A recent Northern District of California opinion in Cordova v. Huneault sent another bat-signal to those who follow this area of the law: copyright law in the context of public content is being consumed by the DMCA. [Eric’s note: I blogged the 512(f) angle of this case previously.]

The court let a DMCA section 1201(a) claim survive a motion to dismiss based on allegations that YouTube uses technical measures, including rolling cipher mechanisms, to prevent unauthorized downloading. The court then said the fact that the videos are broadly accessible by the public does not matter. If there are technical measures aimed at stopping downloading, that can be enough to plead an access-control theory.

On the surface, this feels like a modest pleading-stage ruling. Courts often say, sure, the plaintiff alleged a thing, let’s get to discovery. But small decisions like this one are how bad legal interpretations get normalized. This one matters because of what it treats as obvious, and what it does not even try to engage.

Publicly viewable, but with access locked?

Cordova alleged that defendants copied his publicly viewable YouTube videos and reposted them. The complaint described rolling-cipher technology, which encrypts and dynamically alters the video stream’s URL signatures, and asserted that ripping tools and browser extensions can “retrieve and decrypt the obfuscated streaming URLs” to make local copies.

Here is the crux of the issue: The work is publicly accessible for viewing, but the platform uses technical controls that allegedly limit access to a particular version of it, the downloadable file, or a preferred pathway to the content. The opinion treats that distinction as sufficient. Viewing is public. Downloading is gated. Therefore, access is controlled.

That framing is doing a ton of work. It is also a convenient way to turn product design and platform preferences into federal anti-circumvention liability.

In the modern web, nearly everything is delivered through some combination of signed URLs, token rotation, encryption, bot gating, and rate limits. They are default architecture. If courts treat that architecture as an access control for section 1201(a), then a lot of ordinary data collection and analysis starts to look like circumvention by definition.

That is how content protection shifts from the domain of copyright law into a federally enforceable platform-control law without anyone ever announcing the shift.

The opinion’s biggest problem is what it does not say

Section 1201 has been controversial for decades for a simple reason. It can be used to punish bypassing a restriction even when the underlying use would not be infringing or fair use, or even when the underlying issue is not copyright at all.

Some courts have confronted that risk head on. Two of the most important opinions are Chamberlain v. Skylink and Storage Technology v. Custom Hardware. They wrestle with the idea that 1201 should not create a new property right where copyright does not already grant one. They also worry about a world where rights holders can wrap non-copyright interests in a thin technical wrapper and then claim the DMCA as a super-powered enforcement mechanism.

While there is a circuit split on this issue, the courts on the other side of it should still appreciate the importance of finding a limiting principle here. They should get their spidey-sense up when section 1201 is being used as a substitute for proving copyright infringement, or as a circumvention mechanism itself to avoid fair use, interoperability, competition, and the basic underlying tenets of the Copyright Act.

The court in Cordova is uninterested in that conversation. It does not ask what prevents a plaintiff from turning any technology speed bump into a federal access-control claim. It does not grapple with the downstream impact on public-facing platforms and automated access. It does not ask whether calling publicly viewable content an access-controlled work just because the platform prefers one mode of access is consistent with what Congress really had in mind back when Clinton was the president.

Why this matters for scraping and the open web

I’ve been over this before, but if 1201 liability attaches whenever a platform can point to a rotating token or interface speed bump to public content and call it a TPM, then this law can lead to cascading consequences pretty quickly.

Cordova is a pleading-stage decision. It may narrow later. But if courts keep treating copyright and fair use considerations as “immaterial” to public-facing section 1201(a) cases, the momentum around this is going to build soon. It will allow platforms to set preferences as enforceable laws, and that will have major downstream market effects throughout the tech industry.

The post This Week in the “DMCA Eating Copyright Law”: Cordova v. Huneault (Guest Blog Post) appeared first on Technology & Marketing Law Blog.

A series of prominent web-scraping lawsuits are revisiting the fundamentals of public data access. And in so doing, with a slight reframing of a relatively settled legal issue, major platforms are challenging the presumption that collecting and using public data at scale is legal.

