In 2017 many data analytics companies received cease and desist letters from LinkedIn. The letter accused the analytics company of unlawfully scraping (i.e. extracting data, often using a bot, from a website) data that stored on LinkedIn’s servers. The letter cited many state and federal laws and LinkedIn’s own terms of service to assert that such conduct was unlawful. While comprehensive – and intimidating to many start-ups and companies smaller than LinkedIn – the best argument that LinkedIn relied on was that the scraping violated the federal Computer Fraud and Abuse Act (“CFAA”). Because of a recent Ninth Circuit opinion in HiQ v. LinkedIn, data analytics companies relying on data from public sources now have a strong counter-argument.
Why was LinkedIn’s CFAA argument initially so strong? Because, in 2017, the relevant case was a Ninth Circuit opinion, Facebook, Inc. v. Power Ventures, Inc., which implied that a cease and desist letter could be used to revoke authorization to access a computer. The CFAA prohibits, in over-simplified terms, accessing a “protected computer” “without authorization.” Power Ventures essentially opened the floodgates to selective cease and desist letters designed to stymie competition.
Then what happened? HiQ was the recipient of once such cease and desist letter. HiQ is a data analytics company that uses LinkedIn data to develop two different products. HiQ obtains the data it needs for those products from LinkedIn users by using automated bots to scrape information that LinkedIn users have made public on their LinkedIn profiles, which data could include name, job title, work history, and skills. After receiving LinkedIn’s cease and desist letter, hiQ filed a declaratory relief action and sought a temporary restraining order. The district court ultimately granted hiQ a preliminary injunction. LinkedIn appealed.
What did the Ninth Circuit conclude? After holding that hiQ had established the likelihood of irreparable harm and that the equities favored the injunction, the Ninth Circuit’s opinion turned to the issue of likelihood of success. At the district court, hiQ asserted several affirmative claims. Holding that it was likely to prevail on at least one of those (intentional interference with contract), the Ninth Circuit turned to the “pivotal” question: “whether once hiQ received LinkedIn’s cease-and-desist letter, any further scraping and use of LinkedIn’s data was ‘without authorization’ within the meaning of the CFAA and thus a violation of the statute.” Ultimately, the Court held that hiQ’s scraping was not “without authorization.”
How did the Ninth Circuit determine that hiQ’s scraping was not “without authorization”? First, the Ninth Circuit looked to the plain language of the statute. “‘[W]ithout authorization’  suggests a baseline in which access is not generally available and so permission is ordinarily required.” In other words, the CFAA refers to an affirmative act. Having already indicated that the data hiQ was scraping was data made publicly available by the LinkedIn users, the Court went on to explain that “[w]here the default is free access without authorization, in ordinary parlance one would characterize selective denial of access as a ban, not as a lack of ‘authorization.’”