On April 18, a Ninth Circuit panel reaffirmed its holding that LinkedIn cannot stop hiQ Labs (“hiQ”) from scraping publicly accessible data from its website at this stage of the litigation. In its latest opinion in HiQ Labs, Inc. v. LinkedIn Corporation, the Ninth Circuit ruled that hiQ raised serious questions about whether their scraping of public LinkedIn profile information should be permissible under the Computer Fraud and Abuse Act (“CFAA”). While the court’s opinion was limited to hiQ’s motion for a preliminary injunction prohibiting LinkedIn from preventing hiQ’s scraping, the reasoning and discussion in the court’s opinion suggests that the panel’s position is that scraping publicly accessible data likely does not violate the Computer Fraud and Abuse Act (“CFAA”).

The CFAA is the most prominent federal anti-hacking statute, and it prohibits, among other things, obtaining information through access to a protected computer system “without authorization” or in a way that “exceeds authorized access.” The bounds of what constitutes a violation of authorization under the CFAA has been a topic of debate in recent cases. Last year, in Van Buren v. United States (previously discussed here and here), the Supreme Court ruled that using information from a computer system for unpermitted purposes would not “exceed authorized access” under the CFAA if the user was otherwise authorized to access that information using the computer.

Less than two weeks after issuing its decision in Van Buren, the Court issued a summary disposition in LinkedIn v. hiQ Labs, LinkedIn’s petition to the Supreme Court to allow it to prevent hiQ from continuing its scraping practices. The Court vacated the Ninth Circuit’s earlier opinion affirming the trial court’s decision to allow the scraping to continue and remanded the case to the Night Circuit for further consideration in light of the Van Buren decision. In the opinion issued on April 18, the Ninth Circuit reasoned that the Supreme Court’s reasoning in Van Buren supported the conclusion that the CFAA does not prohibit access to publicly accessible data.Continue Reading Ninth Circuit Affirms Preliminary Injunction in HiQ Labs, Inc. v. LinkedIn Corporation, Reasoning that CFAA Is Unlikely to Bar Access to Public LinkedIn Data

In a unanimous decision issued on February 3, 2022, the Illinois Supreme Court held in McDonald v. Symphony Bronzeville Park that the Illinois State Workers’ Compensation Act (“WCA”) did not bar claims under the Illinois’ Biometric Information Privacy Act (“BIPA”). In doing so, the court eliminated one significant defense commonly raised in such cases, since many BIPA class actions are brought in the context of employment (many of which were stayed pending the decision in McDonald). Critically, though, the decision does not preclude other potential defenses including claims of federal preemption.

BIPA is one of the most actively litigated privacy statutes in the United States. Among other things, it requires that businesses obtain consent prior to collecting biometric information (fingerprints, facial geometry information, iris scans and the like), issue a publicly available data retention policy, and refrain from certain data sales and disclosures. Because BIPA provides for a private right of action along with statutory damages of $1,000 to $5,000 per violation, it has proved fertile ground for the plaintiff’s bar.Continue Reading Illinois Supreme Court Finds Illinois Biometric Information Privacy Act Not Preempted By State Workers’ Compensation Law

The onset of the COVID-19 pandemic in 2020 shuttered daycare centers, shifted schools to virtual settings, and fueled the rapid growth of children’s applications and educational technology (“ed-tech”) to facilitate the shelter-in-place childcare and remote learning paradigms. The federal Children’s Online Privacy Protection Act (COPPA) and Family Educational Rights and Privacy Act (FERPA), as well as numerous state laws protect children’s and students’ privacy when using these platforms. In 2021, increased scrutiny of the data collection practices of these platforms has followed their rapid deployment, as new variants led to renewed restrictions on in-person education and childcare. That scrutiny is likely to continue in the new year, as the use of such platforms persists, even as the pandemic subsides. In this post, we survey the developments during 2021 and assess the future of child and student privacy in 2022.
Continue Reading Trends in Child and Student Privacy

