Web-Scraping Ruling Possibly ‘Breathes Life’ Into CFAA Claims: Proskauer

dismiss, Jeffrey Neuburger, co-head of Proskauer’s Technology, Media & Telecommunications Group, said in an analysis Thursday. Bryson's opinion (docket 1:20-cv-01191) “potentially breathes life into the use of the CFAA to combat unwanted scraping,” said Neuburger. Low-cost European airline Ryanair sued five travel booking companies in September 2020, alleging they engaged in web scraping to collect data from myRyanair, the restricted-access section of the airline’s website, then used that data to enable users to book Ryanair flights on their own websites, often at higher fares than Ryanair was offering. Ryanair also alleged that the web-scraping defendants circumvented the technology that Ryanair installed to prevent unauthorized users from accessing myRyanair. The Delaware court allowed the unauthorized access claims to go forward, on grounds that Ryanair had raised a "plausible" argument when it asserted that the myRyanair portion of its website was nonpublic, "thus making the defendants’ continued access to those pages unauthorized for purposes of the CFAA,” said Neuburger. The ruling suggests that a “cognizable vicarious liability” claim under the CFAA is “certainly possible in certain circumstances,” he said. Those scenarios include where the commissioning party has the requisite knowledge and control over the scraper’s actions or if a party induces another to commit violations of the CFAA, he said. Bryson's ruling also is noteworthy because it suggests that a CFAA intent to defraud claim might be pleaded, “based on actions taken by data scrapers to avoid anti-scraping technologies,” he said. “It remains to be seen how future courts would characterize specific anti-detection measures under the CFAA.”