Game On! Bright Data Scores Major Victory in Web-Scraping Dispute with Meta (Guest Blog Post)

by guest blogger Kieran McCarthy

Whether it is by accident or because of who he is, Judge Edward Chen of the Northern District of California has a way of finding himself at the center of the most important cases in the world of web scraping. He presided over the famous hiQ Labs v. LinkedIn case, which up until now was the most important case in the history of US web-scraping litigation. In that case, he ruled in favor of hiQ Labs on its CFAA claims, which produced two separate 9th Circuit opinions that concurred with his opinion. Then he reversed course on remand and ruled in favor of LinkedIn on its breach of contract claims.

On January 23rd, Judge Chen once again dropped a bombshell for the web-scraping world (and those looking to stop it) by ruling in favor of Bright Data and against Meta on its breach of contract claims at summary judgment. Meta Platforms, Inc. v. Bright Data Ltd., 2024 WL 251406 (N.D. Cal. Jan. 23, 2024)

The short version of the facts are as follows:

Bright Data, headquartered out of Israel, is one of the largest web-scraping companies in the world. Meta owns Facebook and Instagram. Meta was once a customer of Bright Data’s. In December 2022, Meta’s “anti-scraping team” told Bright Data to stop scraping its data. Bright Data responded by closing its Meta accounts and terminating its online contracts with Meta. Meta said that its terms still applied to Bright Data and those claims survived termination.

Meta sued in California. Bright Data countersued in Delaware. The Delaware court stayed proceedings pending the California action. Bright Data quickly moved for summary judgment in the California case, asking the judge to rule on the question of whether it was liable for scraping data outside of a log-in after its termination of its accounts (and therefore contracts) with Meta.

And lo and behold, Bright Data appears to have won (at least so far – I don’t think we’ve heard the last of this case).

Historically, if 1) a web scraper has notice of a website’s terms, 2) the website terms prohibit scraping, and 3) the scraper continues scrape in violation of the terms, they have been liable for breach of contract. But that’s not what happened here.

How?

There were a few steps in Judge Chen’s reasoning.

First, the court found that there was no evidence of logged-in scraping in the record. Meta disputed this, but this is not the most interesting part of the opinion. Logged in or no, historically web scrapers lose if they have knowledge of website’s terms and still scrape in violation of those terms, whether they’re logged in, logged out, or never agreed to a contract in the first place.

But here, Judge Chen found that Facebook and Instagram’s terms only apply to users, and once you terminate, you’re no longer a user. The most persuasive evidence on that front was as follows:

That a non-subscribing visitor is not a “user” bound by the Terms is underscored by a change that was made to the Facebook Terms. The 2009 Facebook Terms included the following clause: “accessing or using our website . . . signif[ies] that you . . . agree to be bound by these Terms . . . , whether or not you are a registered member of Facebook.” Meta’s Opp. at 18 (quoting the 2009 version of the Terms at issue in Fteja v. Facebook, Inc., 841 F. Supp. 2d 829, 839-841 (S.D.N.Y. 2012), Docket No. 6-1 (Apr. 4, 2011)) (emphasis in original). That clause has since been removed, i.e., is not in the current Terms. The now-obsolete clause demonstrates that Meta was fully aware of how to write a clear provision that applied to both logged-in and logged-off users and made a conscious decision not to include the distinction in the most recent iteration of the Terms for Facebook and Instagram. Therefore, it is reasonable to infer that the current Terms contemplate a “user” as an account holder.

Id. at 20.

But the opinion didn’t end there.  Bright Data was found not to have violated Meta’s terms, even for the period of time when it had an active account with Meta, because Bright Data’s logged-out scraping was “unrelated to the purpose of its accounts.” Bright Data claims that it was using its Facebook and Instagram accounts for marketing purposes and was never logged in to its accounts when scraping. Judge Chen then wrote: “Therefore, even though Bright Data could technically be characterized as a “user” of Facebook and Instagram inasmuch as it maintained accounts on those platforms, there is a strong and compelling argument that Bright Data was not “using” Facebook as contemplated by the Terms when it scraped public data while not logged-in.” Id. at 23.

Meta argued that even after termination, that Bright Data was bound by its prohibition on scraping, which had a survival clause.

But Judge Chen wasn’t persuaded by that, either.

The court’s reasoning was that the survival clause did not have a reasonable restriction or termination date. According to the court:

