The HiQ vs LinkedIn ruling: what scrapers should know in 2026
The HiQ LinkedIn scraping ruling is one of the most cited court decisions in the entire web data space, and one of the most misunderstood. Almost every commercial scraper today operates under a mental model of “scraping public data is legal because of HiQ.” That mental model is partially correct, partially wrong, and partially incomplete in 2026 in ways that matter for how you build your pipeline. This guide walks through what the case actually decided, how Van Buren v. United States changed the landscape in 2021, what happened after the case eventually settled in 2022, and what the practical takeaway is for scrapers operating in 2026.
The audience is the technical lead, in-house counsel, or product owner who has heard the case name dropped in vendor pitches and customer conversations and wants the actual story.
What the case was actually about
HiQ Labs was a small data analytics company that scraped publicly visible LinkedIn profiles to build a workforce analytics product. They sold predictions about employee flight risk to large enterprise customers. LinkedIn sent HiQ a cease-and-desist letter in 2017 demanding they stop. HiQ sued LinkedIn for a declaratory judgement that their scraping was lawful and for an injunction preventing LinkedIn from blocking them.
The dispute was framed primarily under the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. Section 1030. LinkedIn argued that HiQ’s continued scraping after the cease-and-desist letter constituted “access without authorisation” under the CFAA. HiQ argued that publicly visible data, accessible without a login, could not be “without authorisation” because no authorisation was required in the first place.
The Northern District of California granted HiQ a preliminary injunction in 2017. The Ninth Circuit affirmed in 2019. The Supreme Court vacated and remanded in 2021 in light of Van Buren. The Ninth Circuit affirmed again on remand in 2022. The case eventually settled later that year, with HiQ agreeing to certain limits and LinkedIn dropping its claims.
For the broader compliance picture across jurisdictions, see the GDPR compliance guide and the CCPA compliance guide.
What the Ninth Circuit actually held
The Ninth Circuit in 2019 (and again in 2022) held that the CFAA’s “without authorisation” language likely does not cover access to publicly available websites, because for such sites no authorisation is needed in the first place. The court drew an analogy: a cease-and-desist letter does not transform a public sidewalk into private property. The walking is the access; the public availability is the authorisation.
The court emphasised three points:
- The CFAA was originally enacted to address computer hacking, not civil disputes about access to public webpages.
- Reading “without authorisation” broadly to include cease-and-desist-revocation would create a “criminal” regime in which any TOS violation became a federal crime.
- The First Amendment and antitrust concerns weighed against allowing platforms to use the CFAA as a private weapon to control access to public information.
The decision did not say all scraping is legal. It said the CFAA does not criminalise scraping of publicly accessible data merely because the platform sent a cease-and-desist letter.
How Van Buren changed the landscape in 2021
In June 2021, the Supreme Court decided Van Buren v. United States. The case did not involve scraping, but it interpreted the CFAA’s “exceeds authorised access” language. A police officer had used his lawful access to a database to look up information for an improper purpose. The government argued he had “exceeded” his authorisation because his access was conditioned on use for proper purposes.
The Supreme Court rejected this reading. It held that “exceeds authorised access” means accessing files, folders, or databases that are off-limits, not accessing permitted data for impermissible purposes. The “gates-up-or-down” model: if the gate is up, your access is not unauthorised even if the use is.
This narrow reading of the CFAA aligned exactly with the Ninth Circuit’s HiQ analysis, and the Supreme Court remanded HiQ for reconsideration in light of Van Buren. The Ninth Circuit, on remand, reaffirmed its earlier decision.
The combined effect: in the Ninth Circuit (covering California and most of the western US), the CFAA does not reach scraping of publicly available websites, regardless of TOS violations or cease-and-desist letters.
What the eventual 2022 settlement actually said
Most coverage of HiQ stopped at the Ninth Circuit affirmance. Less covered: the case settled in late 2022. The settlement terms were partly confidential, but several public components were disclosed. HiQ agreed to a permanent injunction prohibiting it from scraping LinkedIn member data going forward. LinkedIn dropped its remaining claims.
