Does the CFAA Apply to Website Scraping? The Ninth Circuit Says “Not So Fast”

Companies use a variety of causes of actions to protect their websites from competitors or others wanting to “scrape” data from their site using automated tools. Over the years, legal doctrines such as copyright infringement, misappropriation, unjust enrichment, breach of contract, and trespass to chattels have all been asserted, though many of them have limited applicability or are otherwise imperfect options for site owners. One of the most commonly used tools to protect against scraping has been a federal statute: the Computer Fraud and Abuse Act (CFAA). The CFAA is a cybersecurity law passed in 1986 as an amendment to the Comprehensive Crime Control Act of 1894. Originally drafted to address more traditional computer “hacking,” the CFAA prohibits intentional access to a computer without authorization, or in excess of authorization. Due to both the criminal and civil liability that it imposes, the CFAA has been an effective tool to discourage scraping, with website operators arguing that by simply stating on the site that automated scraping is prohibited, any such activity is unauthorized and gives rise to CFAA liability. An ongoing case between data analytics company hiQ Labs Inc. and LinkedIn questions the extent to which companies may invoke the CFAA as it pertains to scraping of this type of data.

Like many data analytics providers, hiQ has built a business that is largely dependent on publicly available third-party data. Using automated bots, hiQ scrapes LinkedIn user information from public profiles in order to develop analytics that assist companies with recruitment. In May 2017, LinkedIn sent hiQ a cease-and-desist letter, demanding that hiQ stop scraping data from LinkedIn servers, claiming it was against LinkedIn’s User Agreement and in violation of several laws, including the CFAA. In response, hiQ filed suit seeking injunctive relief and a declaratory judgement that LinkedIn could not lawfully invoke the CFAA. The district court granted a preliminary injunction in favor of hiQ, prohibiting LinkedIn from denying hiQ access to publicly available LinkedIn member profiles. LinkedIn appealed the decision, and the Ninth Circuit affirmed the district court’s grant.

While various internet law commentators have held up this ruling as a significant blow against the ability to use the CFAA to enforce against scraping, here are a few things to keep in mind: First, the Ninth Circuit’s ruling simply affirmed the appropriateness of a preliminary injunction in hiQ’s favor while the ultimate issue gets sorted out. The court did not make a final ruling on whether the CFAA was applicable or enforceable in this case. Instead, they ruled that hiQ raised “serious questions” about whether LinkedIn could invoke the CFAA, and on those grounds affirmed the district court’s decision. The court took steps to emphasize that these type of appeals generally provide limited guidance because of the narrow scope of review. It is also important to note that the Ninth Circuit made it clear that even if the CFAA is not applicable, there are other causes of actions that could effectively preclude hiQ from engaging in scraping.

Finally, the CFAA analysis in this decision focused on the phrase “without authorization”—which is a requirement to establish a CFAA violation—and what that means in today’s internet world. An important distinction was made between the information being scraped in this case, which was publicly available, and information that sits behind restricted pages (i.e., logins, or password-protected barriers). Companies that host proprietary information that is only accessible after login need not worry about how this one turns out, as it almost certainly will not change the analysis for their use case.

While the Ninth Circuit decision may provide limited guidance at this time, it bears watching because it does give some clues as to how the court may rule on the applicability of the CFAA. If, in fact, publicly accessible information is deemed to be out of the scope of CFAA protection, then website operators hoping to keep others from scraping their sites are going to have to look elsewhere for their legal remedy.