Find a lawyerOur capabilitiesYour career
Locations
Our capabilities
News

Select language:

Locations
Our capabilities
News

Select language:

hamburger menu showcase image
  1. Our thinking
  3. Blogs
  5. Technology Quotient
  7. Data Scraping Does It Again
2MIN

Data Scraping Does It Again

May 18 2022

Once again, hiQ wins the day in the continuous data scraping saga. In the most recent ruling, the U.S. Ninth Circuit Court of Appeals reaffirmed its original finding that scraping data that is publicly available on the internet is not a violation of the CFAA (Computer Fraud and Abuse Act), which governs certain types of computer hacking.

The Ninth Circuit’s ruling constitutes the latest decision in a long-running legal battle between the parties around hiQ’s data scraping of LinkedIn profiles. Although the district court originally sided with hiQ, LinkedIn’s appeals attempted to get some traction around its CFAA claims. Initially the Ninth Circuit affirmed the lower court’s decision, reasoning that LinkedIn could not invoke the CFAA as a defense to ban hiQ from scraping public data from the social networking site. But the Supreme Court later vacated that decision and remanded the case for further consideration in light of its decision in the Van Buren case, which resolved a circuit split regarding the scope of the CFAA, holding that the “exceeding authorized access” prohibition of the statute does not require misuse of a computer system that a user otherwise has the authority to access.

In the current decision, the Ninth Circuit analyzed whether or not hiQ’s continued scraping and use of LinkedIn member data following receipt of a cease-and-desist letter constituted unauthorized access under the CFAA, in light of the Van Buren. The decision found Van Buren consistent with the Ninth Circuit’s categorization of computer systems for which data is generally accessible to the public, as a class of systems for which authorization cannot not be withdrawn. The extension of the Ninth Circuit’s categorical approach could preclude a CFAA violation even if LinkedIn enacted technical measures to specifically block hiQ’s access, and hiQ circumvented them, a result which may not have been intended by the Supreme Court in Van Buren.  By distinguishing its prior decision in Power Ventures based on the fact that Facebook requires users to provide a username and password, the Ninth Circuit left open the notion that authorization for CFAA purposes can still be withdrawn by a cease-and-desist letter, but some generally applicable restriction on access may be necessary.

The Ninth Circuit’s ruling certainly affords shelter to automated scraping and analytics businesses from criminal liability under the CFAA. However, while the decision provides some additional clarity on how the CFAA should be applied, the issue is far from being settled. Questions still linger within the civil field and around the application of the CFAA to the different web scraping scenarios. It seems likely that we will have more to report on this as this case continues.

Tags

usdatadata protectionlitigation

Authors

New York

Menachem Kaplan

Partner
New York

Timothy Howard

Global Co-Head of Data and Technology
Latest Insights

Latest Insights

NAVIGATE TO
About usLocations and officesYour careerOur thinkingOur capabilitiesNews
CONNECT
Find a lawyerAlumniContact us
NEED HELP
Fraud and scamsComplaintsTerms and conditions
LEGAL
AccessibilityCookiesLegal noticesTransparency in supply chains statementResponsible procurementPrivacy

Select language:
Select language:
© 2026 Freshfields. Attorney Advertising: prior results do not guarantee a similar outcome