Why did HiQ agree to a permanent injunction if they had won? Two reasons. First, after years of litigation, the company had effectively lost commercial momentum and was wound down. Second, while the CFAA claim had been knocked out, LinkedIn’s parallel state-law claims (breach of contract for TOS violations, trespass to chattels, tortious interference) were still live. The CFAA win did not resolve the state-law theories.
This is the part most scrapers miss. Winning the CFAA fight does not win the state-law fight. Public availability does not erase contract. A scraper that creates an account, agrees to terms, and then scrapes is in a fundamentally different posture than a scraper that hits public URLs without ever logging in.
The Meta v. Bright Data parallel
In January 2024, the US District Court for the Northern District of California decided Meta v. Bright Data. The fact pattern was deliberately similar to HiQ: Bright Data scraped public Facebook and Instagram pages and resold the data. Meta sued for breach of contract (TOS violation) and tortious interference.
The court held that Meta’s TOS only bound logged-in users. Bright Data’s scraping of publicly accessible logged-out pages did not breach the contract because no contract had ever formed. This was a very strong scraper-side ruling, but it was narrow: it applied only to logged-out scraping. The moment a scraper authenticates, the TOS attaches.
The Israeli court ruled similarly in a parallel proceeding the same year. EU regulators were quick to point out that the absence of a contract violation does not equal a lawful basis under GDPR, but the court rulings did establish a clear US-side rule: logged-out scraping of public data is legally robust against TOS-based claims.
For the broader public-vs-personal data analysis, see the personal vs public data scraping framework.
What the rulings collectively permit and forbid
| Activity | Legal posture in 2026 (US) |
|---|---|
| Scraping public URLs, no login | Generally permitted; CFAA does not reach |
| Scraping behind a login you created | TOS applies; breach-of-contract risk |
| Scraping after a cease-and-desist letter (logged out) | Permitted under HiQ |
| Scraping behind a paywall you bypassed | High risk; CFAA may reach (gate is down) |
| Bulk personal data resale | TOS-independent risks: state privacy law |
| Scraping for AI training | Legal under HiQ; copyright fair use is separate |
| Scraping with fake accounts | TOS breach; state-law exposure |
The asymmetry between logged-in and logged-out is the most important practical takeaway. Public, logged-out scraping has a strong legal floor in the US. Anything behind authentication exists under the platform’s terms.
Decision tree: is your scraping covered by HiQ?
Q1: Is the target URL accessible without any login?
├── No -> HiQ does not protect you. Evaluate TOS and CFAA.
└── Yes -> Q2
Q2: Are you in the Ninth Circuit's jurisdiction (or a court likely to follow)?
├── Yes -> CFAA risk is low.
└── No -> Other circuits have not all adopted; evaluate locally.
Q3: Did you create an account and accept terms?
├── Yes -> TOS attaches; CFAA may not, but contract claim does.
└── No -> Q4
Q4: Are you scraping personal data of identifiable individuals?
├── Yes -> CCPA, GDPR, PDPA, DPDP may apply independently.
└── No -> Q5
Q5: Are you bypassing technical access controls (CAPTCHA, IP block, rate limit)?
├── Yes -> CFAA "gate is down" risk increases.
└── No -> Strongest defensive posture.
The combination of “logged-out, public, identifiable-but-public, no controls bypassed” is the strongest position. Each “yes” to authentication, controls bypass, or personal data adds risk that HiQ does not resolve.
Practical implications for 2026 scraping pipelines
Three operational implications.
First, separate your logged-out and logged-in scraping infrastructure. Logged-out scraping enjoys HiQ-grade protection. Logged-in scraping operates under TOS and contract law. Mixing the two in one pipeline obscures your legal posture and weakens both.
Second, do not bypass technical access controls. The Van Buren “gates-up-or-down” model means that if a site puts up a gate (CAPTCHA, IP block, paywall) and you bypass it, you have moved from “authorisation not required” to “authorisation explicitly denied.” That is a different legal universe.
