• Paul Peter Nicolai

Public Data Scraping Likely Does Not Violate CFAA

Updated: Sep 14, 2020

The Computer Fraud And Abuse Act (CFAA) prohibits accessing a computer without authorization. It is violated when a person circumvents a computer’s rules to gain access to it. A business which used LinkedIn public profiles was sent a cease-and-desist letter based on the CFAA. It sued and asked for a preliminary injunction against LinkedIn requiring it to allow it to access LinkedIn’s public pages.

The district court granted the motion. It ordered LinkedIn to withdraw its cease-and-desist letter, remove any existing technical barriers to the plaintiff’s access to public profiles, and refrain from using legal or technical measures to block the plaintiff’s access to public profiles.

On appeal the circuit court affirmed the order. It determined the CFAA’s prohibition on accessing a computer without authorization is violated when a person circumvents a computer’s rules. Such a violation does not occur when a user accesses publicly available data on a computer network like LinkedIn’s.

The court said giving companies like LinkedIn free rein to decide who can collect and use public data could result in information monopolies that disserve the public interest. LinkedIn has no protected property interest in the data contributed by its users, as the users retain ownership over their profiles.

The court cautioned its opinion was issued at the preliminary injunction stage and it did not resolve the dispute definitely, nor did it address all the claims and defenses.

WHY THIS IS IMPORTANT…This decision contravenes decisions on the same issue by two other circuit courts of appeal. It will affect handling of publicly available data. There will be new efforts to hold data close or make sure creators are compensated. As this happens it could change scrapers’ business models. The decision also assumes an individual waives any privacy rights by posting personal information on certain sites for specific purposes.The decision assumes there is no limited waiver – all waivers are full waivers.

Recent Posts

See All

State Privacy Laws Have Teeth

In 2008, Illinois passed the Biometric Information Privacy Act to grant consumers privacy protections for collected biometric information. It requires written consent be gotten before information is s

Uber Arbitration Agreement Tossed

The Massachusetts Supreme Court has ruled that Uber's customer terms and conditions requiring them to arbitrate claims against Uber are unenforceable. No enforceable contract requiring arbitration had