For years, companies seeking to block web scrapers from collecting the information on their website would invoke the Computer Fraud and Abuse Act (CFAA), a U.S. law that criminalizes accessing a computer “without authorization.” But the U.S. Court of Appeals for the Ninth Circuit has now ruled that merely instructing scrapers that they are not welcome on a public website, either through restrictive terms of use or a cease-and-desist letter, is probably not enough to render their access “unauthorized” under the CFAA. This decision is encouraging news for the many hedge funds, academic researchers and other data aggregators that use software bots to compile information online.
The Ninth Circuit’s decision arose from a dispute between LinkedIn and a company called hiQ Labs. hiQ Labs is a data analytics company that scrapes publicly accessible LinkedIn user profiles and analyzes that information for its customers, either by summarizing their workforce’s skill set or identifying those employees most likely to leave.
LinkedIn.com has a user agreement that forbids scraping. In 2017, LinkedIn sent hiQ a cease-and-desist letter demanding that hiQ stop copying data from the site. Claiming the survival of its business was under threat, hiQ filed suit in the District Court for the Northern District of California seeking a declaratory judgment that its conduct was lawful and a temporary restraining order preventing LinkedIn from blocking its access.
Judge Edward Chen sided with hiQ and granted an injunction against LinkedIn. HiQ Labs, Inc. v. LinkedIn Corp., 273 F. Supp. 3d 1099 (N.D. Cal. 2017). His analysis focused on an interpretation of the phrase “without authorization” in the CFAA. According to Judge Chen, when Congress passed the statute in 1984, it was seeking to prevent “hackers” from accessing “private” information stored on computers. He concluded that “application of the CFAA to the accessing of websites open to the public would have sweeping consequences well beyond anything Congress could have contemplated.” Id. at 1110. He also expressed “deep[] concern[]” about allowing website operators to pick and choose who is allowed to visit their public site, suggesting that such an interpretation of the CFAA would, for example, allow companies to prevent competitors from visiting their site to learn about products or pricing. Id.
On September 9, a unanimous panel of the Ninth Circuit affirmed Judge Chen’s interpretation of the CFAA. According to the panel, it is inaccurate to call a scraper’s “access” to a website “unauthorized” simply because the scraper was told by the website operator not to visit: “Where the default is free access without authorization, in ordinary parlance one would characterize selective denial of access as a ban, not as a lack of ‘authorization.’” hiQ Labs, Inc. v. LinkedIn Corp., No. 17-16783, slip op. at 26 (9th Cir. Sept. 9, 2019).
The Ninth Circuit found that the legislative history of the CFAA supported its interpretation of the text. Id. at 26-29. The 1984 House report, for example, noted that the passage of the CFAA would prohibit conduct akin to “breaking and entering,” and the panel took the view that visiting a public site, even when explicitly prohibited by its owner, was not analogous to entering a building to commit a burglary. Id. at 28-29.
This dispute arose on a request for a preliminary injunction, so the court was merely required to decide whether hiQ had raised a “serious question” as to the strength of LinkedIn’s CFAA claim. But the Ninth Circuit’s statutory interpretation, in which it identified each factor as supporting its conclusion, leaves little doubt about its view that the CFAA has no application to public websites. A site operator seeking to protect information with the CFAA will likely need to shield it behind some technical barrier, such as password authentication.
Website operators still have legal tools to deploy against web scrapers, as the Ninth Circuit noted, including claims for trespass to chattels, breach of contract and copyright infringement. These claims may have their own challenges in the web scraping context, however. For example, damages may be difficult to establish on a trespass or breach of contract claim. See, for example, Intel v. Hamidi, 30 Cal. 4th 1342 (Cal. 2003). And the information that scrapers often compile may not be subject to copyright protection. Ticketmaster v. Tickets.com, No. CV997654, 2003 WL 21406289 (C.D. Cal. March 7, 2003).
Another potential alternative to the CFAA may be California’s state-law corollary, the California Comprehensive Computer Data Access and Fraud Act (CDAFA), codified at California Penal Code § 502. Like the CFAA, the CDAFA has long been invoked against web scrapers, and the Ninth Circuit has previously said that it sweeps more broadly than the CFAA in ways that may have yielded a different result under the Ninth Circuit’s analysis in hiQ. See, for example, United States v. Christensen, 828 F.3d 763, 789 (9th Cir. 2016). However, Judge Chen indicated that he would have reached the same conclusion under the CDAFA, and other courts have said that it too requires a visitor to a public website to overcome some technical barrier. See, for example, Enki Corp. v. Freedman, No. 13–cv–2201–PSG, 2014 WL 261798, at *3 (N.D. Cal. Jan. 23, 2014).
Sidley Austin LLP provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship.