Alternative Data

Ninth Circuit Says It Again: Scraping of Public Websites Is Generally Not a CFAA Violation

Published: Apr. 20, 2022

Updated: Nov. 07, 2023

On remand from the Supreme Court, the Ninth Circuit again affirmed the preliminary injunction precluding LinkedIn from blocking access to public profiles on the professional networking platform (hiQ Labs, Inc. v. LinkedIn Corporation). This latest decision essentially makes clear that the Ninth Circuit will not apply the Computer Fraud and Abuse Act’s “without authorization” provision to publicly accessible websites.

hiQ is a data analytics company that scrapes information from public profiles of LinkedIn users to develop and sell analytics to business clients. After receiving a letter from LinkedIn demanding that it cease and desist from scraping the website, hiQ sued LinkedIn and moved for a preliminary injunction. The district court granted the injunction, ordering LinkedIn to stop blocking hiQ’s access to public portions of the site, and the Ninth Circuit affirmed.  LinkedIn then sought review from the Supreme Court which, somewhat surprisingly, it granted but just to vacate the Ninth Circuit’s judgment and remand the case for further consideration in light of the Court’s 2021 decision in Van Buren v. United States, the first Supreme Court case to address the applicability of the CFAA. For more details on those decisions see SCOTUS Rules CFAA Does Not Contain Purpose-Based Restrictions.

On remand, the Ninth Circuit reiterated its prior conclusion that the CFAA’s prohibition on accessing a computer “without authorization” does not extend to continued access to a public website even after receipt of a cease-and-desist letter without more.  Examining the statute’s plain language and legislative history, the court all but held access “without authorization” necessitates a baseline of restricted access. That is, the CFAA does not apply unless the computer owner has made access contingent on some permission or authentication requirement, like a password login. Given that the law originated as an anti-hacking statute, to apply the CFAA, the Ninth Circuit requires that culpable conduct to be akin to breaking and entering in circumstances where the offender gained access to private information.

Van Buren reinforces this conclusion, the Ninth Circuit observed, by comparing the “without authorization” inquiry to asking whether a gate is up or down, thereby presupposing that there first be the equivalent of a gate that restricts access in CFAA offenses.  Without any “gates” or technical limitations barring access, public websites like LinkedIn’s public profiles are outside the CFAA’s scope. Finally, the Ninth Circuit expressed an inclination to interpret the CFAA narrowly and emphasized that the statute does not in its view extend to misappropriation in general, such as through alleged violations of computer use policies or contracts.

The court left open other claims that LinkedIn could bring against hiQ, such as trespass to chattels, copyright infringement, misappropriation, unjust enrichment, conversion, breach of contract, and breach of privacy as alternative theories of liability. But as for the CFAA, courts in the Ninth Circuit are not going to bat for companies who don’t want to be scraped, but aren’t willing to limit their access to a subset of the general public.