Airline Sues to Stop Popular Web-Scraping Service–American Airlines v. The Points Guy (Guest Blog Post)

by guest blogger Kieran McCarthy

Those interested in web scraping legal issues had high hopes that the Supreme Court’s opinion in Van Buren v. United States last summer would provide clear guidelines on which types of online data access were permissible and which were not.

And while most would agree that the Supreme Court avoided a worst-case scenario with its decision, it didn’t give us what many were hoping for. Van Buren gave us quite the soliloquy on the contextual construction of the word “so” in the drafting of the Computer Fraud and Abuse Act. And it told us that “liability under both clauses [of the CFAA] stems from a gates-up-or-down inquiry—one either can or cannot access a computer system, and one either can or cannot access certain areas within the system.” But it did not define what a gate was, and the Court went out of its way, in two confusing footnotes, footnotes 8 and 9, to avoid any real guidelines about the types of barriers and protocols that give rise to liability under the CFAA.

With that, it’s fair to say that many of the key questions in this area of law are still undecided.

In January, two new cases were filed that illustrate the many challenges judges face with web scraping. The cases involve The Points Guy, LLC (“TPG”) and American Airlines, Inc. (“AA”).

TPG is a service built around the brand of a world-traveling man sipping champagne in first class, selling to the world his knowledge of the best rewards programs for credit cards and flights.

TPG aggregates and collects information from the most prominent rewards programs and provides a series of rankings and recommendations designed to help maximize your rewards points. It also provides various services for tracking and managing your rewards points. Thus, the Points Guy.

Also not shocking: Airlines hate this. Maximizing your reward points means minimizing their profit margins.

In January, the Points Guy LLC and American Airlines filed dueling legal complaints against each other, with TPG filing for a declaratory judgment in the state court of Delaware and American Airlines filing a complaint in federal court in the Northern District of Texas.

On January 9th, American Airlines sent TPG a cease-and-desist letter. The Northern District of Texas, home to AA’s headquarters, has a long history of being the least scraping-friendly jurisdiction in the United States. Knowing well that litigation in the Northern District of Texas is not in its best interests, TPG filed for a declaratory judgment in Delaware, hoping to take advantage of the first-to-file rule. This strategy is similar to the strategy employed by hidden-city flight broker Skiplagged in its dispute with Southwest Airlines in 2021.

With all that, the first battle in this litigation will be the question of where to litigate it. AA’s terms and conditions say that all disputes arising under its agreements will be governed by the Northern District of Texas. But before they get there, these courts must first decide whether AA’s terms and conditions constitute a valid and enforceable contract, and whether TPG assented to its terms.

According to AA’s complaint, “Upon defendants’ use of, they agreed to be bound by the terms of the Use Agreement.” Based on my reading of AA’s complaint, I think these allegations should be considered too conclusory to survive a motion to dismiss. AA’s complaint does not allege actual or constructive notice of AA’s terms, nor does it allege that TPG affirmatively agreed to AA’s terms. What’s more, it appears, reading between the lines of the complaint, that TPG isn’t actually logging into or accessing AA’s site. Rather, AA’s customers are logging in to AA’s site using a tool provided by TPG.

This case hearkens back to the pre-hiQ Labs dispute in Facebook v. Power Ventures, Inc. in the Ninth Circuit in 2016. Facebook v. Power Ventures involved a social media aggregator’s consensual use of its users’ Facebook passwords to access their Facebook accounts. The service that Power Ventures sold was a platform to manage multiple social media platforms together. Of course, Facebook objected and sent a cease-and-desist letter. According to the Ninth Circuit panel, after receiving a cease-and-desist letter, Power Ventures could not access Facebook accounts with “authorization” under the CFAA and was thus violating the CFAA, even though they still had authorization from Facebook’s users to access their accounts with shared credentials.

After the same court’s hiQ Labs decision from 2019, it wasn’t clear whether that was still good law.

The Ninth Circuit in hiQ Labs said:

We agree with the district court that giving companies like LinkedIn free rein to decide, on any basis, who can collect and use data—data that the companies do not own, that they otherwise make publicly available to viewers, and that the companies themselves collect and use—risks the possible creation of information monopolies that would disserve the public interest.

That language implied that revocation-by-cease-and-desist letter was no longer sufficient to trigger CFAA liability. And then last summer, hiQ Labs was vacated by the Supreme Court. So it’s anyone’s guess where the law stands on that question now. At oral argument last October, the Ninth Circuit still seemed skeptical about the revocation-by-cease-and-desist-letter theory of liability. But hiQ Labs II hasn’t been decided yet.

Either way, the fact pattern here appears to be even more attenuated in terms of potential liability than Power Ventures (again, based on my inferences in reading the public filings), in that TPG doesn’t appear to be logging in to accounts, but rather providing customers a tool to log in on their own behalf.

Regardless, if this gets to the point where any court decides the CFAA issue on the merits, it will be something the rest of the industry will be watching with great interest.

And while the CFAA issue is usually what gets the most attention with web scraping cases, because of its criminal component, it’s not the only legal claim at stake here. In total, AA has alleged 12 legal claims:

1. Breach of Contract
2. Tortious Interference with a Contract
3. Unfair Competition by Misappropriation
4. Trespass
5. Trademark Infringement
6. Dilution
7. Dilution under Texas State Law
8. False Designation of Origin
9. Copyright Infringement
10. Violation of the CFAA
11. Violation of Texas Harmful Access by Computer Act
12. Unjust Enrichment

[It’s been a while since I’ve seen a plaintiff file a trespass claim in a web-scraping case (rather than trespass to chattels). If nothing else, let’s hope that hot ball of garbage gets tossed in the dumpster.]

As with many web-scraping cases, there are enough legal issues crammed into the complaint to fill an internet-law course or twelve.

What this case illustrates to me is that we have not yet achieved a stable equilibrium on these issues. TPG’s service is popular with consumers and pro-social. Its core product seems benign in every way other than that it hurts airlines’ profit margins. TPG’s use of trademarks seems consistent with that of every online travel agent.

A lot of this lawsuit, in my opinion, is the kind of pretextual BS that makes it easy to become cynical practicing in this field. Courts need to get wise that what’s really happening here is incumbents are leveraging things like trademark law, the CFAA, and the law of online contracts to avoid competition on the internet. That said, at least some of the issues raised by this lawsuit involve novel and interesting questions of law that have yet to be fully decided.

TPG’s parent company Red Ventures, LLC, has a market cap about the same size as American Airlines. Usually, when incumbents pick these fights, it’s a David vs. Goliath situation. In this instance, AA has picked a fight with a company its own size. That makes this a rare web-scraping case that has a chance to be decided on the merits.

It will be interesting to see if we get clarity from this case that we didn’t from Van Buren.