Skip to main content
Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

Filter

Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • Parties reach agreement to resolve data scraping allegations

    Courts

    On December 8, the U.S. District Court for the Northern District of California issued a consent judgment and permanent injunction against a now-defunct plaintiff data analytics company in an action concerning whether the plaintiff breached a user agreement with a defendant professional networking site by using an automated process to extract user data (a process known as “scraping”) for the purposes of selling its analytics services to businesses. The case was sent back to the district court earlier this year by the U.S. Court of Appeals for the Ninth Circuit (on remand from the U.S. Supreme Court) after the appellate court affirmed the district court’s order preliminarily enjoining the defendant from denying the plaintiff access to publicly available member profiles. (Covered by Infobytes here.)

    As previously covered by InfoBytes, last month the district court ruled that the plaintiff breached its user agreement by creating fake accounts and copying url data as part of its scraping process. Nonetheless, at the time, the district court noted that there remained a legitimate dispute over whether the defendant waived its right to enforce the user agreement after the plaintiff openly discussed its business model, including its reliance on scraping, at conferences it organized that were attended by defendant’s executives. The district court further questioned when the defendant became aware of the plaintiff’s scaping, whether it should have taken “steps to legally enforce against known scraping” sooner, and whether the defendant can raise certain defenses to its breach of contract claim tied to the plaintiff’s data scraping and unauthorized use of data.

    On December 6, the parties separately reached an agreement to resolve all outstanding claims in the case. The final consent judgment enters a $500,000 judgment against the plaintiff and waives all other monetary relief. Additionally, the plaintiff is permanently enjoined from scraping or accessing the defendant’s platform without express written permission, whether directly or indirectly through a third party or whether logged in to an account or not. The plaintiff is also prohibited from developing, using, selling, or distributing any software or code for data collection from the defendant’s platform. The plaintiff must also delete all software code in its possession that is designed to access the defendant’s platform, must delete all member profile data in its possession (including data stored with a third party), and is barred from “using, distributing, selling, analyzing, or otherwise accessing any data” collected without the defendant’s express permission, whether directly or indirectly through a third party, among other requirements.

    Courts Privacy, Cyber Risk & Data Security Data Scraping Consumer Protection Appellate Ninth Circuit State Issues Third-Party

  • Social media platform awarded $365,000 in scraping suit

    Courts

    On December 8, the U.S. District Court for the Northern District of California enjoined a data trading company (defendant) from accessing a social media platform (plaintiff), and ordered it to pay $361,790 in attorney fees and $3,640 in court costs to the platform. According to the complaint, the defendant unlawfully scraped the profiles of over 90 million of the plaintiff’s users before selling the data. The complaint specifically alleged that the defendant sold “in-depth insights into the demographics and psychographics of influencers and their audiences.” The order enjoined the defendants from, among other things: (i) accessing or attempting to access the plaintiff’s platforms; (ii) developing, offering, and marketing software or computer code intended to automate the collection of data; and (iii) engaging in any activity that disrupts the plaintiff’s platforms.

    Courts Privacy, Cyber Risk & Data Security Data Scraping Consumer Protection

  • Irish DPC fines global social media company €265 million over data scraping claims

    Privacy, Cyber Risk & Data Security

    On November 28, the Irish Data Protection Commission (DPC) announced the conclusion of a “data scraping” inquiry into the practices of a global social media company’s European operations. The inquiry, which included cooperation from all of the other data protection supervisory authorities in the EU, was commenced in April 2021 following media reports that personal data for which the company was responsible was available on the internet. According to the DPC, the inquiry focused on questions related to the company’s compliance with the GDPR’s obligation for “Data Protection by Design and Default.” Specifically, the DPC “examined the implementation of technical and organizational measures pursuant to Article 25 GDPR (which deals with this concept).” The decision, adopted on November 25, and agreed upon by all the other EU supervisory authorities, found that the company violated Articles 25(1) and 25(2) of the GDPR. The decision imposes a reprimand and requires the company to bring its processing into compliance by implementing several specific remedial actions within a particular timeframe. In addition, the company must pay an administrative fine of €265 million.

    Privacy, Cyber Risk & Data Security Of Interest to Non-US Persons GDPR Data Scraping Enforcement EU

  • District Court: Unclear when networking site became aware of data scraping

    Privacy, Cyber Risk & Data Security

    On November 3, the U.S. District Court for the Northern District of California issued an order ruling on cross-motions for summary judgment in an action concerning whether a now-defunct plaintiff data analytics company breached a user agreement with a defendant professional networking site by using an automated process to extract user data (a process known as “scraping”) for the purposes of selling its analytics services to businesses. The defendant claimed that the user agreement prohibits scraping, and sent the plaintiff a cease-and-desist letter demanding it stop and alleging violations of the Computer Fraud and Abuse Act (CFAA) as well as various state laws. In response, the plaintiff sued the defendant, arguing that it had a right to access the public pages, and later sought a preliminary injunction, which the district court granted.

