Tech & Sourcing @ Morgan Lewis


After two decisions by the US Court of Appeals for the Ninth Circuit, data scraping is deemed legal if the information is publicly accessible on the internet.

In May 2017, LinkedIn sent hiQ, a data analytics company founded in 2002, a cease-and-desist letter stating that hiQ was in violation of LinkedIn’s user agreement and demanding that hiQ stop copying data from LinkedIn’s server. In response, hiQ filed suit for injunctive relief based on the claim that LinkedIn could not lawfully invoke the Computer Fraud and Abuse Act (CFAA), the Digital Millennium Copyright Act (DMCA), California Penal Code § 502(c), or the California common law of trespass against hiQ. The district court agreed with hiQ, and LinkedIn appealed the case to the Ninth Circuit.

In 2019, the Ninth Circuit ruled in favor of hiQ and stated that hiQ successfully met all four of the elements necessary for a preliminary injunction: (1) irreparable harm, (2) balance of equities, (3) likelihood of success, and (4) public interest.

The court stated that although there were public interests on both sides, the public interest favored hiQ because LinkedIn should not have the right to decide who can collect and use data that LinkedIn itself does not own. The Ninth Circuit was concerned that ruling in favor of LinkedIn’s public interest “risks the possible creation of information monopolies” for companies like LinkedIn.

More than two years later, in June 2021, the US Supreme Court vacated the Ninth Circuit’s opinion and remanded the case in light of the Supreme Court’s recent decision regarding the applicability of the CFAA in Van Buren v. United States, 593 U.S. __ (June 3, 2021).

The CFAA, which aims to address computer hacking, prohibits accessing a “protected computer” without authorization. In Van Buren, the Supreme Court provided a narrow interpretation of the “exceeds authorized access” clause under the CFAA, stating that an individual exceeds authorized access when accessing a computer with authorization and then obtaining information to which the user did not have access.

In the hiQ–LinkedIn case, the Ninth Circuit directly addressed a different CFAA clause, holding that hiQ’s activities were not “without authorization” because the data scraped was publicly available. Despite this different CFAA clause being addressed, the Supreme Court remanded the hiQ–LinkedIn case with the intent that Van Buren would provide more context for the Ninth Circuit to review its original ruling regarding the CFAA.

In 2022, the Ninth Circuit concluded that the Van Buren holding reinforced its original interpretation of the CFAA’s “without authorization” clause, and once again held that the concept of “without authorization” does not apply to public websites, thus solidifying a monumental ruling that data scraping is legal in certain circumstances.