As readers of CPW know, data scraping is a hot button data privacy issue. We previously covered the hiQ/LinkedIn data-scraping saga HERE, and HERE. In the most recent ruling out of the Northern District of California, Judge Chen denied hiQ’s motion to dismiss LinkedIn’s counterclaims for breach of contract, misappropriation, and trespass to chattels. Additionally, the Court deferred ruling on the motion to dismiss counterclaims for violation of the Computer Fraud and Abuse Act (“CFAA”) and California Penal Code § 502, pending the Supreme Court’s ruling on LinkedIn’s petition for a writ of certiorari.
What question is pending before the SCOTUS in LinkedIn’s petition for writ? As LinkedIn phrases it, the issue is “[w]hether a company that deploys anonymous computer ‘bots’ to circumvent technical barriers and harvest millions of individuals’ personal data from computer servers that host public-facing websites—even after the computer servers’ owner has expressly denied permission to access the data—‘intentionally accesses a computer without authorization’ in violation of the Computer Fraud and Abuse Act.” [Note: In hiQ’s framing, the question is instead whether a professional networking website, such as LinkedIn), may rely on CFAA’s prohibition on “intentionally access[ing] a computer without authorization” to prevent a competitor from accessing information that the website’s users have shared on their public profiles and that is available for viewing by anyone with a web browser.]
In addition to LinkedIn’s petition, the question of “when does a person exceed authorized access under the CFAA?” is also pending before SCOTUS in the case of United States v. Van Buren, 940 F.3d 1192 (11th Cir. 2019), although it involves different facts than the present litigation. 140 S. Ct. 2667 (2020). According to Judge Chen, both decisions may “have an impact on the instant case.” And “[t]he Court will be in a better position to address the counterclaim[s] once the Supreme Court has issued its decision in Van Buren and/or the instant case.”
Since the specific question pending before the SCOTUS relates to the meaning of “unauthorized access” under CFAA, it was not surprising that Judge Chen deferred the ruling on the CFAA claims until after the SCOTUS has issued its decision. What was somewhat more surprising, or interesting, was the Court also deferring ruling under the California Penal Code § 502, pending the SCOTUS ruling. The Court agreed that although § 502 is not on all fours with the CFAA, the question of whether “as a matter of policy, the use of public information should be deemed criminal conduct” was deemed related to the question of “unauthorized access” under CFAA.
For you novices out there, California Penal Code § 502 makes it unlawful to “knowingly” and “without permission” access, alter, damage, delete, destroy, or otherwise use any data, computer or computer system or network. In contrast to the CFAA, § 502 does not require “unauthorized access” but rather “knowingly access,” “without permission.” In other words, what makes the access unlawful, is that the person “without permission” takes, copies, or makes use of’ the data. Some may say § 502 is more restrictive than CFAA, but regardless, there is no question that both of the currently unanswered questions are bound to have a significant impact in the data-scraping arena.
Regarding hiQ’s motion to dismiss LinkedIn’s counterclaims for breach of contract, misappropriation, and trespass to chattels, the Court considered those adequately pled, raising only factual disputes and questions, which are not meant to be addressed at the pleading stage. At bottom, hiQ was not successful in its motion to dismiss, but to be fair, the true victory in this case is squarely dependent on the question pending before the SCOTUS. Stayed tuned for that. CPW will be there.