    As previously covered by InfoBytes, earlier this year, the U.S. Court of Appeals for the Ninth Circuit, on remand from the U.S. Supreme Court, affirmed the district court’s order preliminarily enjoining the defendant from denying the plaintiff access to publicly available member profiles. The 9th Circuit had previously affirmed the preliminary injunction, but was called to further consider whether the CFAA applies to the plaintiff’s data scraping after the U.S. Supreme Court vacated the appellate court’s judgment in light of its ruling in Van Buren v. United States. The 9th Circuit found that the ruling in Van Buren, in which the Supreme Court suggested the CFAA only applies in cases where someone is accused of hacking into or exceeding their authorized access to a network that is protected, or in situations where the “gates are up,” narrowed the CFAA’s scope and most likely did not apply to cases involving data scraped in bulk by automated bots from public websites. The appellate court concluded, among other things, that the defendant showed that it “currently has no viable way to remain in business other than using [the networking site’s] public profile data” for its analytic services and “demonstrated a likelihood of irreparable harm absent a preliminary injunction.” Moreover, the 9th Circuit rejected the defendant’s claims that the plaintiff violated the CFAA.

    In partially granting the defendant’s motion and denying the plaintiff’s, the district court ruled that the plaintiff breached its user agreement by directing the creation of fake accounts and copying of url data as part of its scraping process. Nonetheless, the district court noted there remains a legitimate dispute over whether the defendant waived its right to enforce the user agreement after the plaintiff openly discussed its business model, including its reliance on scraping, at conferences it organized that were attended by defendant’s executives. Moreover, questions remain for trial as to when the defendant became aware of the plaintiff’s scaping, whether it should have taken “steps to legally enforce against known scraping” sooner, and whether the defendant can raise certain defenses to its breach of contract claim tied to the plaintiff’s data scraping and unauthorized use of data.

    Privacy, Cyber Risk & Data Security Courts Data Scraping Consumer Protection Computer Fraud and Abuse Act State Issues California Appellate Ninth Circuit

  • District Court grants plaintiff’s injunction in data scraping suit

    Courts

    On September 30, the U.S. District Court for the Northern District of California certified a stipulation and proposed order regarding a permanent injunction and dismissal to abandon remaining allegations against an Israel-based company and a Delaware company (collectively, defendants) related to their use of data scraping from the parent company of large social media platforms (plaintiff). In 2020, the plaintiff alleged that the defendants developed and distributed internet browser extensions to illegally scrape data from the plaintiff’s platform and other platforms. The order noted that the court’s prior summary judgment decision concluded that the defendants collected data using “self-compromised” accounts of users who had downloaded the defendants’ browser extensions. The order further noted that the defendants stipulated that the plaintiff had established that it suffered “irreparable injury” and incurred a loss of at least $5,000 in a one-year period as a result of one of the companies’ unauthorized access. The order further noted that judgment has been established “based on [the Israel-based company’s] active data collection through legacy user products beginning October 2020, and based on [the Israel-based company’s] direct access to password-protected pages on [the plaintiff’s] platforms using fake or purchased user accounts.” Under the injunction, the defendants are immediately and permanently barred from accessing or using two of the plaintiff’s social media platforms without the plaintiff’s express written permission, regardless of whether the companies are using the platforms directly or via a third party. The defendants are also banned from collecting data or assisting others collect data without the plaintiff’s permission, and are required to delete any and all software, scripts or code that are designed to access or interact with two of the plaintiff’s social media platforms. Additionally, the defendants are prohibited from using or selling any data that they have previously collected from the plaintiff’s social media platforms.

    Courts Privacy, Cyber Risk & Data Security Data Scraping Social Media Data Collection / Aggregation

  • District Court grants final approval of data breach settlement

    Privacy, Cyber Risk & Data Security

    On August 9, the U.S. District Court for the Western District of North Carolina granted final approval of a class action settlement resolving allegations that two hemp companies (collectively, “defendants”) were involved in data breaches. According to the plaintiffs’ unopposed motion for final approval of the class action settlement, the defendants notified the SEC, various states’ attorneys general, and thousands of affected customers about two data breaches that occurred through their website on two different occasions. The plaintiffs alleged that the incident allowed hackers to “scrape[]” many of the defendants’ consumers’ names from the website by infecting the ecommerce platform with a “malicious code,” and stole the personally identifiable information of approximately 40,000 customers. According to the settlement, the deal will provide that class members can receive as much as $210 for out-of-pocket expenses such as card replacement fees, overdraft fees, interest, and up to $80 in costs for obtaining credit monitoring and identity theft protection, among other things. The district court also approved $2,500 payments to the lead plaintiffs as service awards.