In September 2019, the Ninth Circuit in hiQ v. LinkedIn wrote:

Although there are significant public interests on both sides, the district court properly determined that, on balance, the public interest favors hiQ’s position. We agree with the district court that giving companies like LinkedIn free rein to decide, on any basis, who can collect and use data—data that the companies do not own, that they otherwise make publicly available to viewers, and that the companies themselves collect and use—risks the possible creation of information monopolies that would disserve the public interest.

hiQ Labs, Inc. v. LinkedIn Corporation, 938 F.3d 985, 1004 (9th Cir. 2019) (vacated by SCOTUS, but this language was later re-affirmed verbatim by the Ninth Circuit in 2022).

It’s hard to overstate the importance of this language for the web-scraping industry. For the first time, there was a court taking a public-policy stand in favor of web scraping. This was not just an instance where a court said that scraping did not constitute a crime. This was a circuit court taking a stand on policy grounds that it was in the public interest for public data on private fora to remain publicly available for public consumption. The Ninth Circuit seemed to fully embrace the idea that allowing public use of public data was vital for a functioning digital information ecosystem.

For those that operate in data access, broadly defined, hiQ v. LinkedIn became shorthand for a simple proposition: Scraping publicly accessible web pages was legal. And while the truth was always a bit more nuanced, and hiQ ultimately capitulated in the case and went under, the legality of public data access was never questioned by industry insiders after the decision.

The last six years have been an absolute boon for the web-scraping industry. And it is not hyperbole to say that the AI revolution might not have come, or at least not have come as fast, had it not been for strong policy presumption in favor of legal data access to public content after hiQ Labs.

Fast-forward six years, and data-access questions are more critical than ever. All the world’s information is there for the taking and there is no shortage of people and companies doing the taking.

In just a few years, AI has become an integral component of almost all knowledge work. And it is arguably the single biggest engine driving economic growth right now.

And the fuel that powers that engine is data—usually public data collected at scale. And with that, there are dozens of lawsuits percolating over the legalities of when it is and is not permissible to copy and reuse public data.

But with CFAA questions about publicly available data now largely resolved (except at the margins), and with terms of use often preempted by copyright, those looking to build walled gardens have been angling for new arguments to restrict access to public data.

In a recent wave of disputes over AI and “public data,” a new pattern has emerged. Plaintiffs are trying to rerun the hiQ fact pattern under a different federal statute.

That statute is the Digital Millennium Copyright Act (DMCA), specifically Section 1201.

While hiQ mostly resolved the CFAA-era battle over whether “public” means “authorized,” Section 1201 is the new battlefield over whether antibot tech is a technological measure that “effectively controls access” to a copyrighted work.

Created by ChatGPT Dec. 2025

But make no mistake, from the data monopolist’s perspective (or oligopolist, if we’re being more precise here), the goal is the exact same as it was in 2019, to restrict data collectors’ access to public data. The largest incumbent platforms such as Google want “free rein to decide, on any basis, who can collect and use data—data that the companies do not own, that they otherwise make publicly available to viewers, and that the companies themselves collect and use.” Companies like Google want to control the data. Many companies (like Reddit, Yahoo, X, and others) want to license the data (even to the extent that the data is generated by their users). But almost all the major platforms are making renewed legal pushes to keep startups off their digital lawns (while at the exact same time gobbling up the same type of content from others).

Section 1201 as an alternative to copyright, the CFAA, and terms of use claims

There are a few different reasons why 1201 is attractive to plaintiffs in scraping and AI-data cases.

First, in some circuits, plaintiffs are trying to use 1201 to avoid (dare I say, circumvent?) the copyright fair use fight. There is a circuit split on the issue, but in the major circuits where this gets litigated (notably, the Second and Ninth), plaintiffs often argue that fair use is no defense to a Section 1201 anti-circumvention claim. In some jurisdictions, defendants may not be able to rely on fair use as a categorical defense to a §1201 claim, because courts treat §1201 as analytically distinct from infringement. And there are many situations where that distinction might be dispositive. Well-designed AI systems that train on large datasets are often going to be deemed fair use because they are highly transformative. Under the DMCA, though, that might not matter.

Second, plaintiffs may be able to avoid the copyright registration prerequisite that constrains many copyright claims. At least as alleged in the recent YouTube-scraping cases, plaintiffs emphasize that DMCA anti-circumvention claims do not depend on copyright registration in the same way copyright infringement claims do.

