2022 provided companies with further clarity and insight regarding legal claims that might be viable to stop data (or web) scraping and those that likely won’t work. Data scraping continues to become an increasingly popular method for obtaining structured data that is intentionally made public on websites (as opposed to data that inadvertently may be made public or made public through hacking or other illegal means). Many companies have employed the use of automatic tools to obtain large amounts of structured data in an efficient manner. On the other hand, many website owners are continuing to seek legal tools to prevent or limit this practice. This has resulted in a fair amount of litigation activity in the United States over recent years, typically involving two primary causes of action for website owners: (1) a violation of the Computer Fraud and Abuse Act, a federal law that prohibits intentionally accessing a computer without authorization or in excess of authorization; and (2) breaches of contract claiming violations of website terms and conditions of use that prohibit data scraping. Looking back on this past year’s developments, CFAA claims based on data scraping no longer appear to be viable. Thus, the legal evolution in this area is now likely to shift to breach of contract claims, which remain available at least in some circumstances but with questions surrounding what type of remedies might aid website owners going forward.
CFAA claims
The question of the applicability of CFAA claims against data scraping has now largely been resolved by the long-running litigation between LinkedIn and hiQ. Historically, many courts had interpreted the CFAA’s “without authorization” and “exceeds authorized access” language broadly to encompass violations of terms and conditions or other contractual restraints put in place by the data owner. However, in LinkedIn’s case against hiQ, the U.S. Court of Appeals for the Ninth Circuit took a narrower approach to interpreting the CFAA, viewing it as an “anti-intrusion statute” rather than a “misappropriation statute.” hiQ Labs, Inc. v. LinkedIn Corp., 938 F.3d 985 (9th Cir. 2019). In 2019, the Ninth Circuit affirmed the District Court’s holding that the CFAA cannot prevent a party from accessing and using publicly available data simply by revoking its permission via a demand letter. In affirming the District Court’s decision, the Ninth Circuit made a key distinction between publicly available information and private information, reasoning that use of public information was unlikely to cause damage or violate any reasonable expectation of privacy held by LinkedIn users. The court also expressly stated that the CFAA should apply only to conduct analogous to breaking and entering rather than to violations of terms of use or other corporate use restrictions.
In March 2020, LinkedIn appealed the Ninth Circuit’s ruling to the Supreme Court. In June 2021, the Court vacated the opinion and remanded the case to the Ninth Circuit for further consideration in light of the Court’s decision in Van Buren v. United States. In Van Buren, the Supreme Court adopted a narrow interpretation of what it means to “exceed unauthorized access” under the CFAA, holding that a person “exceeds authorized access” when they access a computer with authorization but then obtain information located in particular areas of the computer such as files, folders or databases that are off limits to them. Van Buren v. United States, 593 U.S. __ (2021).
On remand in April 2022, the Ninth Circuit upheld hiQ’s ability to scrape publicly available data from the LinkedIn website, holding that scraping such public information likely does not constitute accessing a computer “without authorization” under the CFAA and that a violation exists only if authorization is required and has not been given. On a publicly available website, the Ninth Circuit ruled, there are no rules or access permissions to prevent access and, therefore, accessing that publicly available data cannot violate the CFAA. Accordingly, CFAA claims based on scraping publicly available data no longer appear to be viable.
Breach of contract claims
Although CFAA claims have now been removed as a tool to prevent data scraping, website owners can likely bring and successfully pursue claims for breach of website terms of use that expressly prohibit data scraping. Recent developments in the hiQ case have been a potential silver lining to website owners on this point. Indeed, on Nov. 4, 2022, the U.S. District Court for the Northern District of California ruled on LinkedIn’s motion for summary judgment on its breach of terms claim. While the court ultimately denied the motion due to factual issues surrounding hiQ’s affirmative defenses, it strongly signaled in its opinion that the claim is likely to succeed at trial. Thus, it appears this type of claim remains at least nominally useful to a website owner seeking to prevent data scraping.
However, there are still material questions for LinkedIn (and other website owners) regarding what its remedies will be if it does prevail on a breach of terms claim. Injunctive remedies such as specific performance are generally disfavored in breach of contract claims because it may be difficult to show irreparable harm under typical data scraping fact patterns. Moreover, it may be challenging to show or quantify a significant damages award that would create a disincentive to data scrapers given that most scraped data is not particularly proprietary in nature. Courts may also be hesitant to unintentionally create strong protections for data that does not otherwise fall into already enumerated categories of intellectual property protection under U.S. law. As LinkedIn’s claim proceeds to trial, website owners will need to watch and see what LinkedIn is ultimately able to recover.
Conclusion
In sum, this past year’s developments in the hiQ case effectively barred potential CFAA claims based on scraping publicly available data. While website owners still hope to maintain a claim for breach of contract, a key question remains about what remedies are available to them. Of course, there are other potential claims website owners could theoretically bring against data scrapers, including copyright infringement, misappropriation or conversion, but these claims would appear to require the website owner to have some proprietary interest in the data or not have the data be publicly available. That said, creative website owners may find ways to breathe new life into these or other claims as they continue to battle against data scraping. This space will continue to be one to watch in 2023 and the future.
