On remand from the U.S. Supreme Court, the Ninth Circuit earlier this week again affirmed the lower court’s order preliminarily enjoining LinkedIn Corp. (“LinkedIn”) from blocking data analytics company hiQ Labs, Inc.’s (“hiQ”) access to publicly available LinkedIn member profiles. (hiQ Labs, Inc. v. LinkedIn Corp., No. 17-16783 (9th Cir. Apr. 18, 2022)) (“hiQ II”). In what might be considered an emphatic, pro-scraping decision (even more so than its first, now-vacated 2019 decision), the appeals court found that hiQ “raised at least serious questions” that its scraping of public LinkedIn member profile data, even after having had its access revoked and blocked by LinkedIn, is lawful under the federal Computer Fraud and Abuse Act (CFAA).
The panel concluded that the reasoning of last year’s Supreme Court decision in Van Buren v. U.S., which interpreted the “exceeds authorized access” provision of the CFAA, reinforced the Ninth Circuit’s interpretation that the concept of “without authorization” under the CFAA does not apply to public websites. Thus, while the law relating to screen scraping remains unclear in many respects – particularly as scraping technology and the applied uses of public website data continue to evolve – this important new decision by the Ninth Circuit carries the reasoning forward from Van Buren and limits the applicability of the CFAA as a tool against the scraping of publicly available website data.
Last June, following Van Buren and the Supreme Court’s separate ruling vacating and remanding the Ninth Circuit’s prior decision in the hiQ case, we had a few questions about how the appeals court would interpret the CFAA’s “without authorization” provision on remand in light of the so-called “gates up or down” approach to the CFAA espoused by the Supreme Court in Van Buren. In particular, we were waiting to see whether the appeals court would consider a website owner’s technical measures to selectively block a specific entity’s access to public website data as effectively bringing crashing down the “gates” of authorized access (and, with it, potential CFAA liability). The long wait is over and the Ninth Circuit has answered these questions with its pro-scraping, open web interpretation of the CFAA (with respect to public websites). While some additional legal questions remain unanswered in this case, it appears the CFAA “without authorization” issue has been firmly resolved, at least as far as the Ninth Circuit is concerned.
However, though one issue may has been resolved, others remain. As stated in our 2017 Client Alert about the lower court’s hiQ decision, entities engaged in scraping should still tread carefully. As the Ninth Circuit itself says in hiQ II: “Entities that view themselves as victims of data scraping are not without resort, even if the CFAA does not apply.”
Also, of course, this litigation does not involve the also-controversial practice of scraping mobile applications. Because the methodology involved in that type of scraping is significantly different, it is possible that a court could come to a different conclusion with respect to the CFAA in that circumstance.