LinkedIn has recorded a new judgment against it in its fight against a company collecting data from its public profiles.
Under California law, what constitutes "unauthorized" access to computer systems? The Court of Appeals had to decide this very question. The context: a dispute in which it had already ruled in 2019. It pits LinkedIn against hiQ Labs.
Founded in 2012, this company collects information from public profiles, formats it, and markets it using predictive analytics. Its target market: employers. Its products are designed to help them map skills (Skill Mapper) and identify employees who are considering leaving (Keeper).
In 2017, LinkedIn formally requested that hiQ cease the practice, citing the Computer Fraud and Abuse Act (CFAA). This law, in effect since 1986, penalizes accessing a computer without permission or abusing authorized access.
Faced with this injunction, hiQ took legal action in California to try to prove that its activity was legal. And it won.
LinkedIn appealed. In September 2019, the Court of Appeals rejected the appeal, citing, among other reasons:
– The social network does not have rights over the data published by its members , as the latter own their profiles.
– Users who choose a public profile “obviously” expect it to be accessible by third parties .
– The CFAA is supposed to govern cases of hacking ; it is all the more questionable to invoke it in a case concerning freely accessible data.
– Giving LinkedIn control over the use of public data could create an “information monopoly” detrimental to the public interest
– Without access to the relevant data, hiQ would face “irreparable damage”
LinkedIn mentions a legitimate economic interest…
The case went all the way to the Supreme Court, which ruled in favor of LinkedIn . Underlying this was a decision the Court had issued a few weeks earlier… a decision that involved a different interpretation of the CFAA than the Court of Appeals. Specifically, it focused on the misuse of authorized access—and, consequently, the technical measures LinkedIn had implemented against bots . The case involved a police officer who had used a database to conduct his own investigation.
Asked again, the Court of Appeal upheld its initial position. It ruled on two points in particular. First, the existence of a disruption in the contractual relationship between hiQ and its clients. Second, the applicability of the CFAA, LinkedIn .
On the first point, hiQ claims that the interference was intentional, and that it manifested itself both through the implementation of technical measures and the invocation of the CFAA. LinkedIn does not dispute these observations but maintains that, according to the law, such interference can be justified by a legitimate economic interest.
How did the Court reason on this matter? It first considered that, in the existence of a contractual relationship, the societal interest in stability is generally prioritized over freedom of competition. Then, it adopted elements of the Supreme Court's reasoning. More specifically: such interference cannot be justified solely by the fact that a competitor seeks to gain an economic advantage at LinkedIn . It must be proven that the action was taken to "safeguard an interest of greater societal value than the stability of the contract."
To determine whether this is the case, two things need to be checked. First, whether the means of interference remain within the framework of "accepted commercial practices." Second, whether they remain within the bounds of fair competition.
… but clashes with the CFAA's interpretation
Technical blocking is probably not a "recognized business practice" under California law, the Court ruled . This contrasts with practices such as advertising, price adjustments, or employee poaching, which may indirectly affect contractual relationships but do not fundamentally disrupt a business model .
that it was not a given that the practices constituted fair competition Skill Mapper, a product that could potentially compete
The second question then remains: once the formal warning was received, did the data collection continue "without authorization" within the meaning of the CFAA?
The blocking itself cannot be considered a lack of authorization, the Court clarifies from the outset. It then justifies maintaining its "restrictive" interpretation of the text: simple misuse is not sufficient to invoke it; the concept of intrusion is essential (see "hacking" above).
Is there anything in the "LinkedIn vs. hiQ" case that amounts to an intrusion? The Court's answer is no. In broad terms, based on the following:
– The concept of unauthorized access only applies to information made private by some form of password-type requirement
– Other texts besides the CFAA – including the Stored Communications Act – go in the same direction
– LinkedIn has clearly not made the data on its public profiles private
—————————
prospecting automation software that allows you to easily manage all the complex aspects of your marketing processes.
Try Magileads free for 14 days. Click here .
Or book a demo to see how it works. Click here .