On January 12, 2021, the U.S. District Court for the District of Columbia granted a motion to compel production of allegedly privileged cybersecurity documents in Guo Wengui v. Clark Hill, PLC, 1:19-cv-03195.  In doing so, the Court determined that the Defendant’s cybersecurity assessment was neither covered by work product protection nor attorney client privilege because the Defendant law firm would have investigated the breach in the same way as a business function.
Continue Reading DC District Court Requires Production of Cybersecurity Assessment Prepared at Direction of Outside Counsel

On December 8, 2020, the Supreme Court heard oral argument to consider the TCPA’s definition of an “automatic telephone dialer system” (ATDS) in Facebook, Inc. v. Duguid, Noah et al., Dkt. 19-511. The Supreme Court is tasked with interpreting the scope of liability under the TCPA, and its resolution may bring much needed clarity to companies struggling with the meaning of that definition, particularly in light of a current split among circuits on the question and the D.C. Circuit’s 2018 decision, ACA International v. Federal Trade Commission striking down the FCC’s own interpretation. Because the TCPA imposes significant statutory penalties for calling or sending text messages using an ATDS to cellphones in violation of the act, clarification of the meaning of an ATDS may help companies mitigate their risks and curtail potential TCPA class action lawsuits.
Continue Reading Supreme Court Reviews Definition of Auto-Dialer Under TCPA To Clarify Circuit Split

remote workOn November 30, 2020, the Supreme Court held oral argument in Van Buren v. United States to determine the scope of criminal liability under the Federal Computer Fraud and Abuse Act (CFAA), 18 U.S.C. 1030.  The court’s decision may resolve a circuit split and have far-reaching implications for the scope of civil and criminal liability under the CFAA.  The key point of dispute under the CFAA is whether a person “exceeds authorized access” of a computer (1) only by accessing the computer as an unauthorized person, or (2) more broadly by using the computer for unpermitted uses, even when otherwise permitted to access the computer.  The First, Fifth, Seventh, and Eleventh Circuits have broadly interpreted “exceeds authorized access” to cover access that takes place for an improper purpose, whereas the Second, Fourth, and Ninth Circuits have narrowly interpreted unauthorized access to require a lack of any authorization.  For example, under the broad interpretation at dispute before the Supreme Court, an employee who is authorized to access a work computer to carry out certain tasks for employment may still be liable under the CFAA if the employee uses the office computer to download confidential information for non-employment purposes.
Continue Reading Supreme Court Hears Oral Argument to Address Circuit Split under the CFAA

California State Flag. Close up.

On November 3, 2020, Californians passed the ballot initiative for the California Privacy Rights Act (CPRA) with a 56% vote.  As discussed earlier, the CPRA significantly expands upon the California Consumer Privacy Act (CCPA) that went into effect on January 1, 2020, and whose regulations were approved on August 14, 2020 with  subsequent proposed amendment in October 2020.

Most CPRA provisions will take effect on January 1, 2023, but its new obligations will apply to any personal information collected from California residents on or after January 1, 2022, a little over one year from passage.
Continue Reading California Privacy Rights Acts Approved by California Ballot Vote

The Supreme Court generally upheld the constitutionality of the Telephone Consumer Protection Act (TCPA) in Barr v. American Association of Political Consultants, Dkt. No. 19-631, issued on July 6, 2020.  Multiple stakeholders have been pressing on constitutionality of the TCPA, including advocates against “nuisance” robocalls, service providers weary of uncertain class action liability, and free speech advocates wanting less regulation.  The Supreme Court determined that only an exception to the TCPA permitting automated government debt collector calls was an unconstitutional restriction on free speech.  To remedy this violation, the Court rejected requests to find the entirety of the TCPA statute unconstitutional and instead affirmed the Fourth Circuit’s approach of severing of the offending exception from the statute.

The Supreme Court’s concerns about the governmental debt exception, however, could point to a vulnerability in other privacy statutes, such as the California Consumer Privacy Act, which exempts non-profits.  Going forward, privacy advocates will need to be particularly mindful of free speech concerns as privacy legislation grows.
Continue Reading Supreme Court Upholds Constitutionality of the TCPA But Severs the Government Debt Carve-Out on First Amendment Grounds