In an online world where websites are often publicly accessible, the question of how and when a website owner can bring a claim under the Computer Fraud and Abuse Act (CFAA) when it revokes “authorization” to site visitors is unclear.
The decision in L’Occitane, Inc. v. Zimmerman Reed LLP, et al. may provide some helpful guidance, as a federal court in California found that a website owner cannot revoke authorization to its public website by sending a cease-and-desist letter to unwanted visitors when the site failed to impose any technological barriers to access.
L’Occitane expands the body of case law that calls for something more than just a cease-and-desist letter to establish CFAA liability for public websites. However, exactly which measures constitute something more remains an open question.
L’Occitane, Inc. v. Zimmerman Reed LLP, et al.
Background
This was an unexpected arena for a CFAA decision. The main dispute relates to L’Occitane’s use of certain analytics cookies on its website which Zimmerman Reed, a law firm, believes constitutes prohibited wiretapping activity in violation of the California Invasion of Privacy Act. Zimmerman Reed then sought to initiate thousands of arbitrations against L’Occitane on behalf of its clients.
L’Occitane proactively filed suit, asserting a claim for declaratory relief that Zimmerman Reed and its clients violated the CFAA (18 U.S.C. § 1030(a)(2)(C)) after L’Occitane sent a letter that they were no longer authorized to access L’Occitane’s website. According to L’Occitane, “numerous . . . Defendants accessed L’Occitane’s website and obtained information for L’Occitane’s protected computer after being expressly informed through Zimmerman Reed that they were not authorized to do so.”
C.D. Cal. Grants Zimmerman Reed’s Motion to Dismiss on CFAA Claim
The court followed the Ninth Circuit’s lead in hiQ Labs, Inc. v. LinkedIn Corp. to dismiss L’Occitane’s CFAA claim, reiterating that the statute’s concept of “without authorization” is not apt where a website is freely accessible on the Internet.
On remand from the Supreme Court after Van Buren v. United States, the Ninth Circuit in hiQ interpreted the CFAA to contemplate the existence of three kinds of computer systems: “(1) computers for which access is open to the general public and permission is not required; (2) computers for which authorization is required and has been given; and (3) computers for which authorization is required but has not been given.” 1
Here, the court found that L’Occitane’s website – like LinkedIn’s public profiles – falls into the first category, and thus L’Occitane could not revoke authorization to its public website under the CFAA through a cease-and-desist letter alone. Put another way, an unwanted visitor continuing to access a public website after receipt of such a letter is not akin to “breaking and entering” – an analogue that the Ninth Circuit found to have guided Congress’ intent in enacting the CFAA.
L’Occitane argued that other Ninth Circuit precedent – United States v. Nosal (“Nosal II”) and Facebook v. Power Ventures – supported L’Occitane’s contention that Zimmerman Reed and its clients visited the website “without authorization,” but the court distinguished those cases because they apply to situations in which authorization is generally required and has either (a) never been given, or (b) has been revoked. More specifically, Nosal II involved a former employee, where authorization only existed on account of the employment, and in Power Ventures, authorization occurred when a user created an account and received access. Here, the court explained that these cases do not control as the information is “presumptively open to all comers” – including when the defendants visited L’Occitane’s website after receiving the cease-and-desist letter.
Cease-and-Desist Letters – Looking Ahead
This decision follows recent cases in dismissing CFAA claims when a defendant accesses public data that isn’t protected by technical barriers. The foundation of this trend can likely be attributed to the Supreme Court’s decision in Van Buren v. United States, where the Court interpreted the word “access” to have a specialized, technical meaning in the computer context, not a generalized meaning. And the Ninth Circuit (in hiQ) does not stand alone in following the Court’s interpretation; for example, in October 2022, Delaware’s federal court in Ryanair v. Booking Holdings adopted the position that the CFAA’s concept of “authorization” focuses heavily on technical barriers to access and held that “a violation of [] terms of use or the defiance of a cease-and-desist letter will not give rise to liability under the CFAA.”
Separately, cease-and-desist letters may still create the risk of criminal prosecution and breach of contract claims. To the first point, the Department of Justice’s May 2022 CFAA prosecution policy states that “when authorizers later expressly revoke authorization—for example, through unambiguous written cease and desist communications that defendants receive and understand—the Department will consider defendants from that point onward not to be authorized.” It’s difficult to reconcile this policy with the prevailing case law, and the DOJ may update its policy as the law continues to develop.
For breach of contract claims, a plaintiff may also put a defendant on notice of terms (such as browsewrap terms) by sending the contract with a cease-and-desist letter, thereby seeking to bind the defendant to the terms should the defendant continue to access the website after receipt. These were the facts in Southwest Airlines v. Kiwi.com, where the Northern District of Texas found in September 2021 that Southwest established the existence of a valid contract after putting Kiwi.com on notice of certain terms through a cease-and-desist letter and granted a preliminary injunction against Kiwi.com’s scraping based on breach of contract.
The Northern District of California reached the same conclusion in May 2024 in Meta Platforms, Inc. v. Voyager Labs Ltd., where Meta alleged breach of contract based on Voyager’s creation of fake accounts and scraping of Facebook and Instagram. In that case, Meta sent several cease-and-desist letters to Voyager over a span of several years, where it identified the provisions Voyager allegedly breached or described the unauthorized conduct. The court found that Meta’s allegations suggested that Voyager had actual knowledge of Meta’s terms, leading the court to deny Voyager’s motion to dismiss.
Despite the uncertain future of cease-and-desist letters in different contexts, we can confidently catalog this decision in the growing body of CFAA case law because the court dismissed L’Occitane’s claim without leave to amend. In a subsequent filing shortly thereafter on April 22, 2024, L’Occitane conceded the court’s reasoning and agreed to a total dismissal of its CFAA claim.
- hiQ Labs, Inc. v. LinkedIn Corp., 31 F.4th 1180, 1197-98 (9th Cir. 2022) ↩︎