On September 9, 2019, the Ninth Circuit affirmed the Northern District Court of California’s decision to grant a preliminary injunction forbidding LinkedIn from denying plaintiff hiQ access to publicly available LinkedIn member profiles. As a result of HiQ Labs, Inc. v. LinkedIn Corp., hiQ may continue scraping data from public LinkedIn profiles to provide data analytics to its clients under the Computer Fraud and Abuse Act (CFAA).
LinkedIn has over 660 million members on its professional networking website. LinkedIn members own the content they post to LinkedIn but grant LinkedIn a non-exclusive license to “use, copy, modify, distribute, publish, and process” their personal information.
hiQ is a data analytics company that uses automated bots to “scrape” information from public LinkedIn profiles. This information yields analytics identifying employees with the greatest risks of being recruited and identifying skill gaps in specific corporations. HiQ sells its data analytics to clients including eBay and Capital One.
In May 2017, LinkedIn sent hiQ a cease-and-desist letter asserting that the company was in violation of the LinkedIn User Agreement and demanding that hiQ stop accessing and copying data from LinkedIn servers. LinkedIn also implemented preventative measures that blocked hiQ bots from accessing and scraping LinkedIn. hiQ demanded that LinkedIn recognize their right to access public LinkedIn profiles and sought injunctive relief in court.
LinkedIn cannot prevent hiQ from accessing information on public LinkedIn profiles.
The District Court granted hiQ’s motion for a preliminary injunction, ordering LinkedIn to remove existing technical barriers preventing hiQ from accessing public LinkedIn profiles. Reviewing for abuse of discretion, the Ninth Circuit affirmed the preliminary injunction.
A plaintiff seeking a preliminary injunction must establish that he is likely to succeed on the merits, that he is likely to suffer irreparable harm in the absence of preliminary relief, that the balance of equities tips in his favor, and that an injunction is in the public interest. The Ninth Circuit reasoned that absent a preliminary injunction, hiQ could not remain in business—sufficiently irreparable harm. The court also reasoned that the overwhelming harm to hiQ severely outweighed LinkedIn users’ expectations of privacy.
Next, the panel found hiQ highly likely to succeed in establishing LinkedIn’s intentional interference with its contracts. LinkedIn argued that hiQ violated the CFAA, but the court held that because LinkedIn’s data was accessible “without authorization,” it was seriously questionable whether LinkedIn could invoke the CFAA.
Lastly, the Ninth Circuit found that the last factor favored hiQ because allowing companies like LinkedIn to decide who can collect and use data that the corporations do not own could result in information monopolies that would disserve the public interest. Thus, the Ninth Circuit affirmed that hiQ had established the elements required for a preliminary injunction.
What does this mean for LinkedIn users?
At the time of writing, LinkedIn has not changed its User Agreement or taken steps to ratchet up the protections for public LinkedIn accounts. LinkedIn users generally anticipate that the professional networking platform will help them advance their careers and gain exposure to career opportunities, but they do not expect their data to be scraped and used by a third party to assess their “flight risk.” For qualified employees with no intent to leave their current company, such data may cause employer hesitation about said employees, leading to unwarranted negative job repercussions.
The cliché that “Internet is forever” has taken new meaning now that your information can be scraped from your LinkedIn and provided to employers indicating your likelihood of being recruited away or indicating the necessary skills you lack for your current job. This case provides yet another circuit’s interpretation of the CFAA, so it is likely that the Supreme Court will soon grant certification to conclusively establish the proper interpretation of the CFAA. In the meantime, anything that you post to your public LinkedIn page can be lawfully used by hiQ and other data analytics companies to assess your flight risk.
For more discussion on current issues surrounding the interpretation of the CFAA, see fellow ASLJ Staff Writer Chase Colwell’s blog post here.
The opinions expressed herein are those of the individual contributors to the ASLJ Blog and should not be construed as the opinions of the Arizona State Law Journal or the Sandra Day O’Connor College of Law at Arizona State University.