower court for further proceedings. We will watch carefully how LinkedIn proceeds from here, and whether it presses its remaining state law claims (e.g., breach of contract, trespass) or else reaches a settlement with hiQ.
The Georgia Supreme Court ruled that the retrieval of electronic automobile data from an electronic data recording device (e.g., airbag control modules) without a warrant at the scene of a fatal collision was a search and seizure that implicates the Fourth Amendment, regardless of any reasonable expectations of privacy. (Mobley v. State, No. S18G1546 (Ga. Oct. 21, 2019)). The Court went on to hold that such retrieval of data was an unreasonable search and seizure forbidden by the Fourth Amendment, and that because the State failed to identify any recognized exception to the warrant requirement applicable to the facts, the trial court should have granted the motion to suppress. As such, the judgment of the Court of Appeals affirming the conviction of the defendant for vehicular homicide was reversed.
As described in an earlier post, the defendant was convicted of vehicular homicide based on evidence retrieved from his vehicle’s electronic data that showed that he was travelling at a high rate of speed prior to the accident. The defendant appealed the decision of the trial court (which was affirmed by the appellate court) that denied his motion to suppress evidence of the data that law enforcement officers retrieved without a warrant from an electronic data recording device on his vehicle (note: a search warrant was obtained for the physical device the next day).
Putting aside the state criminal procedural issues and the sufficiency of the evidence against the particular defendant in this case, the decision is an important follow-up to the Supreme Court’s guidance in the area of digital privacy that it set out in recent years in the Riley and Carpenter decisions. With cars becoming more like computers and sensors on four wheels, automated automobile data may potentially be viewed as sensitive as certain types of private data collected by mobile devices. With the advent of autonomous cars, the Mobley court recognized how one’s private sphere can extend beyond the home and, depending on the factual circumstances and the nature of the search, may include automated data collected by one’s devices (both small, like a mobile phone, and large, as an automobile). With new technologies like digital personal assistants and the coming of 5G and the supposed Internet of Things (IoT) revolution of connectedness, we imagine these issues will coming up more and more in the coming years.
On October 11, 2019, LinkedIn Corp. (“LinkedIn”) filed a petition for rehearing en banc of the Ninth Circuit’s blockbuster decision in hiQ Labs, Inc. v. LinkedIn Corp., No. 17-16783 (9th Cir. Sept. 9, 2019). The crucial question before the original panel concerned the scope of Computer Fraud and Abuse Act (CFAA) liability to unwanted web scraping of publicly available social media profile data and whether once hiQ Labs, Inc. (“hiQ”), a data analytics firm, received LinkedIn’s cease-and-desist letter demanding it stop scraping public profiles, any further scraping of such data was “without authorization” within the meaning of the CFAA. The appeals court affirmed the lower court’s order granting a preliminary injunction barring LinkedIn from blocking hiQ from accessing and scraping publicly available LinkedIn member profiles to create competing business analytic products. Most notably, the Ninth Circuit held that hiQ had shown a likelihood of success on the merits in its claim that when a computer network generally permits public access to its data, a user’s accessing that publicly available data will not constitute access “without authorization” under the CFAA.
In its petition for en banc rehearing, LinkedIn advanced several arguments, including:
- The hiQ decision conflicts with the Ninth Circuit Power Ventures precedent, where the appeals court held that a commercial entity that accesses a website after permission has been explicitly revoked can, under certain circumstances, be civilly liable under the CFAA. Power Ventures involved Facebook user data protected by password (that users initially allowed a data aggregator permission to access). LinkedIn argued that the hiQ court’s logic in distinguishing Power Ventures was flawed and that the manner in which a user classifies his or her profile data should have no bearing on a website owner’s right to protect its physical servers from trespass.
“Power Ventures thus holds that computer owners can deny authorization to access their physical servers within the meaning of the CFAA, even when users have authorized access to data stored on the owner’s servers.”