Third, document your access methodology. If you ever need to invoke HiQ in your defence, you will need to prove that your access was logged-out, that no controls were bypassed, and that the data was genuinely publicly accessible. A scrape that goes through a residential proxy mesh after using browser fingerprint spoofing to defeat a fingerprinting check is not “publicly accessible” in the HiQ sense.
For a deeper dive on the bot management and fingerprinting question, see the DataDome vs PerimeterX vs Akamai comparison.
External references
The Ninth Circuit opinion in HiQ Labs v LinkedIn (2022 remand) is at cdn.ca9.uscourts.gov/datastore/opinions/2022/04/18/17-16783.pdf. The Supreme Court opinion in Van Buren v United States is at supremecourt.gov/opinions/20pdf/19-783_k53l.pdf. The Meta v Bright Data summary judgement is in the public PACER record for case 3:23-cv-00077.
Comparison: HiQ doctrine vs state contract law vs GDPR
| Issue | HiQ / Van Buren (CFAA) | State contract law | GDPR |
|---|---|---|---|
| Reaches public URLs | No | No (no contract) | Yes |
| Reaches logged-in scraping | Limited | Yes (TOS) | Yes |
| Requires lawful basis | No | No | Yes |
| Personal data carve-out | Irrelevant | Irrelevant | Public availability not a defence |
| Statutory damages | Up to USD 1k per access | Variable | Up to 4% revenue |
| Cease-and-desist effect | None on logged-out | Strengthens contract claim | Irrelevant |
| Settlement strategy lever | Weak (clean win) | Strong (TOS hook) | Strong (DPA leverage) |
The takeaway: HiQ is a strong shield against CFAA claims for logged-out public scraping. It is not a shield against contract, GDPR, or other state privacy law claims. Build your legal posture for all four regimes simultaneously.
What changed in 2024-2025 case law
Three additional cases shaped the 2026 landscape.
X Corp v Bright Data (2024, ND Cal) reaffirmed Meta v Bright Data: logged-out scraping is not a TOS breach because no contract attaches. The court was explicit that platform terms cannot bind non-users.
Reddit v Anthropic (2025, ND Cal) is still pending as of mid-2026. Reddit alleges Anthropic scraped past explicit robots.txt directives blocking ClaudeBot. The case will test whether ignoring robots.txt for AI training constitutes any kind of cognisable claim distinct from CFAA. The outcome will reshape AI scraping practice.
Doe v Github (2024, ND Cal) addressed scraping of open-source code for AI training, holding that the public availability of code on GitHub did not waive copyright protections in derivative or memorised outputs. Public availability and copyright protection are separate inquiries.
For a forward-looking discussion of where the AI training case law is heading, see fair use for AI training data in 2026.
FAQ
Is all web scraping legal because of HiQ?
No. HiQ knocked out one specific federal claim (the CFAA) for one specific kind of scraping (logged-out public data). It did not legalise all scraping. Contract, copyright, privacy, and trade-secret claims survive independently.
Does HiQ apply outside the Ninth Circuit?
The Ninth Circuit covers California and the western US, where most tech litigation lands. Other circuits have not uniformly adopted the same reading, but the trend post-Van Buren is in that direction.
What about scraping social media platforms?
Logged-out, public-page scraping is reasonably defensible under HiQ and Meta v Bright Data. Logged-in scraping is a TOS issue and should be evaluated separately.
Can a cease-and-desist letter make my scraping illegal?
Under the CFAA in the Ninth Circuit, no. Under state contract or trespass law, it can strengthen the platform’s claim. Treat a C&D as a serious signal even if it does not change the federal analysis.
Did HiQ actually win in the end?
The CFAA fight, yes. The commercial fight, no. HiQ wound down operations and agreed to a permanent injunction in the 2022 settlement. The case is a legal win and a commercial cautionary tale.
