Earlier this month, the Supreme Court addressed the scope of the CFAA’s “exceeds authorized access” clause. In that decision, the Van Buren Court rejected the use of the CFAA as a tool to enforce usage restrictions for a person with access to a computer. In other words, the CFAA can no longer reach actions by an individual with access to a protected computer who uses that access for a disallowed or prohibited purpose. The fact pattern at issue involved a police officer who had access to a law enforcement database but accessed the database outside of his job duties for the improper purpose of selling the information. For more information, see our recent alert on Van Buren v. United States.
The decision has a significant impact on battles about web scraping. Many websites have terms of service that specifically limit or prohibit scraping of data, and a common litigation strategy was to allege a violation of the CFAA when a scraper ignored the restrictions in the terms of service. But the Van Buren decision now prohibits the use of the CFAA to enforce any violation of a website’s terms of service.
However, another clause of the CFAA—the restriction on those who “intentionally access a computer without authorization”—is often at play in web scraping litigation, but was not addressed by Van Buren. Instead, this issue was raised in LinkedIn Corp. v. hiQ Labs, Inc., a case where hiQ Labs was scraping information from LinkedIn, prompting LinkedIn to attempt to stop the scraping via a cease-and-desist letter. The question remains as to whether web scraping from a publicly available website—after the receipt of a cease-and-desist letter expressly prohibiting scraping—is covered by the CFAA’s “without authorization” prong.
This issue was fully briefed and pending review by the Supreme Court at the time of the Van Buren decision. After that decision, LinkedIn submitted a supplemental brief, asking the Supreme Court to provide needed clarification of the “without authorization” clause and highlighting conflicting decisions on the issue in lower courts. Subsequently, the Supreme Court vacated the judgment of the Ninth Circuit, and remanded the LinkedIn case for further consideration in view of the Van Buren decision.
Thus, we can expect further clarity on the application of the CFAA to web scraping, first from the Ninth Circuit and then likely from the Supreme Court. Ultimately, we can expect to learn whether the “without authorization” prohibition of the CFAA can restrict web scraping once a target provides a cease-and-desist letter, or whether the CFAA only prevents scraping when technological measures (e.g., a password-protected section of a website) are circumvented.