“The panel sought to distinguish Power Ventures on the basis that while Power ‘was gathering user data that was protected by Facebook’s username and password authentication system, the data hiQ was scraping was available to anyone with a web browser.’ But Power Ventures did not turn on how a data owner decided to make her data available to third parties—by expressly sharing a password (in Power Ventures) or by making it viewable to members of the public (here). Nothing about a data owner’s decision to place her data on a website changes LinkedIn’s independent right to regulate who can access its website servers. To the contrary, Power Ventures acknowledged that ‘permission’ to access websites that are ‘presumptively open to all comers’ could be ‘revoked expressly’ by the website owner.”
- The language of the CFAA should not be read to allow for “authorization” to be assumed (and unable to be revoked) for publicly available website data, either under Ninth Circuit precedent or under the CFAA-related case law of other circuits.
“Nothing in the CFAA’s text or the definition of ‘authorization’ that the panel employed—“[o]fficial permission to do something; sanction or warrant,” suggests that enabling websites to be publicly viewable is not ‘authorization’ that can be revoked.”
- The privacy interests enunciated by LinkedIn on behalf of its users is “of exceptional importance,” and the court discounted the fact that hiQ is “unaccountable” and has no contractual relationship with LinkedIn users, such that hiQ could conceivably share the scraped data or aggregate it with other data.
“Instead of recognizing that LinkedIn members share their information on LinkedIn with the expectation that it will be viewed by a particular audience (human beings) in a particular way (by visiting their pages)—and that it will be subject to LinkedIn’s sophisticated technical measures designed to block automated requests—the panel assumed that LinkedIn members expect that their data will be ‘accessed by others, including for commercial purposes,’ even purposes antithetical to their privacy setting selections. That conclusion is fundamentally wrong.
Both website operators and open internet advocates will be watching closely to see if the full Ninth Circuit decides to rehear the appeal, given the importance of the CFAA issue and the prevalence of data scraping of publicly available website content. We will keep a close watch on developments.
UPDATE: On October 14, 2019, the parties entered into a Joint Stipulation dismissing the case, with prejudice. It appears from some reports that Stackla’s access to Facebook has been reinstated as part of the settlement.
UPDATE: On September 27, 2019, the California district court issued its written order denying Stackla’s request for a TRO. In short, the court found that, at this early stage, Stackla only demonstrated “speculative harm” and its “vague statements” did not sufficiently show that restoration of access to Facebook’s API would cure the alleged impending reality of Stackla losing customers and being driven out of business (“The extraordinary relief of a pre-adjudicatory injunction demands more precision with respect to when irreparable harm will occur than ‘soon.’”). As for weighing whether a TRO would be in the public interest, the court, while understanding Stackla’s predicament, found that issuing a TRO could hamper Facebook’s ability to “decisively police its social-media platforms” and that there was a public interest in allowing a company to police the integrity of its platforms (“Facebook’s enforcement activities would be compromised if judicial review were expected to precede rather than follow its enforcement actions”). [emphasis in original]. This ruling leaves the issue for another day, perhaps during a preliminary injunction hearing, after some additional briefing of the issues.
The ink is barely dry on the landmark Ninth Circuit hiQ Labs decision. Yet, a new dispute has already cropped up testing the bounds of the CFAA and the ability of a platform to enforce terms restricting unauthorized scraping of social media content. (See Stackla, Inc. v. Facebook, Inc., No. 19-5849 (N.D. Cal. filed Sept. 19, 2019)). This dispute involves Facebook and a social media sentiment tracking company, Stackla, Inc., which, as part of its business, accesses Facebook and Instagram content. This past Wednesday, September 25th, the judge in the case denied Stackla, Inc.’s request for emergency relief restoring its access to Facebook’s platform. While the judge has yet to issue a written ruling, the initial pleadings and memoranda filed in the case are noteworthy and bring up important issues surrounding the hot issue of scraping.