Extended case law analysis
The hiQ Labs v LinkedIn litigation ran from 2017 to 2022 and produced four major opinions. The 2019 Ninth Circuit opinion held that scraping public data did not violate the CFAA’s without authorisation prong because public data is by definition authorised for any visitor. The Supreme Court’s Van Buren v United States decision (June 2021) reinforced the gates-up gates-down reading of the CFAA, which strongly supported the hiQ position. The 2022 Ninth Circuit opinion on remand reaffirmed the public-data holding and remanded the contract claims, which hiQ ultimately settled.
The post-hiQ landscape contains four important precedents that scrapers should know.
Meta Platforms v Bright Data (Northern District of California, January 2024). Meta’s CFAA and contract claims against Bright Data largely failed at summary judgment for public data scraping. The court relied on hiQ for the CFAA analysis and held that Bright Data had not formed a contract by browsing logged-out pages.
X Corp v Bright Data (Northern District of California, May 2024). The court reached a similar conclusion, dismissing X’s claims for scraping public data while users were not logged in.
Ryanair v PR Aviation (CJEU, 2015) and the 2024 follow-ups. The European pathway places more weight on database rights and contract than on CFAA-equivalent statutes.
The 2024-2025 wave of state-level scraping statutes, including bills introduced in California, Texas, and New York that propose explicit rules for AI training data scraping.
Implementation patterns post-hiQ
Operators acting on the hiQ ruling should follow a five-step posture.
Distinguish logged-out from logged-in scraping. The hiQ holding extends only to logged-out public scraping. Logged-in scraping involves account terms which hiQ does not protect.
Avoid technical bypass of authentication, rate limits, or bot detection beyond ordinary headless browser use. Bypass is what triggers the CFAA in post-hiQ cases.
Maintain a documented record of the scrape’s purpose, frequency, and destination. Litigation discovery will surface this and a clean record helps.
Honour cease and desist letters carefully. The hiQ ruling does not give scrapers a right to ignore valid C and D letters that allege contract or tort claims. The right response is legal review, not silence.
Apply privacy law independently. CFAA protection does not equal GDPR or CCPA protection. Personal data is regulated by separate statutes.
Code pattern: distinguishing logged-out scraping
def is_logged_out_only(session):
if session.cookies:
return False
if "Authorization" in session.headers:
return False
if "X-Auth-Token" in session.headers:
return False
return True
Comparison: scraping legal posture before and after hiQ
| Question | Pre-hiQ default | Post-hiQ default (US public data) | Caveat |
|---|---|---|---|
| CFAA risk for public scraping | Substantial | Low | Bypass changes the analysis |
| Contract risk | Moderate | Moderate to high | Browsewrap terms still litigated |
| Trespass to chattels | Low | Low | Resource exhaustion claims survive |
| Privacy law risk | High | High | Independent of CFAA |
| Copyright | Moderate | Moderate | Fair use defence is fact-specific |
Additional FAQ
Does hiQ apply to data behind a login?
No. The holding is limited to public, unauthenticated data. Logged-in scraping involves account terms.
Does hiQ apply outside the United States?
No. Each jurisdiction has its own statutes. The European Union, the United Kingdom, Singapore, and India apply different frameworks.
Can a publisher block scrapers technically?
Yes. Technical blocks (rate limits, IP bans, bot detection) are lawful. Bypassing them weakens the hiQ defence.
Is the hiQ ruling settled law?
The Ninth Circuit holding stands. Other circuits have not directly contradicted it but they could. A scraping operation should not assume nationwide uniformity.
Cases that built on the hiQ framework
Two post-hiQ decisions have shaped how courts apply the doctrine in 2024-2026.
In Meta Platforms v. Bright Data (N.D. Cal., January 2024), Judge Edward Chen granted summary judgment to Bright Data on Meta’s contract claims for scraping logged-out Facebook and Instagram public profile data. The court explicitly relied on the hiQ framework, holding that Meta could not enforce its terms of service against Bright Data because Bright Data had no account and had not assented to the terms. The decision reinforced the bright-line significance of the logged-in versus logged-out distinction. Meta’s separate trespass and unjust enrichment theories were also dismissed.
