The five-year dispute between hiQ Labs and LinkedIn over web scraping has come to an end. Around December 6, 2022, the parties reached a private settlement, and hiQ agreed to a permanent injunction requiring it to cease web scraping and to delete all source code, data, and algorithms created and obtained in its efforts to scrape LinkedIn in violation of the site’s user agreement.
Now entered by the court, the stipulation and consent judgment also provides for $500,000 in damages for LinkedIn and a stipulation by hiQ that LinkedIn may establish liability under the CFAA and California’s state-law equivalent—though those stipulations do not serve as precedent because they amount to an agreement between the parties.
For those watching, the case has had a winding path through the courts: beginning with a cease-and-desist letter in 2017, the case was appealed to the Ninth Circuit, remanded by the Supreme Court to the Ninth Circuit, and then finally concluded back in district court.
In the end, the case addressed several issues related to breach of contract and the Computer Fraud and Abuse Act that may inform future cases involving scraping.
Web Scraping Going Forward
Breach of Contract
In November 2022, LinkedIn won its motion for summary judgment on its breach of contract claim. The district court held that hiQ, under the circumstances present in that case, violated LinkedIn’s user agreement through (1) its automated web scraping of LinkedIn profiles and (2) its hiring of crowdsourced workers (“turkers”) to create fake profiles through which to access LinkedIn’s platform. Moreover, the court found that hiQ expressly agreed to the user agreement when it created its corporate account on LinkedIn’s platform.
This decision highlights how and when courts may enforce online user agreements and terms of service, including restricting web scraping activities. In addition, if a company’s agents or contractors violate a site’s terms on a company’s behalf, the company may be held liable for breach of contract.
The Computer Fraud and Abuse Act (CFAA)
Earlier in the saga, the Ninth Circuit twice held that hiQ’s scraping likely did not violate the CFAA, and granted hiQ’s preliminary injunction, which allowed it to continue scraping LinkedIn’s public-facing content. The court declined to apply the CFAA’s “without authorization” provision to websites that generally permitted public access to their data and took no steps to demarcate their data as private or require the use of an authorization system. See our previous discussion: “Ninth Circuit Says It Again: Scraping of Public Websites Is Generally Not a CFAA Violation.” The Ninth Circuit later dissolved that preliminary injunction after LinkedIn showed that hiQ effectively ceased its operations, leaving no business left to protect.
In the wake of the settlement and permanent injunction, some of the CFAA issues raised remain unanswered—namely what constitutes “discovery of the damage” for purposes of the CFAA’s two-year statute of limitations, and what factors contribute to when “gates,” or access limitations, are up or down (or even which sorts of gating measures matter).
Although this case is resolved, web scraping-related litigation continues. LinkedIn, for instance, is separately litigating another web scraping dispute with 3taps (an exchange platform that aggregates user-generated data from around the web), and Meta recently obtained a default victory over a Hong Kong social media data company, only a couple of months after settling with two other companies that it sued for web scraping. Websites and web scrapers alike will want to stay tuned for how these disputes continue to unfold.