    Privacy, Cyber Risk & Data Security Courts Data Breach Class Action Settlement SEC Data Scraping

  • District Court settles data scraping lawsuit

    Privacy, Cyber Risk & Data Security

    On May 9, the U.S. District Court for the Northern District of California issued a final judgment on consent resolving a lawsuit concerning data scraping allegations. A professional networking site (plaintiff) sued a Singapore-based company and three company founders (collectively, “defendants”) claiming the defendants violated the terms of the plaintiff’s user agreement by gaining unauthorized access to areas of the plaintiff’s platform that are only accessible to real logged-in members, scraping millions of member profile pages, and using fake member accounts and prepaid virtual debit card numbers to fraudulently obtain access to a function that provides advanced features. In alleging claims for breach of contract, fraud and deceit, and misappropriation, among others, the plaintiff claimed the defendants’ activities defrauded it out of hundreds of thousands of dollars in revenue. According to the court’s judgment, the defendants have agreed to be permanently restrained and barred from engaging in the aforementioned activities, including using scraping to access the plaintiff’s data, engaging in marketing and advertising about the availability of user data on the defendant’s website, circumventing any technological measures that control access to the plaintiff’s servers, and transferring data to third parties. “Defendants represent that they have destroyed all [plaintiff] member profile data, whether stored in electronic form or otherwise, in their possession, custody, or control and have certified in writing that they have done so,” the judgment stated. While the judgment did not include a monetary penalty, the court noted that violation of the final judgment or consent shall expose the defendants and all other persons bound by the final judgment on consent “to all applicable penalties, including contempt of Court.”

    Privacy/Cyber Risk & Data Security Courts Data Scraping Settlement

  • 9th Circuit: Networking site cannot deny data scraping access to publicly available profiles

    Privacy, Cyber Risk & Data Security

    On April 18, on remand from the U.S. Supreme Court, the U.S. Court of Appeals for the Ninth Circuit affirmed a district court’s order preliminarily enjoining a professional networking site from denying a data analytics company access to publicly available member profiles. At issue are allegations brought by the networking site claiming the data analytics company used automated bots to extract user data from the networking site’s website (a process known as “scraping”) for the purposes of selling its analytics services to businesses. The networking site sent the data analytics company a cease-and-desist letter, asserting violations of state and federal law, including the Computer Fraud and Abuse Act (CFAA). The data analytics company responded that it had a right to access the public pages and later sought a preliminary injunction. In granting the preliminary injunction, the district court ordered the networking site to, among other things, “remove any existing technical barriers to [its] public profiles, and to refrain from putting in place any legal or technical measures” that would block access.

    The 9th Circuit previously affirmed the preliminary injunction, but was called to further consider whether the CFAA applies to the data analytics company’s data scraping after the U.S. Supreme Court vacated the appellate court’s judgment in light of its ruling in Van Buren v. United States.

    On remand, the appellate court reviewed whether the data analytics company accessed data “without authorization” in violation of the CFAA after it received the cease-and-desist letter. The 9th Circuit found that the ruling in Van Buren, in which the Supreme Court suggested that the CFAA only applies in cases where someone is accused of hacking into or exceeding their authorized access to a network that is protected, or in situations where the “gates are up,” narrowed the CFAA’s scope and most likely did not apply to cases involving data scraped in bulk by automated bots from public websites. “A defining feature of public websites is that their publicly available sections lack limitations on access; instead, those sections are open to anyone with a web browser,” the appellate court wrote. “In other words, applying the ‘gates’ analogy to a computer hosting publicly available webpages, that computer has erected no gates to lift or lower in the first place.” Therefore, the court held, the phrase “without authorization” does not apply to public websites.

    In determining that a preliminary injunction was appropriate, the appellate court held that the district court did not abuse its discretion in concluding that the data analytics company met the standard of establishing that the plaintiff is likely to succeed on the merits, is likely to suffer irreparable harm without such relief, that the “balance of equities” is in the favor of the plaintiff, and that the injunction would be in the public interest.  The court found that the data analytics company showed that it “currently has no viable way to remain in business other than using [the networking site’s] public profile data” for its analytic services and “demonstrated a likelihood of irreparable harm absent a preliminary injunction.” In considering the balance of hardships, the 9th Circuit agreed that the scales “tipped sharply” in favor of the data analytics company “when weighing the likelihood that [the data analytics company] would go out of business against [the networking site’s] assertion that an injunction threatened its members’ privacy” and therefore risked the goodwill it had developed with its members. Finally, the court rejected the networking site’s claims that the data analytics company violated the CFAA, which would have preempted the remaining state law claims.  
     

    Privacy/Cyber Risk & Data Security Courts Appellate Ninth Circuit Cyber Risk & Data Security Computer Fraud and Abuse Act Data Scraping

Upcoming Events