# Scraping, the CFAA, and the Fine Print: How hiQ v. LinkedIn Actually Ended
*Everyone remembers the headline — scraping public data isn't "hacking" under the CFAA. Fewer remember how the case ended: with hiQ conceding it breached LinkedIn's user agreement and the CFAA, paying $500,000, and being permanently enjoined.*
The hiQ v. LinkedIn litigation produced one of the most cited rulings in data-scraping law — and then a final judgment that cut the other way. Read together, the two halves tell contractors exactly where the line sits between lawful collection of public web data and unlawful access.
The Famous Ruling
hiQ Labs built its business by scraping public LinkedIn profiles to sell workforce analytics. When LinkedIn sent a cease-and-desist and blocked hiQ, hiQ sued. The Ninth Circuit (2019, reaffirmed in 2022 after the Supreme Court sent it back in light of Van Buren) held that scraping publicly available data likely does not violate the CFAA's "without authorization" provision — because that provision protects information behind an authentication gate (a password), not data anyone on the open internet can see. That holding became the anchor for the proposition that public-data scraping is generally not "hacking."
How It Actually Ended
The injunction fight was not the whole case. After remand, the parties reached a consent judgment entered December 8, 2022, and the terms matter: a $500,000 judgment against hiQ; hiQ's concession that it breached LinkedIn's User Agreement; a CFAA violation tied to hiQ's use of fake accounts to reach password-protected pages; findings of trespass to chattels and misappropriation, plus spoliation sanctions; and a permanent injunction requiring hiQ to stop scraping and destroy the data and algorithms built from it. In other words: scraping truly public data may avoid the CFAA, but the moment hiQ used fake logins to get behind LinkedIn's authentication gate — and breached the terms it had agreed to — it lost.
Why It Matters for Contractors
- "Public" is doing a lot of work. The CFAA safe harbor covers data with no authentication gate. Reach anything behind a login — even with a fabricated account — and you are back in CFAA territory.
- Contracts bind where the CFAA doesn't. A site's terms of service and user agreement are enforceable on their own. Losing the CFAA argument did not save hiQ from a breach-of-contract judgment.
- Data-sourcing diligence is a compliance issue. Contractors that ingest third-party or web-sourced data — for analytics, AI training, or OSINT — need documented sourcing rules.
Key Takeaways
- The Ninth Circuit held that scraping publicly available data likely is not a CFAA violation — the statute guards authentication-gated data.
- The case ended with a consent judgment: hiQ conceded a user-agreement breach and a CFAA violation (fake accounts), paid $500,000, and was permanently enjoined.
- For contractors: public is not unlimited. Login gates and terms of service still create liability.
Pair this with Van Buren on what "authorized access" means, and see the Computer Fraud and Abuse Act statute page.
*Source: hiQ Labs, Inc. v. LinkedIn Corp., 31 F.4th 1180 (9th Cir. 2022); Consent Judgment, No. 17-cv-03301 (N.D. Cal. Dec. 8, 2022)*