On Monday, December 20, Meta (f/k/a Facebook) filed a complaint in the Northern District of California against Social Data Trading Ltd. The crux of the issue, according to Meta, is that Social Data scrapes data without permission from accounts on websites such as Instagram (which is owned by Meta) and other popular sites. Specifically, Social Data allegedly uses bots to scrape public profile information from Instagram, and then analyzes this information to provide insights about “influencers and their audiences.” See Complaint.
Meta’s current complaint raises similar issues as the hiQ v. LinkedIn web scraping battle (see prior blog “Web scraping battle to provide further clarification to Computer Fraud and Abuse Act (“CFAA”)”). According to Meta, Social Data is in breach of Instagram’s Terms of Use, and Social Data has been sent a cease and desist letter. Also, Meta has attempted (apparently with limited success) technical measures to block Social Data from accessing Facebook and Instagram. However, Social Data argues that its activity—which purportedly involves scraping “public” account data—cannot be restricted by Meta. In fact, Social Data cites the hiQ litigation as the basis for its right to scrape public data. See Complaint at Ex. N.
Facebook has had prior success restricting access to its website, see Facebook, Inc. v. Power Ventures, Inc., 844 F.3d 1058, 1067 (9th Cir. 2016) and Facebook, Inc. v. BrandTotal Ltd., No. 20-CV-07182-JCS, 2020 WL 6562349 (N.D. Cal. Nov. 9, 2020). But data scraping cases are highly fact specific, and questions about how the data was accessed and whether that data was public or private (e.g., password protected) will be critical in the current litigation. In BrandTotal, the court acknowledged the difference between password protected and “public” data: “…Facebook’s general interest in policing access to the password-protected portions of its networks is far greater than LinkedIn’s interest in restricting access to otherwise public pages in hiQ.”
Recently, the Supreme Court limited the reach of the CFAA based on similar considerations. See “SCOTUS narrows the Computer Fraud and Abuse Act in Van Buren v. United States” (distinguishing between information that is “off-limits” as opposed to information otherwise available to a user but obtained for improper reasons). Notably, Meta does not advance a CFAA claim here, but instead relies on California state computer access law—a likely attempt to avoid the recent jurisprudence narrowing the protections of the CFAA when dealing with public or quasi-public data. Ultimately, disputes such as Meta and hiQ may clarify rights of access (or lack thereof) to public or semi-public data that is curated by major websites, such as LinkedIn, Instagram, YouTube, TikTok, and others.
Nixon Peabody’s Cybersecurity & Privacy team will continue to monitor legal developments regarding web scraping.