Logo for LinkedIn social media platform.

hiQ v. LinkedIn: User Agreements in the Age of Data Scraping

Image by BedexpStock from Pixabay

On November 4, 2022, LinkedIn announced a “significant win” for the platform and its members against “personal data scraping.” The win resulted from a 6-year legal battle that asked, in part, whether LinkedIn must allow hiQ Labs to scrape data from the public profiles of LinkedIn members.

Last Friday, the U.S. District Court for the Northern District of California answered that question by ruling that LinkedIn’s User Agreement “unambiguously prohibits hiQ’s scraping and unauthorized use of the scraped data.” And as such, hiQ breached LinkedIn’s User Agreement “through its own scraping of LinkedIn’s site and using scraped data.”[1]

An Overview of Data Scraping

Data scraping is a technique by which a computer program extracts data from another program or source. The technique typically uses scraper bots, which send a request to a specific website and, when the site responds, the bots parse and extract specific data from the site in accordance with their creators’ wishes.

Scraper bots can be built for a multitude of purposes, including:

  • Content scraping – pulling content from a site to replicate it elsewhere.
  • Price scraping – extracting prices from a competitor.
  • Contact scraping – compiling email, phone number, and other contact information.

In today’s economy, data is key, and data scraping is an efficient means of acquiring huge amounts of specific data. Yet, this court ruling signals that companies may need to be more cautious about how and where they use data scraping bots.

hiQ’s Data Scraping Violates LinkedIn’s User Agreement

Founded in 2012 as a “people analytics” company, hiQ Labs provides information to businesses about their workforces. To do this, hiQ extensively relied on using automated software to scrape data from LinkedIn’s public profiles. hiQ then aggregated, analyzed, and summarized that data to create two products, “Keeper” and “Skill Mapper,” which allowed businesses to improve their employee engagement and reduce costs associated with external talent acquisition.

However, in 2017, LinkedIn sent a cease-and-desist letter threatening legal action against hiQ, arguing that LinkedIn’s User Agreement prohibits data scraping. Specifically, the User Agreement states:

Continue Reading hiQ v. LinkedIn: User Agreements in the Age of Data Scraping
Customer service representative with headset on and computer in front of her, communicating with another person.

TWO-PARTY CONSENT REQUIREMENTS FOR RECORDING CALLS

Image by Slash RTC from Pixabay

For a call recording to be lawful, federal law[1] and most states require at least one party to the conversation to consent to the recording. However, many states go further, requiring two-party (or all-party) consent for a call to be lawfully recorded.

As the following list demonstrates, navigating the state law nuances of two-party consent for recording calls can require some finesse.

CALIFORNIA

Requires prior consent from all parties to record a confidential in-person, telephone, or video communication.[2]

However, case law indicates that where a person communicating is made aware that the conversation is being monitored or recorded, there may be no violation because there is no objectively reasonable expectation of privacy.[3] Moreover, by continuing with the conversation after being so warned, consent is given by implication.[4]

CONNECTICUT

Allows call recording if:

  • all parties have consented to the recording,
  • recording is preceded by a verbal notification which is recorded as well, or
  • recording is accompanied by an automatic tonal warning.[5]

DELAWARE

Requires two-party consent for recording telephone or other private conversations.[6]

However, a district court held the state law was meant to emulate its federal equivalent,[7] so one-party consent may, in some circumstances, satisfy the consent requirement.

FLORIDA

Requires prior consent from all parties to record an oral communication.[8]

However, the law does not cover when the person communicating had no reasonable expectation of privacy,[9] which may occur when the parties are notified at the outset that the call will be monitored or recorded.

ILLINOIS

Requires all parties to consent to recording either an in-person or transmitted communication when at least one party intends the communication to be of a private nature under circumstances reasonably justifying that expectation.[10]

MARYLAND

Requires all parties to a communication to consent to the recording.[11]

However, Maryland courts have interpreted this to be limited to situations where parties have a reasonable expectation of privacy.[12]

Continue Reading TWO-PARTY CONSENT REQUIREMENTS FOR RECORDING CALLS
Map of the United States - State Privacy Laws

And Then There Were Five…

Image Credit: Free-Photos from Pixabay.

Just last summer, in July of 2021, Colorado joined California and Virginia, and became the third U.S. state with a comprehensive consumer privacy law. The Colorado Privacy Act is set to take effect in July 2023.

Hot on its heels, and within just two months of each other, first Utah in March of 2022, now Connecticut in May of 2022, passed privacy bills which will become effective in 2023.

So far, California remains the only state which allows for a private right of action in connection with its privacy bill. For more information, please see our comparison of the current U.S. state consumer privacy laws below.

For our unofficial redline of the CPRA, click here.

Follow these links for the official text of the CPRA, CPA, CTDPA, UCPA, and VCDPA.

To view and download a PDF version of this chart, click here.

Image of the entrance to the United States Supreme Court building.

Will the Courts Treat Foreign Data Privacy Laws as Fact or Farce in U.S. Contracts? Whose Law Will Prevail in Privacy Disputes?

Image Credit: MarkThomas from Pixabay.

[Originally published as a Feature Article: Will the Courts Treat Foreign Data Privacy Laws as Fact or Farce in U.S. Contracts?, by Amira Bucklin and Lily Li, in Orange County Lawyer Magazine, May 2021, Vol. 63 No.5, page 40.]

by Amira Bucklin and Lily Li

In 2020, when lockdown and shelter-at-home orders were implemented, the world moved online. Team meetings, conference calls, even court hearings entered the cloud. More than ever, consumers used online shopping instead of strolling through malls, and online learning platforms instead of classrooms. “Zoom” became a way to meet up with friends over a glass of wine, or conduct job interviews in a blouse, suit jacket, and yoga pants.

This has had vast consequences for personal privacy and cybersecurity. While most consumers might recognize the brand of their online learning platform, ecommerce store, or video conference tool of choice, most consumers don’t notice the network of service providers that work in the background. A whole ecosystem of connected businesses and platforms that collect, store, and transfer data and software, all governed by a new set of international privacy rules and contractual commitments. Yet, many of these rules have not been tested in the courts, and they have several implications in the context of privacy.

The Privacy Conundrum

This month marks the three-year anniversary of the EU’s General Data Protection Regulation (GDPR). As expected, its consequences have been far-reaching, and fines for violations have been staggeringly high.

The GDPR requires companies in charge of personal data (“data controllers”) to enter into data processing agreements with their service providers (or “data processors”), including, at times, standard data protection clauses drafted by the EU Commission. These data processing mega-contracts (ranging from 1-100+ pages) impose a series of foreign data protection and security obligations on the parties.

A unique challenge presented by these contracts is the fact that such data processing agreements and model data protection clauses often include their own choice of law provisions, calling for the applicability of EU member state law, and requiring the parties to grant third-party beneficiary rights to individuals in a wholly different country.

This challenge is not just limited to parties contracting with EU companies, either. Due to the GDPR’s extraterritorial scope, two U.S.-based companies can enter into a contract subject to the laws of the State of California, but which includes a data processing addendum or security schedule that is subject to the laws of the United Kingdom, France, or Germany.

What happens if there is a dispute between these parties regarding their rights and responsibilities, which are subject to foreign data protection laws? How will U.S. courts treat these disputes? How much deference will—and should—a U.S. court provide to foreign interpretations of law?

Continue Reading Will the Courts Treat Foreign Data Privacy Laws as Fact or Farce in U.S. Contracts? Whose Law Will Prevail in Privacy Disputes?
1 2 3 7