In X Corp v. Bright Data (N.D. Cal., May 2024), Judge William Alsup followed the same logic for logged-out scraping of X (formerly Twitter) public posts. Judge Alsup’s opinion went further than Meta v. Bright Data in characterising the policy stakes, observing that giving social media platforms unilateral power to control public-facing data would create de facto information monopolies inconsistent with US antitrust and free-speech traditions. The decision is now the most quotable post-hiQ pro-scraping precedent for logged-out commercial use.
Both cases stop at logged-out scraping. Neither protects the bypass of authentication, the use of fake accounts, or the circumvention of technical blocks. The combined doctrine is narrow but settled in the Ninth Circuit for the use cases it covers.
The litigation history of hiQ
The hiQ Labs v LinkedIn dispute began in May 2017 when LinkedIn sent hiQ a cease and desist letter demanding that hiQ stop scraping public LinkedIn profiles. hiQ sued for declaratory relief, arguing that scraping public data did not violate the Computer Fraud and Abuse Act and that LinkedIn’s blocking efforts violated antitrust and tortious interference principles.
The Northern District of California granted hiQ a preliminary injunction in August 2017. The Ninth Circuit affirmed in September 2019, holding that scraping public data did not violate the CFAA’s without authorisation prong. The Supreme Court vacated and remanded in light of Van Buren v United States in June 2021. The Ninth Circuit affirmed again on remand in April 2022, reaffirming the public-data holding.
The case finally settled in late 2022 after the contract claims were remanded to the district court. The settlement terms were not made public, but hiQ agreed to stop scraping LinkedIn and acknowledged having breached LinkedIn’s terms of service. The company subsequently wound down operations.
The procedural history matters because the holding stands even though the company that brought the case did not survive. The legal precedent is what scrapers operate under in 2026, and that precedent is favourable to public-data scraping but does not provide a shield against contract claims.
How the Supreme Court’s Van Buren decision changed the analysis
Van Buren v United States, decided in June 2021, addressed the without authorisation and exceeds authorised access prongs of the CFAA. The Supreme Court adopted a gates-up gates-down reading, under which a person violates the CFAA only when they access a computer system that is closed to them. A person who is authorised to access certain files but uses that access for an improper purpose does not exceed authorised access.
Applied to scraping, Van Buren strengthened the hiQ holding. Public LinkedIn profiles are gates-up for any visitor. A scraper that accesses them is not exceeding authorised access. The CFAA does not reach the activity.
Van Buren did not reach the question of when a scraper is gates-down. Subsequent cases have explored that question. A scraper that bypasses authentication, ignores IP blocks, or rotates User-Agent strings to evade detection is plausibly gates-down. The line is fact-specific and remains unsettled.
Practical operational implications
A 2026 scraping operation taking hiQ as authoritative should adopt five operational practices.
First, document the public-facing nature of every target page. Maintain screenshots showing that the page is reachable without login. Maintain timestamps. The evidentiary record matters in litigation discovery.
Second, avoid technical bypass. The hiQ holding does not protect a scraper that bypasses CAPTCHA, defeats bot detection, or rotates IPs to evade rate limits. Each of those activities is a potential gates-down trigger.
Third, respond promptly to cease and desist letters. Ignoring a C and D letter does not improve the legal position. The right response is legal review followed by either a measured response or a tactical pause.
Fourth, separate logged-in scraping from logged-out scraping operationally. Use different infrastructure, different credentials, different audit trails. The legal analysis is fundamentally different.
Fifth, monitor circuit splits. The hiQ ruling is Ninth Circuit law. Other circuits may reach different conclusions. A scraper operating nationally should track relevant cases in the Second, Fourth, and Eleventh Circuits.
Next steps
If your team relies on HiQ in any pitch, customer conversation, or compliance memo, the fastest improvement is to make the logged-out vs logged-in distinction explicit in your documentation. The legal protections are very different. For a fuller compliance posture across regimes, head to the DRT compliance hub and pair this with the GDPR and CCPA guides.
This guide is informational, not legal advice.