Supreme Court Vacates Ninth Circuit’s LinkedIn Data-Scraping Decision, Raising Questions Regarding Access to Information Publicly Available Online
On June 14, 2021, the U.S. Supreme Court granted certiorari by summary disposition in hiQ Labs, Inc. v. LinkedIn Corp., vacating the decision of the U.S. Ninth Circuit Court of Appeals, and remanding the case to the Ninth Circuit for further consideration in view of the Supreme Court’s recent decision in Van Buren v. United States.
hiQ Labs, Inc. (“hiQ Labs”) is a data analytics company that uses data publicly available on various websites to develop talent management algorithms and other software. The dispute between hiQ Labs and LinkedIn Corp. (“LinkedIn”) arose as a result of hiQ’s collection, through the use of automated data-scraping bots, of LinkedIn user information from public LinkedIn profiles. In 2017, LinkedIn sent to hiQ Labs a cease and desist letter, demanding that hiQ discontinue its data-scraping practices on LinkedIn user profiles, and blocked hiQ Labs’ ability to employ its automated bots on LinkedIn profiles. In response, hiQ Labs sought injunctive relief in the U.S. District Court for the Northern District of California, where hiQ was granted such relief, enjoining LinkedIn from asserting various statutes and causes of action against hiQ Labs, including the Computer Fraud and Abuse Act (“CFAA”). The ruling of the District Court was affirmed by the Ninth Circuit, which held that hiQ Labs’ use of automated, data-scraping bots to access public information was not likely to be a violation of the CFAA.
The CFAA imposes civil and criminal liability on anyone who intentionally accesses a computer without authorization or whose access exceeds authorized access to such computer. In Van Buren, the Supreme Court assessed whether a police officer who performed a search within a police database in exchange for money – a search that, because it was unrelated to police business, violated applicable police policy – was subject to liability under the CFAA. The Supreme Court held that the CFAA covers those who obtain information from any portion of a computer (e.g., files, databases, and the like) to which their authorized access does not extend, but that it does not cover those who have improper motives for accessing portions of the computer that would otherwise be lawfully accessible by them.
In remanding hiQ Labs back to the Ninth Circuit, the Supreme Court appears to suggest that it believes there is a question as to whether the CFAA applies to hiQ Labs’ data-scraping activities. LinkedIn has argued that, in light of its terms of service (which prohibit automated data scraping), its cease and desist letter, and its use of technical measures to block the ability of hiQ Labs bots to scrape data from LinkedIn profiles, hiQ Labs did not have authorization to use bots to perform data scraping, and that its data-scraping activities fall squarely within the ambit of the CFAA.
As the use by companies of automated data-scraping technologies proliferates across the internet, the Ninth Circuit’s decision on remand may have wide-reaching consequences for social media platforms and other websites that collect and make available user information. Resolution of the “authorized access” issue may force website operators to retool their terms of service by bolstering provisions related to access and permitted use.
On the other hand, it is possible that the Ninth Circuit may “side-step” the CFAA question on public policy grounds. For example, the Ninth Circuit may adopt a similar line of reasoning as it did the first time it heard hiQ Labs, and may find that allowing companies – such as LinkedIn – that collect and use personal information of users, and that make such personal information publicly available – to decide, on any basis, who can collect and use the data, may give rise to “information monopolies” that would be contrary to public interest, especially in light of recent legislative trends granting individuals greater rights in their personal information. Regardless of the outcome, the Ninth Circuit’s decision will be an important development in the personal information and data privacy spheres.