Following up on our April 27, 2022 post, Data Scraping Deemed Legal in Certain Circumstances, the most significant data scraping lawsuit has finally come to an end. After six years of litigation, LinkedIn Corp. and hiQ Labs, Inc. reached a confidential settlement agreement and filed a stipulation and proposed consent judgment (stipulation) with the California district court on December 6, 2022. The stipulation includes, among other things, a $500,000 judgment entered against hiQ, establishment of hiQ’s liability under California common law torts of trespass to chattels and misappropriation, and various forms of injunctive relief effectively prohibiting hiQ’s future ability to data scrape LinkedIn.
While the stipulation is not considered a finding of fact by the court and therefore has no precedential value, the various decisions leading up to this point show that, under certain circumstances, data scraping publicly available websites is legal under the Computer Fraud and Abuse Act (CFAA) but may create liability risk under a breach of contract claim or even common law torts claims.
Picking up where we left off, the US Court of Appeals for the Ninth Circuit issued a new order in April 2022 affirming the original injunction issued by the California district court in 2017 that prohibited LinkedIn from blocking hiQ’s access to LinkedIn and from using the CFAA as a remedy against undesired access to public websites. The Ninth Circuit reasoned that the CFAA’s “without authorization” provision does not apply to public websites like LinkedIn. Moreover, the Ninth Circuit maintained that violating a public website’s user agreement alone is insufficient to trigger CFAA liability under the “without authorization” provision.
As a practical matter, the Ninth Circuit’s April 2022 order ended the CFAA issue in favor of hiQ and effectively made the Ninth Circuit the most pro–data scraping circuit in the country. However, website operators are not without recourse.
In August 2022, the California district court issued an order dissolving the preliminary injunction because LinkedIn established hiQ no longer had an ongoing business and was essentially defunct. The dissolution of the injunction opened the doors for a breach of contract claim to be brought against hiQ, which the California district court took up through a series of cross-motions for summary judgment it heard on November 4, 2022.
Although the California district court denied the summary judgment motions because of factual issues regarding hiQ’s waiver and estoppel defenses, the court ruled that provisions of a website user agreement that prohibit data scraping and creation of fake profiles are enforceable under a breach of contract claim.
With six years of litigation culminating into a confidential settlement and a stipulation that lacks precedential value, many will remember this case to mean that data scraping of public websites is legal in certain circumstances. However, website operators should be sure to remember this case means common law tort claims and breach of contract claims are available remedies against undesired data scrapers.