Data Scraping: In HiQ V. LinkedIn, The Ninth Circuit Reaffirms Narrow Interpretation Of CFAA – Data Protection
On April 18, 2022, the Ninth Circuit reaffirmed its narrow
interpretation of the Computer Fraud and Abuse Act’s (CFAA)
“without authorization” prong in a data scraping dispute
between hiQ and LinkedIn. The opinion upheld a preliminary
injunction that barred LinkedIn from stopping hiQ from scraping
public data from the LinkedIn website and held that scraping such
public information likely does not constitute accessing a computer
“without authorization” under the
CFAA.1 The opinion is good news for companies
employing data scraping practices for publicly available
information. More broadly, the decision’s narrow interpretation
of the CFAA follows the Supreme Court’s narrow approach to the
statute in its Van Buren decision and clarifies (at least
in the Ninth Circuit) several questions that the Supreme
Court’s ruling in Van Buren left open.2
The CFAA and the Van Buren Decision
The CFAA prohibits, in relevant part, accessing computers
“without authorization” or “exceed[ing] authorized
access” and thereby obtaining information, and permits civil
recovery for victims suffering “damage or loss” as a
result of a violation.3 As a prior Jenner &
Block alert discussed, in Van Buren v. United States, the
Supreme Court resolved a Circuit split over the CFAA’s
“exceeds authorized access” prong, holding that the CFAA
does not apply to an individual who is authorized to access
information on a computer, even if they do so for an improper
purpose. Instead, the Court held, the CFAA creates a
“gates-up-or-down” inquiry: either an individual is
authorized to access a computer system or parts of that system, or
they are not; a person “exceeds authorized access” by
accessing a part of the computer system to which the authorization
does not extend.4
The Supreme Court’s decision suggested-but did not expressly
hold-that violating purpose-based limits on access to a computer
system, such as the terms of service of a public website, would
also not on its own violate the CFAA’s “without
authorization” prong.5 Instead, the Court
limited its holding to the scope of “exceeds authorized
access.”6 Enter the hiQ v. LinkedIn
dispute.
hiQ v. LinkedIn
Before the Van…