In a ruling that is being hailed as a victory for web scrapers and the open nature of publicly available website data, the Ninth Circuit today issued its long-awaited opinion in hiQ Labs, Inc. v. LinkedIn Corp., No. 17-16783 (9th Cir. Sept. 9, 2019). The crucial question before the court was whether once hiQ Labs, Inc. (“hiQ”) received LinkedIn Corp.’s (“LinkedIn”) cease-and-desist letter demanding it stop scraping public LinkedIn profiles, any further scraping of such data was “without authorization” within the meaning of the federal Computer Fraud and Abuse Act (CFAA). The appeals court affirmed the lower court’s order granting a preliminary injunction barring the professional networking platform LinkedIn from blocking hiQ, a data analytics company, from accessing and scraping publicly available LinkedIn member profiles to create competing business analytic products. Most notably, the Ninth Circuit held that hiQ had shown a likelihood of success on the merits in its claim that when a computer network generally permits public access to its data, a user’s accessing that publicly available data will not constitute access “without authorization” under the CFAA.
In light of this ruling, data scrapers, content aggregators and advocates of a more open internet will certainly be emboldened, but we reiterate something we advised back in our 2017 Client Alert about the lower court’s hiQ decision: while the Ninth Circuit’s decision suggests that the CFAA is not an available remedy to protect against unwanted scraping of public website data that is “presumptively open to all,” entities engaged in scraping should remain careful. The road ahead, while perhaps less bumpy than before, still contains rough patches. Indeed, the Ninth Circuit cautioned that its opinion was issued only at the preliminary injunction stage and that the court did not “resolve the companies’ legal dispute definitively, nor do we address all the claims and defenses they have pleaded in the district court.” Continue Reading
In the swirl of scrutiny surrounding the big Silicon Valley tech companies and with some in Congress declaiming that Section 230 of the Communications Decency Act (CDA) should be curtailed, 2019 has quietly been an important year for CDA jurisprudence with a number of opinions enunciating robust immunity under CDA Section 230. In particular, there has been a trio of noteworthy circuit court-level opinions rejecting plaintiffs’ attempt to make an “end run” around the CDA based on the assertion that online service providers lose immunity if they algorithmically recommend or recast content in another form to other users of the site.
- In Herrick, the Second Circuit found that the CDA barred claims that sought to ascribe liability to a mobile dating service for the design of its platform, finding it within the purview of protected “traditional editorial functions.”
- In Marshall’s Lockmsith, the D.C. Circuit affirmed dismissal of claims brought by multiple locksmith companies against the operators of the major search engines for allegedly publishing the content of fraudulent locksmiths’ websites and translating street-address and area-code information on those websites into map pinpoints that were displayed in response to user search requests.
- In the Force case, the Second Circuit found that claims related to supplying a communication forum and failing to completely block or eliminate hateful terrorist content necessarily treated the platform as the publisher of such content and were therefore barred under the CDA.
This week, in a case with an unsettling fact pattern, the Ninth Circuit made it a quartet – ruling that a now-shuttered social networking site was immune from liability under the CDA for connecting a user with a dealer who sold him narcotics that culminated in an overdose. The court found such immunity because the site’s functions, which included content recommendations and notifications to members of discussion groups, were “content-neutral tools” used to facilitate communications. (Dyroff v. The Ultimate Software Group, Inc., No. 18-15175 (9th Cir. Aug. 20, 2019)). Continue Reading
UPDATE: On August 23, 2019, the Third Circuit granted Amazon’s petition for rehearing en banc in the Oberdorf case. As per the order, the opinion dated July 3, 2019 is vacated.
In early July, an appeals court ruled that Amazon should be considered a “seller” of goods under Pennsylvania products liability law and subject to strict liability for consumer injuries caused by the defective goods sold on its site by third-party vendors. (Oberdorf v. Amazon.com, No. 18-1041 (3rd Cir. July 3, 2019)). While the decision involved interpretation of Pennsylvania law – and Amazon has previously prevailed on the “seller” issue in various courts around the country in recent years – the ruling is still noteworthy as it was based upon § 402A Restatement (Second) of Torts (which other states may follow), and the ruling may signal a willingness to reinterpret the definition of “seller” in the modern era of online platforms. The decision also highlights the limits of immunity under Section 230 of the Communications Decency Act (CDA) for online marketplaces when it comes to products liability claims based on a site’s sales activity, as opposed to editorial decisions related to third-party product listings. Continue Reading