Website Scraping for Data Analytics Gets a "Like" in 9th Circuit hiQ v. LinkedIn case
In hiQ Labs, Inc. v. LinkedIn Corporation[1], the U.S. Ninth Circuit Court of Appeals issued an especially notable decision with respect to the scraping of publicly-available data from the Internet for data analytics. While upholding a preliminary injunction prohibiting LinkedIn from cutting off access to hiQ, the court also held that hiQ’s scraping of such data did not constitute a violation of the federal Computer Fraud & Abuse Act (CFAA). This decision doesn’t completely clear the way for scraping of data from websites without the authorization of the website owner, but it is certainly helpful precedent for data analytics providers.
The Facts
hiQ is a data analytics company founded in 2012 that uses scraped data, including from LinkedIn, to create HR-related analytics products. One product – named Keeper – attempts to identify employees at the greatest risk of being recruited away. The other product – named Skill Mapper – summarizes employees’ abilities in the aggregate to allow employers to identify gaps in their workforce.
While it appears that relations between LinkedIn and hiQ were friendly for the first five years of hiQ’s existence – with LinkedIn employees even winning awards at hiQ conferences, the relationship soured when LinkedIn launched a new series of similar analytic products targeted to employers in 2017. At that point, LinkedIn sent a cease and desist letter to hiQ and further noted that they had “implemented technical measures to prevent hiQ from accessing, and assisting others to access, LinkedIn’s site, through systems that detect, monitor, and block scraping activity.”
Shortly thereafter, hiQ filed suit in federal district court seeking injunctive relief to prevent it from being cut off, and that request was preliminarily granted. LinkedIn then appealed to the 9th Circuit even though the case had not been fully and finally decided at the district court level.
Preliminary Injunction
The standard for a preliminary injunction is that the plaintiff must establish that: (1) it is likely to suffer irreparable harm in the absence of the injunction; (2) the balance of the equities tips in its favor; and (3) it is likely to succeed on the merits.
The 9th Circuit found that hiQ would clearly suffer irreparable harm in the absence of the injunction. Without LinkedIn’s data, hiQ wouldn’t be able to provide its analytics and may perish as a company. The court also weighed this harm against the potential harm to LinkedIn and its users. The court found that LinkedIn did not have an ownership interest in the user data, rather it only received a license from the user by the terms of its own user agreement. Further, as the users had knowingly put their data into the public domain, the user had little to no expectation of privacy in the data. This point was again underscored by LinkedIn’s own materials, specifically its privacy policy, which stated that, “any information you put on your profile and any content you post on LinkedIn may be seen by others.” As a result, the court found the equities weighed in favor of hiQ and its potential loss of its business, as against the lack of harm to LinkedIn.
Lastly, the court evaluated whether hiQ would succeed on the ultimate merits of the case. hiQ alleged that LinkedIn’s behavior constituted unfair competition and tortious interference with contract. LinkedIn countered that hiQ’s behavior was a violation of the CFAA as well as a violation of the Digital Millennium Copyright Act and common law trespass.
Unfortunately, given the preliminary status of the case, the court did not affirmatively rule on the full merits and all of the associated claims and defenses of the parties – it mostly focused on the CFAA. Nevertheless, the court clearly viewed LinkedIn’s behavior as a blatant attempt to put an established competitor out of business, and as such looked favorably upon hiQ’s tortious interference and unfair competition claims.
The CFAA
Perhaps sensing the weakness in its copyright and trespass arguments, LinkedIn principally argued that hiQ’s scraping without LinkedIn’s approval constituted a violation of the CFAA. The CFAA states that “whoever… intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains … information from any protected computer … shall be punished” by fine or imprisonment.[2] Further, “any person who suffers damage or loss by reason of a violation” of that provision may bring a civil suit “against the violator to obtain compensatory damages and injunctive relief or other equitable relief.”[3]
The court found that the CFAA was never intended to cover the scraping of publicly available data, as opposed to data hidden behind a User ID and password. The court held that for the CFAA to apply, the behavior needed to be akin to “breaking and entering” – the intentional intrusion onto someone else’s computer – and not merely “misappropriation.” As a result, accessing readily available information, such as public LinkedIn profiles, was not “without authorization” and the CFAA did not apply.
Conclusion on the hiQ v. LinkedIn case
Data analytics firms received an important victory in this 9th Circuit decision, but the decision is not definitive. Other claims, such as for copyright infringement or common law trespass, may still apply to scraping data from the web. The types of data that are being scraped and how that data is used need to be carefully analyzed to ensure legal compliance. Even with that cautionary note, the court here clearly thought that hiQ had the better of the argument.
This information is not intended and should not be construed as or substituted for legal advice. It is provided for informational purposes only. It is advisable to consult with private counsel on the precise scope and interpretation of any laws/regulation/legislation and their impact on your particular business.
[1] hiQ Labs, Inc. v. LinkedIn Corporation, No. 17-16783 (9th Cir., September 9, 2019).
[2] 18 U.S.C. § 1030(a)(2)(C)
[3] 18 U.S.C. § 1030(g)
UPDATE (Nov. 8, 2019): LinkedIn's appeal of this case was rejected by the 9th Circuit Court of Appeals.