May 4, 2022
Data Privacy and Cybersecurity
Data Scraping: In hiQ v. LinkedIn, the Ninth Circuit
Reaffirms Narrow Interpretation of CFAA
By: Sara M. Crook, Aaron R. Cooper and Madeleine V. Findley
On April 18, 2022, the Ninth Circuit reaffirmed its narrow interpretation of the Computer Fraud and
Abuse Act’s (CFAA) “without authorization” prong in a data scraping dispute between hiQ and LinkedIn.
The opinion upheld a preliminary injunction that barred LinkedIn from stopping hiQ from scraping public
data from the LinkedIn website and held that scraping such public information likely does not constitute
accessing a computer “without authorization” under the CFAA.[1] The opinion is good news for
companies employing data scraping practices for publicly available information. More broadly, the
decision’s narrow interpretation of the CFAA follows the Supreme Court’s narrow approach to the
statute in its Van Buren decision and clarifies (at least in the Ninth Circuit) several questions that the
Supreme Court’s ruling in Van Buren left open.[2]
The CFAA and the Van Buren Decision
The CFAA prohibits, in relevant part, accessing computers “without authorization” or “exceed[ing]
authorized access” and thereby obtaining information, and permits civil recovery for victims suffering
“damage or loss” as a result of a violation.[3] As a prior Jenner & Block alert discussed, in Van Buren v.
United States, the Supreme Court resolved a Circuit split over the CFAA’s “exceeds authorized access”
prong, holding that the CFAA does not apply to an individual who is authorized to access information
on a computer, even if they do so for an improper purpose. Instead, the Court held, the CFAA creates
a “gates-up-or-down” inquiry: either an individual is authorized to access a computer system or parts of
that system, or they are not; a person “exceeds authorized access” by accessing a part of the
computer system to which the authorization does not extend.[4]
The Supreme Court’s decision suggested—but did not expressly hold—that violating purpose-based
limits on access to a computer system, such as the terms of service of a public website, would also not
on its own violate the CFAA’s “without authorization” prong.[5] Instead, the Court limited its holding to
the scope of “exceeds authorized access.”[6] Enter the hiQ v. LinkedIn dispute.
hiQ v. LinkedIn
Before the Van Buren decision, LinkedIn Corporation (LinkedIn) and data science company hiQ Labs,
Inc. (hiQ) were litigating in the Ninth Circuit about whether hiQ’s data scraping practices violate the
CFAA. Data scraping, for purposes of the litigation, was defined as an information gathering and
analysis tactic whereby a robot or individual “extract[s] data from a website and cop[ies] it into a
structured format, allowing for data manipulation or analysis.”[7] At issue in this litigation, hiQ scraped
information from public profiles on LinkedIn and then sold the resulting “people analytics”—such as
whether a person was likely to leave a job—to its clients.[8] LinkedIn sent a cease-and-desist letter
demanding hiQ stop scraping data from its website and implemented technical barriers specifically to
“prevent hiQ from accessing, and assisting others to access, LinkedIn’s site, through systems that
detect, monitor, and block scraping activity.”[9] In the cease-and-desist letter, LinkedIn asserted that
hiQ’s conduct violated LinkedIn’s terms of service, and if hiQ continued to scrape data in the future, it
would violate the CFAA and similar statutes.[10]