HiQ Labs, Inc. v. LinkedIn Corp. concerns whether a court can compel a professional networking platform to provide access to users’ profile information to a third-party data mining company. HiQ Labs is a company that collects (or “scrapes”) data from LinkedIn users’ profiles. From this data, hiQ creates profiles of those users and sells the data to employers, including predictions of employee recruitment and summaries of employee skills. In response to a cease and desist letter from LinkedIn claiming that the data collection violated the Computer Fraud and Abuse Act, hiQ filed a preemptive lawsuit seeking declaratory relief and a preliminary injunction allowing access to the LinkedIn profile data. The lower court granted hiQ’s motion and issued an injunction ordering LinkedIn to grant access, and prohibiting them from limiting access, to their users’ “public” profile data. The Ninth Circuit affirmed. LinkedIn has petitioned the U.S. Supreme Court for review.
Defendant LinkedIn is a website that provides users with business and professional networking services. LinkedIn allows users to create profiles and then establish connections with other users and businesses. When LinkedIn users create such profiles, they can choose their level of privacy protection. For instance, users can choose to keep their profiles entirely private, or to make them viewable by: 1) their direct connections on LinkedIn; 2) a broader network of connections; 3) all other LinkedIn members; or 4) individuals not logged in to LinkedIn. When users choose to make their profile “public”, their profiles are viewable regardless of whether a user is logged in to LinkedIn. LinkedIn currently allows public profiles to be indexed by search engines such as Google.
HiQ Labs, Inc. provides “data services” to employers. As part of its business, hiQ Labs collects and sells data to employers about their employees, based on data that hiQ collects from LinkedIn users’ pblic profiles. HiQ has created two specific data products targeted at employers: (1) “Keeper,” which informs employers which of their employees are at “risk” of being recruited by competitors; and (2) “Skill Mapper,” which provides an overview of an employee’s skills set. HiQ collects employees’ personal data by “scraping” the public profiles on LinkedIn.
On May 23, 2017, LinkedIn sent a letter demanding that hiQ “immediately cease and desist unauthorized data scraping and other violations of LinkedIn User Agreement.” LinkedIn demanded that hiQ stop “scraping” data from LinkedIn’s public profiles and noted that hiQ’s actions violated their User Agreement, which prohibits various types of data collection from LinkedIn’s website. As a result of the violation, LinkedIn restricted hiQ’s company page and “future access of any kind” and provided that such access would be “without permission and without authorization from LinkedIn.” LinkedIn also employed a series of technical measures that “prevent hiQ from accessing, and assisting others to access, LinkedIn’s site, through systems that detects, monitor, and block scraping activity.” LinkedIn also provided that any further access to LinkedIn’s data would be in direct violation of California Penal Code § 502(c), the federal Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, state common law trespass, and the Digital Millennium Copyright Act (DMCA).
U.S. District Court for the Northern District of California
Unable to come to an agreement outside court, hiQ filed a complaint in federal court on June 6, 2017. HiQ asserted that it had an affirmative right to access public profiles on LinkedIn’s website under California law and sought declaratory relief that its actions would not violate any of the laws listed above. Furthermore, hiQ filed a request for a temporary restraining order (TRO) and an order to show cause why a preliminary injunction should not be issued against LinkedIn. Ultimately, the parties entered into a standstill agreement after a hearing on the TRO. The agreement preserved hiQ’s access to LinkedIn’s data and converted hiQ’s initial motion to a motion for a preliminary injunction.
The district court granted hiQ’s motion for preliminary injunction upon finding that the balance of hardships tipped in hiQ’s favor. The court determined that hiQ was able to show serious questions on the merits of LinkedIn’s claims; for instance, the court was doubtful that LinkedIn may invoke the CFAA in response to hiQ’s scraping of public profile data. The court found that LinkedIn’s interpretation of the CFAA, if adopted, could impact “open access” on the Internet. The court believed this was not something Congress intended by enacting the CFAA. Furthermore, the court found that by blocking hiQ’s access to public profiles, LinkedIn might be violating state competition laws.
U.S. Court of Appeals for the Ninth Circuit
LinkedIn appealed to the Ninth Circuit, which affirmed. The appeals court found that “hiQ’s interest in continuing its business” outweighed users’ privacy interests in their profile information. EPIC filed an amicus brief in the case. EPIC argued that “the lower court has undermined the fiduciary relationship between LinkedIn and its users.” EPIC also said the order is “contrary to the interests of individual LinkedIn users” and contrary to the public interest “because it undermines the principles of modern privacy and data protection law.” Siding with neither party, EPIC urged reversal to protect online privacy.
EPIC has a strong interest in protecting the privacy of consumers and their information, including their social media information, and ensuring this data is not improperly disclosed to third parties. EPIC closely monitors the use of advanced tracking techniques that enable companies to track users browsing activities and collect a wealth of personal data about users that the businesses use to develop and sell profiles. EPIC has done extensive work in the areas of online tracking and behavioral profiling, including urging the FTC to limit the use of cross-device tracking, whereby companies track consumers across their smart-phones, laptops, tablets, and other internet-connected devices. EPIC also supports proposals to impose technological limits on the tracking of third-party web browsing history.
EPIC has filed amicus curiae briefs in support of consumers alleging that their rights have been violated by third party tracking techniques. In Smith v. Facebook, the Ninth Circuit considered whether Facebook’s tracking of users’ visits to medical websites violates California and Federal privacy laws. EPIC argued that generic notice is insufficient to establish meaningful consent to the detailed tracking of users’ web browsing history.
In In Re Nickelodeon, a case arising under the Video Privacy Protection Act, the plaintiffs alleged that -children who visited the website Nickolodeon.com -they were subject to tracking by Viacom, the company that managed the website, and Google, and that these companies collected their personal information in connection with online views of video content. EPIC argued in its brief that the definition of “Personally Identifiable Information” (or “PII”) in the VPPA is purposefully broad to protect against the very type of privacy abuses at issue in the case.
EPIC has also previously challenged Facebook’s privacy policies – in particular their requiring that users disclose certain personal information – in a complaint with the FTC. The FTC subsequently brought legal action against Facebook for unfair and deceptive business practices, and entered into a consent decree in 2011 following EPIC’s complaint.