Third, the DMCA allows plaintiffs to allege that the tech itself is inherently unlawful. 1201(a)(2) lets plaintiffs target the tooling layer (Captcha solvers, challenge tools, proxy services, and other antibot solution tech) as “trafficking” in circumvention tech. Google’s new case leans heavily into that line of argumentation.

Courts have been wary of turning Section 1201 into a general-purpose “keep out” sign, as Eric recently noted in the Ziff-Davis case. But this new line of cases will test those limits once again. Older doctrine around “effective” technological measures and the relationship between circumvention and copyright protection shows up repeatedly in the case law discussions (think Lexmark and Chamberlain). But those were not Second or Ninth Circuit cases. And those cases were not resolved in the modern era of high-volume data access.

Google v. SerpApi and the SearchGuard blueprint (ND Cal, Dec. 2025)

Google’s recent lawsuit against SerpApi is the most on-the-nose “DMCA-first” pleading to date.

Google sued SerpApi in the Northern District of California, alleging SerpApi used massive volumes of fake search requests to bypass Google protections and resell content from search results. Google also publicly framed the suit as targeting “circumventing security measures protecting others’ copyrighted content that appears in Google search results.”

The complaint is explicit. It is a DMCA case from page one, asserting claims for circumvention (17 U.S.C. § 1201(a)(1)(A)) and trafficking in circumvention tech (17 U.S.C. § 1201(a)(2))

And it provides a detailed narrative about the technological measure itself. Google alleges it built SearchGuard, a system designed to block automated access without breaking normal user experience, including a JavaScript “challenge” that automated systems typically cannot solve at scale.

SerpApi’s public response is the classic hiQ-adjacent argument. We provide the same information any person can see in a browser without signing in.

Google’s complaint tries to make that defense irrelevant by focusing on: (1) the presence of licensed copyrighted material in SERPs, and (2) the alleged circumvention of SearchGuard to access it at scale.

That framing matters because it tries to make the “public vs. private” question less central. Instead, the center becomes: “was there an access-control measure, and did defendants circumvent it?”

I’ll give Google’s lawyers credit. They did a good sales job on this.

But don’t get it twisted: Google’s 1201(a) pitch that SearchGuard is a TPM stinks like two-month-old garbage in the Texas summer heat. A TPM, as Congress imagined it, is a lock on access to a copyrighted work, a measure that actually gates entry to protected expression. SearchGuard, by Google’s own framing, is a traffic-cop. It’s a system for managing how you reach pages, at what rate, with which client, under which terms. That’s not controlling access in any meaningful copyright sense; it’s controlling conduct. Conflating those two isn’t a clever reading. It’s a category error dressed up as inevitability. If SearchGuard is a TPM, then literally every site that throws up a speed bump can build an impenetrable copyright perimeter around almost any content whatsoever, and the statute becomes a magic spell. Add friction, say TPM, and now you can replace copyright law with your own proprietary preferences and they become federally enforceable.

That’s the crazy part. Google’s argument doesn’t just misread 1201(a). It turns the anti-circumvention statute into an anti-competition superweapon that will destroy existing copyright protections.

If Google pulls this off, they will have reshaped copyright law as a form of property rights in interfaces, where circumventing a company’s desire is treated like circumventing encryption. That doesn’t protect creators. It protects incumbents. It chills security research, accessibility work, archiving, interoperability, independent auditing, and every weird-but-legitimate tool that makes the internet function like it should rather than merely consumable on platform-approved terms.

Let’s be honest: This isn’t Google vs. circumvention, so much as Google wanting to build a DMCA moat around its own monopoly in search. And if successful, it will provide a handy playbook for any other platform looking to build or defend any online monopoly in any other vertical.

Tech writer Mike Masnick explains the potential consequences:

Google’s argument, if accepted, provides a roadmap for any website operator who wants to lock down their content: slap on a trivial TPM—a CAPTCHA, an IP check, anything—and suddenly you can invoke federal law against anyone who figures out how to get around it, even if their purpose has nothing to do with copyright infringement.

