A recent complaint by Southwest Airlines has refocused attention on a perennial question: the legal status of data scraping. Southwest alleges that Kiwi, an online travel operator, scrapes fare data from Southwest’s site, presents the data on its own site, and then sells Southwest tickets with an unauthorized service charge. The complaint has already led to comparisons with the Ninth Circuit Court of Appeals’ controversial HiQ v. LinkedIn decision. In that case, the court upheld a preliminary injunction barring LinkedIn from taking steps to block HiQ from scraping LinkedIn’s data, performing analytics on a company’s employees, and then providing the analysis to the employer. The decision led to more than a few breathless announcements that “data scraping is legal.” But is that really what HiQ v. LinkedIn says? And is HiQ v. LinkedIn translatable to other situations—such as Southwest’s situation?
First, remember HiQ v. LinkedIn’s procedural posture—it was a fight over a preliminary injunction, not a resolution on the merits. The starting point was that district had issued the injunction under an unusually permissive standard. Normally a plaintiff needs to show a likelihood of success to obtain an injunction, but in the Ninth Circuit, where the balance of hardships tips “sharply” in a plaintiff’s favor, the plaintiff merely needs to raise “serious questions going to the merits.” The district court measured HiQ’s case against this permissive test and held that HiQ had raised sufficiently serious questions about whether LinkedIn could block HiQ’s data scraping. Then, the court of appeals measured the district court’s decision against a permissive abuse-of-discretion test. So it’s simply wrong to say that Ninth Circuit resolved anything about the law. All the Ninth Circuit did was decide that it wasn’t “illogical, implausible, or without support in the record” to conclude that HiQ had raised “serious questions” about the legal status of data scraping in the particular circumstances alleged in the complaint. In other words, it might be right that HiQ might be able to win in the end. No surprise that one judge, concurring in the opinion, cautioned the parties not to overinterpret the decision as a pronouncement on the merits.
(By the way, a petition for certioriari in HiQ v. LinkedIn is before the Supreme Court, which is yet another reason not to treat the decision as a definitive pronouncement of the law for all time and all purposes.)
Second, the court of appeals’ decision was chiefly about whether one particular law, the Computer Fraud and Abuse Act, prohibited data scraping under the circumstances. The CFAA prohibits accessing a computer without authorization or beyond authorization. Although the paradigmatic case under the CFAA is a hacker breaking into a remote system, some courts have held that accessing a site while violating the site’s terms of service violates the law. This has been a controversial question for some time with a number of unresolved questions: Does it matter that a website is generally public? Does a defendant violate the law merely by doing something unauthorized on a computer system (including a website), or does the defendant need to access a part of the system or site that she’s not authorized to access, akin to trespassing into a forbidden space? The Ninth Circuit didn’t purport to decide these questions; it merely held that HiQ had raised serious enough questions about how the CFAA applies to justify enjoining LinkedIn from trying to self-enforce the CFAA while the case was pending. And the Ninth Circuit was careful to carve out other legal theories that LinkedIn could use to prohibit web scraping, such as breach of contract. The court specifically noted that these other theories might still hold water.
The Ninth Circuit came closest to holding that “data scraping is legal” in its conclusion that LinkedIn’s attempts to stop data scraping might themselves violate California’s unfair competition law. Responding to that argument, the court noted a number of factors, unique to the HiQ case, to conclude that the argument was plausible enough to warrant a preliminary injunction. The court seems to have been influenced by its view that data on LinkedIn belongs to users, not to LinkedIn: “LinkedIn has only a non-exclusive license to the data shared on its platform, not an ownership interest.” And it also seems to have been influenced by HiQ’s narrative of the competitive dynamic: HiQ alleged that LinkedIn had essentially acquiesced (or even endorsed) HiQ’s business model, leading HiQ to enter into contracts with its customers, before LinkedIn switched courses to compete with HiQ and shut HiQ out of the data. These case-specific factors loom large in the Ninth Circuit’s reasoning, which means it’s dangerous to transpose the HiQ result to other fact patterns such as the Southwest v. Kiwi dispute.
(Incidentally, on remand from the Ninth Circuit, the district court recently dismissed many of HiQ’s competition claims, and even though the court gave HiQ a narrow chance to replead a few of them, HiQ chose not to. Which makes it even harder to take the position that the case definitively declared data scraping to be legal.)
The bottom line? Don’t overscrape the HiQ v. LinkedIn decision.
