- Henry Park
Data scraping. Maybe not so safe in California.
Our prior post (see link), examined a recent order that permitted a business to continue to scrape publicly available information from LinkedIn. In that decision, the court examined whether the business violated the U.S. Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, and the declaratory judgment plaintiff's California Unfair Competition Law claim, Cal. Bus. & Prof. Code § 17200 et seq.
A more recent decision from the Ninth Circuit Court of Appeals examined whether the violation of a website's terms of use could constitute a violation of California's Comprehensive Data Access and Fraud Act (CDAFA), Cal Penal Code § 502(c). See Oracle v. Rimini, Nos. 16-16832 and 16-16905 (January 8, 2018). This law states in relevant part:
any person who commits any of the following acts is guilty of a public offense:
...
(2) Knowingly accesses and without permission takes, copies, or makes use of any data from a computer, computer system, or computer network, or takes or copies any supporting documentation, whether existing or residing internal or external to a computer, computer system, or computer network.
(3) Knowingly and without permission uses or causes to be used computer services.
In this case, there was no question that Rimini took and used data from the Oracle website. However, the taking and use of data was permitted by Oracle. The central issue was whether taking data using a method prohibited by the applicable terms of service, when the taking itself generally is permitted, violates the CDAFA. The Court of Appeals decided it did not.
The Court also referenced its decision in Facebook, Inc. v. Power Ventures, Inc., 844 F.3d 1058, 1069 (9th Cir. 2016), cert denied, 138 S.Ct. 313 (2017). In that case, the defendant was found to have violated the CDAFA because the defendant continued to access Facebook's computers after Facebook sent it a cease and desist letter.
Image by Balasoiu on Freepik.