The implications spiral outward quickly. If Google succeeds here, what stops every major website from deciding they want licensing revenue from the largest scrapers? Cloudflare could put bot detection on the huge swath of the internet it serves and demand Google pay up. WordPress could do the same across its massive network. The open web—built on the assumption that published content is publicly accessible for indexing and analysis—becomes a patchwork of licensing requirements, each enforced through 1201 threats.

That doesn’t seem good for the prospects of a continued open web.

This is the “relitigating hiQ” move. If accessing a public page is a CFAA non-starter, then plaintiffs try to win by arguing the defendant defeated a technological control to access the same public page, even if the end use is not infringing.

Nvidia, Ziff-Davis, Reddit, and a host of class-action cases are pursuing similar claims along similar themes.

DMCA 1201 as the new anti-scraping front

If you zoom out, these new complaints share a single strategic philosophical theme.

Plaintiffs allege that it does not matter whether content is public and available to anyone with a web-browser. If antibot tech is designed to make certain content inaccessible at scale to automation, anyone who accesses it at scale through is violating the DMCA.

hiQ mostly put an end to hyper-aggressive CFAA allegations for public web access. But the current litigation wave shows a sophisticated and equally aggressive platform response. Swap the CFAA question (“authorized?”) for the DMCA question (“circumvented?”). That is the simple reframing at the center of the most important fights over public data.

Does this change the underlying public policy concerns described in hiQ Labs? And will those concerns highlighted in hiQ Labs inform the interpretation of the DMCA in this context? Only time will tell.

The post Relitigating hiQ Labs and Scraping Through the Lens of DMCA 1201 Anti-Circumvention (Guest Blog Post) appeared first on Technology & Marketing Law Blog.

Created by ChatGPT Dec. 2025

By guest blogger Kieran McCarthy

If you have ever wondered why big incumbents keep running to the Northern District of Texas the moment someone builds a tool that makes switching easier, comparing prices easier, or generally makes the internet work like the internet, AT&T Services, Inc. v. T-Mobile US Inc. should help you understand why.

On December 18, 2025, Judge Karen Gren Scholer entered a temporary restraining order blocking T-Mobile from implementing the original “Easy Switch” feature in its T-Life app, and blocking “any substantially similar version” that “accesses or obtains” information from AT&T’s “protected computer systems,” unless T-Mobile gets permission of the Court.

This opinion builds on the case law the N.D. Tex has been generating for years in the Southwest Airlines “don’t you dare build a useful layer on top of our website” cases.

The facts of the case are pretty simple. T-Mobile marketed a feature that let customers log into their current carrier account (AT&T or Verizon) and pull information to help them compare plans and switch. Customers made the decision to switch, and T-Mobile, for obvious reasons, automated the process. The horror!

AT&T sued, saying this was not “customer convenience.” It was unauthorized automated access and scraping of data from password-protected AT&T pages, with allegations of repeated bypassing of AT&T’s blocks, and “over 100” fields of customer data per user.

Over 100 fields? Dang! That’s, like, so many fields! And I suppose there are a few different lenses through which one could analyze that fact. One approach might be to say that automating a process with over 100 fields might be precisely the kind of thing that makes the internet useful, and that saves everyone time, money, and mental headaches.

Another way to view this fact is as evidence of “soooooo much computer fraud” even when T-Mobile is simply automating a process that consumers are choosing to automate. But that is how things work in the Northern District of Texas.

By the time the TRO issued, T-Mobile had already changed the tool so AT&T and Verizon customers could upload a bill PDF or manually enter information.

The court found AT&T likely to succeed because the Easy Switch tool, and its iterations before the November 26 change to PDF upload, accessed AT&T’s systems without authorization, pulled “over 100 fields” of customer data, and transmitted the data back to T-Mobile. It also found irreparable harm to AT&T’s control over its systems and data, plus reputation, goodwill and ‘customer privacy,’ without any inclination to grapple with the awkward fact that the customers were the ones asking to move their own information around. How the court concluded that customer privacy was at issue when the customers themselves initiated the switch .

Even though T-Mobile deactivated the challenged version, the court found the threat remained because T-Mobile wanted to retain the ability to use something “very similar” later.

