On October 24, 2022, a Delaware district court held that certain claims under the Computer Fraud and Abuse Act (CFAA) relating to the controversial practice of web scraping were sufficient to survive the defendant’s motion to dismiss. (Ryanair DAC v. Booking Holdings Inc., No. 20-01191 (D. Del. Oct. 24, 2022)). The opinion potentially breathes life into the use of the CFAA to combat unwanted scraping.

In the case, Ryanair DAC (“Ryanair”), a European low-fare airline, brought various claims against Booking Holdings Inc. (and its well-known suite of online travel and hotel booking websites) (collectively, “Defendants”) for allegedly scraping the ticketing portion of the Ryanair site. Ryanair asserted that the ticketing portion of the site is only accessible to logged-in users and therefore the data on the site is not public data.

The decision is important as it offers answers (at least from one district court) to several unsettled legal issues about the scope of CFAA liability related to screen scraping. In particular, the decision addresses:

  • the potential for vicarious liability under the CFAA (which is important as many entities retain third party service providers to perform scraping)
  • how a data scraper’s use of evasive measures (e.g., spoofed email addresses, rotating IP addresses) may be considered under a CFAA claim centered on an “intent to defraud”
  • clarification as to the potential role of technical website-access limitations in analyzing CFAA “unauthorized access” liability

To find answers to these questions, the court’s opinion distills the holdings of two important CFAA rulings from this year – the Supreme Court’s holding in Van Buren that adopted a narrow interpretation of “exceeds unauthorized access” under the CFAA and the Ninth Circuit’s holding in the screen scraping hiQ case where that court found that the concept of “without authorization” under the CFAA does not apply to “public” websites.

A recent dispute between an advertiser AXTS Inc. (“AXTS”) and a video production company GY6vids (“GY6”) produced an interesting issue involving the federal Computer Fraud and Abuse Act (CFAA) – that is, whether an entity that allegedly overloaded another company’s YouTube channel content with a flood of “dislikes” following a contractual dispute is liable under the CFAA for accessing a protected computer “without authorization.”  (AXTS Inc. v. GY6vids LLC, No. 18-00821 (D. Ore. Oct. 24, 2018)).

We have been closely monitoring the evolving state of the law regarding CFAA liability for certain commercial web scraping and related practices.  The instant case between AXTS and GY6 is a little different in that the claim did not arise from AXTS’s alleged access to video content stored on GY6’s network, but publically-accessible videos stored on a third-party’s (e.g., YouTube) servers.