The U.S. Supreme Court has advised that courts “should not construe ambiguous writings to create lifetime promises.” M & G Polymers USA, LLC v. Tackett, 574 U.S. 427, 441-42, 135 S. Ct. 926, 190 L. Ed. 2d 809 (2015) (cited in Bright Data’s Mot. at 3, 24); see also 3 A. Corbin, Corbin on Contracts § 553, at 216 (1960). California courts have applied this presumption against perpetual agreements to various contexts, holding, for instance, in real estate contexts that “[a] construction conferring a right in perpetuity will be avoided unless compelled by the unequivocal language of the contract.” Nissen v. Stovall-Wilcoxson Co., 120 Cal. App. 2d 316, 319 (1953) (invalidating trial court’s interpretation of land purchase agreement as binding the defendant to pay all land assessments without time limitations). For this reason, courts generally hold that, for a survival clause to be valid and enforceable, the clause must be limited in scope as to its geography and duration. See, e.g., Nalco Chem. Co. v. Hydro Techs., Inc., 984 F.2d 801, 804 (7th Cir. 1993). Courts have invalidated or limited the scope of perpetuity provisions in other contexts as well. See Nissen, 120 Cal. App. 2d at 319; Foster Cable Servs., Inc. v. Deville, 368 F. Supp. 3d 1265, 1274 (W.D. Ark. 2019) (stating that “[t]he fact that the [confidentiality] Agreement does not state a time limitation, but instead applies forever, further supports a finding that it is unenforceable”); Howard Schultz & Assocs. v. Broniec, 239 Ga. 181, 187 (1977) (finding that a nondisclosure covenant with “no time limitation” was therefore “unenforceable”); Nalco, 984 F.2d at 804 (determining that a confidentiality clause without “a durational limitation” was void and unenforceable, except as to trade secret restrictions). Survival clauses are generally limited to “conduct that arises out of or shares a nexus to,” the agreement. Nolde Bros., 430 U.S. at 249.

Id. at 28-29.

There is much more to this opinion, but those were the highlights.

This case is an earthquake in the web-scraping world. It has huge ramifications for both web scrapers and those who are looking to stop it. For web scrapers, there is now a new precedent to argue that websites cannot stop scraping of “logged out” data. For those looking to stop scraping, ToS will need to be amended to take into account this new precedent and its implications.

Just a few of the open questions I have, off the top of my head:

– Where will this case go next, procedurally? I would be shocked if Meta didn’t appeal this.

– Given the Register.com v. Verio, Inc. precedent, could Meta just amend its terms, send another cease-and-desist, and revisit this, or does this case repudiate that whole line of precedent?

– Which courts around the country will follow this reasoning?

– Is this just a one-off decision based on the specific wording on the Meta agreements, or will this apply to all online contracts for users who are “logged out” in the scraping world (or at least in the Ninth Circuit)?

– Do all online contracts now need reasonable time restrictions on their survival clauses?

– Why didn’t Meta’s lawyers also bring DMCA, trespass to chattels, and misappropriation claims?

– Can a scraper that accesses a site with no log in also “terminate” the contract and continue to scrape in contravention of a terms of use? Is that a case-by-case question, or is there a categorical rule we can follow?

Bring your popcorn 🍿. Thanks to Judge Chen, legal issues in the web-scraping world just got a lot more interesting (again).

* * *

Eric’s comments: This ruling is definitely going to be appealed, so I’m not ready yet to declare this ruling as the new trespass-to-chattels baseline. I also don’t understand how the other anti-scraping doctrines (CFAA, TTC, etc.) might still apply to this case. Just like in hiQ, a loss on any of the legal doctrines would still be a total loss for Bright Data.

Another question to add to Kieran’s list: what’s up with Judge Chen’s seeming affinity for data snarfers? He’s going out of his way to enable them–despite the broad-scale movement elsewhere to crack down on data brokers and enhance consumer privacy. If Judge Chen thinks he’s doing consumers a solid with these rulings, he’s definitely mistaken.

Because Kieran covered the main points, I’ll focus on one line from the opinion: “Meta ‘left the gate open’ by choosing not to place all its content behind a password-protected barrier.”

First, would the world be a better place if Meta did put everything behind the password screen? For example, a lot of Instagram and TikTok content is only available after logging-in, which becomes an insurmountable barrier to access because I haven’t installed either app on my phone (and don’t plan to). Be careful what you wish for.

Second, the judge recycles the abysmal “gates” metaphor, prominently evangelized in the confusing the Van Buren Supreme Court decision. But notice here that Judge Chen is talking about breach of contract, not the Computer Fraud & Abuse Act, so the gates metaphor is now spreading to other legal doctrines? Oh joy. And the irony: the Van Buren court sidestepped whether TOSes could delimit access for CFAA purposes, but now the metaphor is being used to analyze the trespass implications of TOSes?

Third, the Van Buren opinion referred to gates up or down, but here, Judge Chen refers to gates open (and, by inference, closed). I never knew if gates up or down was more anti-trespass (i.e., is the “gate” a fence that get raised to keep people out or a portcullis that comes down to keep people out?). At least gates open or closed is clearer on that front.

Fourth, this prompts another question to add to Kieran’s list: is password protection the only way that a “gate” can be “closed”? The court implies that without actually saying so, and it really does make a difference. For example, if Facebook also had a robot exclusion header, would that close the gate? Or if Facebook had blocked Bright Data’s IP addresses? In other words, Facebook may have closed (or may be able to close) the gates on Bright Data using other technologies–if that matters to this decision at all.

Finally, I’m left wondering how easy it would be for a service to draft around this opinion. Facebook has enough money and motivation to do so, if it’s possible.