T-Mobile is enjoined from implementing the original version or any “substantially similar” version, and “substantially similar” is defined basically as anything that accesses or obtains information from AT&T’s protected systems.

Perhaps, learned reader, you might be wondering if there was any discussion of user empowerment, lower lock-in costs, increased innovation and competition, added product development, interoperability, improved price discovery, or any other known policy benefits associated with data portability in the policy section of the TRO?

No. There was not. This is the entire policy discussion of the opinion: “This temporary restraining order will serve the public interest. The enforcement of state and federal laws serves the public interest.”

See how easy this judging stuff is?

To be clear, this is not a case where you would expect someone like T-Mobile to prevail in Texas. But the lack of analysis or consideration for the broader issues at stake is always a bit startling. A big incumbent takes a dispute that is at least partly about competition and consumer switching, recasts it as “computer trespass,” and asks a court to shut the product down quickly. And the N.D. Texas always obliges, especially when the plaintiff is a household-name company with a website and Terms of Use, and the defendant is building a tool that rides on top of it.

That posture matters historically because it reflects an early willingness to treat “automation + Terms + notice” as a path into computer-access liability, even when what is being accessed is, functionally, consumer-facing information.

AT&T’s complaint is explicit that this case is “not about competition for customers,” but about “unauthorized” intrusion into its systems, using automated bots “disguised as an AT&T customer,” scraping “over 100 categories” of data, and bypassing AT&T’s security measures. And that is what is what I like to call “bullshit.”

Either way, the N.D. Texas proves once again why it is the preferred venue and forum for those looking to build walled gardens.

* * *

Interestingly, Texas does have a mandatory data portability law, the TDPSA, or the Texas Data Privacy and Security Act. But the reality is that these laws have very little utility for consumers.

A portability right on paper like the TDPSA is little more than a slow and functionally useless export option. The reality is that laws like this don’t help consumers move with their data.

For one, TDPSA only mandates that companies return the “data you provided,” not the data you actually need to switch. Second, the time, frequency, and authentication friction make it useless for “I want to switch today.” Under TDPSA, controllers generally have up to 45 days (plus a possible 45-day extension) to respond. Waiting 45-90 days for data is so unhelpful that most consumers don’t see any value in requesting it. Next, a .pdf copy of data does not equal “interoperable.” Without shared schemas, APIs, and validation rules, the receiving service cannot reliably ingest the data—and certainly not at scale.

In a case like this one, the consumer-facing promise is “we’ll read your bill and account and recommend the right plan fast.” A statutory portability right typically gives you a dataset, not the transformation, normalization, and comparison workflow that makes switching easy. And when a competitor tries to fill that gap by automating access into the incumbent’s systems, you collide with the CFAA, terms of service, and state computer access statutes (exactly what the TRO discusses). Which is why, without meaningful analysis of the real value of automation for consumers in cases like this one, mandatory portability statutes are functionally useless for consumers.

[Eric’s comment: data portability mandates are generally quite popular, at least in academic circles. But I haven’t seen any evidence indicating that the mandates actually improve anything for anyone. I welcome pointers to academic studies on this topic.]

The post AT&T Blocks T-Mobile’s Data Portability Efforts (Guest Blog Post) appeared first on Technology & Marketing Law Blog.

[FN: Last night, I searched Westlaw ALLCASES and came up with 17 hits for “robots.txt” or “robot exclusion,” including some well-known cases like LinkedIn v. hiQ, Field v. Google, and Bidder’s Edge v. eBay, plus some less-heralded cases like Tamburo v. Dwoskin and AP v. Meltwater.]

* * *

This is a lawsuit over OpenAI’s automated scraping to build its ChatGPT model. Ziff Davis deployed a robots.txt file that “allegedly instructed GPTBot not to scrape Ziff Davis’s websites,” but the GPTBot allegedly ignored the instruction. Ziff Davis argued that OpenAI ignoring the robots.txt instruction violated 17 USC 1201(a) (the anti-circumvention restrictions) because OpenAI’s scraper circumvents “a technological measure that effectively controls access to a work.” The court disagrees and dismisses the claim.

