The original case was brought in California federal district court in 2017 by a company (hiQ) trying to protect its business of using publicly posted user data on LinkedIn. The California federal district court awarded a temporary restraining order against LinkedIn.
Appellate Court Ruling
On September 9, 2019, by a 3-0 decision, the Ninth Circuit appellate court affirmed the federal district court’s ruling and found that hiQ raised serious questions on the merits of LinkedIn’s argument that hiQ’s conduct violated the CFAA and upheld the TRO.
Takeaways from the Ninth Circuit Appellate Court Opinion:
- Judge Marsha Berzon, writing for the NinthCircuit Panel, stated that giving companies such as LinkedIn “free rein” over who can use public user data risked creating “information monopolies” that harm the public interest.
- “LinkedIn has no protected property interest in the data contributed by its users, as the users retain ownership over their profiles.”
- “And as to the publicly available profiles, the users quite evidently intend them to be accessed by others,” including prospective employers.
- hiQ’s conduct of data scraping public profiles off of LinkedIn likely does not violate the CFAA.
“Where do scrapers go from here? Where is my web-bot?!” Hold On! …Not totally home free
This is a key decision that represents a significant federal circuit –the Ninth Circuit- putting limits on companies trying to affirmatively use the CFAA to restrict an outsider’s use of publicly posted user data. Unfortunately for scrapers, the Ninth Circuit left the door open to other claims, such as state law trespass to chattels, copyright infringement, breach of privacy, breach of contract, misappropriation and unjust enrichment that might allow companies like LinkedIn to limit competition with its products (LinkedIn could still pursue the case against hiQ on some of these other claims). So the fight between scrapers and companies that post data is not over, but the ruling from the Ninth Circuit is helpful to companies that may want to use publicly available data to enhance their own business offerings. (Please note that the CFAA is subject to multiple conflicting interpretations across the federal circuits, making it likely that the Supreme Court will eventually be forced to resolve the meaning of key terms like “without authorization;” thus, it is important to analyze in what jurisdictions the conduct is occurring to get an up to date assessment on scraping and data use.)
And does this tie into the CCPA? You bet!
As the Ninth Circuit’s makes clear, it is critical to consider who owns the data. In the hiQ case, it was a significant point that the users owned the data. This seems to relate to the same principles that founded the California Consumer Privacy Act (“CCPA”), which is set to go in effect on January 1, 2020. This is also something to be mindful of as it feeds into why compliance with CCPA is so important (i.e. because it relates to who ultimately owns the data and when a user wants his or her data removed, or if a user wants to know if you are selling his/her data, you must tell them and give him/her a right to not sell the data etc. …a company must comply under the CCPA!)
Important Comments from the decision to be mindful of for data scrapers:
The Ninth Circuit decision noted that the conduct of hiQ involved accessing publicly available information. The decision discusses at length the concept of “without authorization” and noted the conduct of hiQ did not involve logging on to the LinkedIn platform with a password. Other Ninth Circuit cases have taken issue with “logging on” to a platform to get access to data; consequently, as a rule of thumb, a company should not log in to any platform to scrape data.