The court explains:

Robots.txt files instructing web crawlers to refrain from scraping certain content do not “effectively control” access to that content any more than a sign requesting that visitors “keep off the grass” effectively controls access to a lawn. On Ziff Davis’s own telling, robots.txt directives are merely requests and do not effectively control access to copyrighted works. A web crawler need not “appl[y] . . . information, or a process or a treatment,” in order to gain access to web content on pages that include robots.txt directives; it may access the content without taking any affirmative step other than impertinently disregarding the request embodied in the robots.txt files. The FAC therefore fails to allege that robots.txt files are a “technological measure that effectively controls access” to Ziff Davis’s copyrighted works, and the DMCA section 1201(a) claim fails for this reason.

The court adds that: “At most, Ziff Davis alleges that OpenAI disregarded the instructions that were contained in robots.txt files. This is not ‘circumvention’ under the DMCA.”

* * *

This opinion doesn’t answer the most important questions about robots.txt because it only addresses 1201. Using 1201(a) as an anti-scraping law is not intuitive. Indeed, it feels overreaching to me, such that I doubt the plaintiffs expected the claim to succeed in court.

Created by ChatGPT Dec. 2025

This opinion turns on the specific statutory language of 1201, which limits its applicability to other doctrines. That’s unfortunate, because we could use more clarity about if and when robots.txt can effectively limit access to websites.

That issue is central to trespass to chattels claims, including CFAA claims. For example, the Supreme Court indicated in Van Buren that website access could be delimited by whether technological “gates” are up or down (the opinion didn’t clarify if the delimiting occurs when gates are up or gates are down…details…). This 1201 opinion casts a little doubt on robots.txt acting as a technological “gate” for TTC purposes. After all, the court expressly says that robots.txt don’t control access to sites and says they are as technologically effective at preventing access as a “keep off the grass” sign. If I were a scraper, I would cite the decision in favor of treating robots.txt instructions as legally irrelevant.

Case Citation: Ziff Davis v. OpenAI, Inc., 2025 WL 3635559 (S.D.N.Y. Dec. 15, 2025)

UPDATE: On December 18, the judge denied Ziff Davis’ request to amend the complaint to cure the 1201 claim.

The post Are Robots.txt Instructions Legally Binding?–Ziff Davis v. OpenAI appeared first on Technology & Marketing Law Blog.

the software embeds snippets of JavaScript computer code on a website, which then deploys on each website visitor’s internet browser for the purpose of intercepting and recording the website visitor’s electronic communications with the website, including their mouse movements, clicks, keystrokes, URLs of web pages visited, and/or other electronic communications in real-time. The session-replay provider then uses those website communications to recreate website visitors’ entire visit to the website. A business utilizing this technology can then access useful consumer data, including detailed heatmaps of a website that provide information about which elements of a website have high user engagement, how far website users scrolled on the website, and the total clicks within a given area on the website. In essence, session-replay technology helps a business to determine which parts of its website are effective with customers and which are not

Standard product marketing work.

The technology at issue is Microsoft’s Clarity service. It has three settings for capturing personal information during the session: (1) no user text is captured, (2) key items, like passwords, are not captured (this is the default setting), and (3) all user text is captured. The defendant, Pet Supplies Plus, masked the text capture so it did not include the plaintiffs’ street number or zip code.

The plaintiffs’ lawsuit over Clarity’s session replay fails because the plaintiffs lack Article III standing per Spokeo and TransUnion.

To establish Article III standing, the plaintiffs have to show how they suffered a “concrete” injury. This is no small challenge. Tracking and recording a person’s navigation of a website may be unwanted and disquieting, but it typically has no real effects on individual users. See my old paper on data mining.

I highlight this issue when I teach the old Phamtrak case. I ask students: where’s the harm where the system collected highly sensitive PII but the collector never paid attention to it? In Pharmatrak, the plaintiffs couldn’t articulate any theory of how that unexamined collected data harmed them (though the case didn’t turn on Article III standing). Same too here.

To satisfy Spokeo/TransUnion, the plaintiffs’ claims must satisfy the common law requirement that any privacy intrusion be highly offensive. Session replay isn’t that:

Popa does not explain how the tracking of her interactions with the PSP website caused her to experience any kind of harm that is remotely similar to the “highly offensive” interferences or disclosures that were actionable at common law….Popa identifies no embarrassing, invasive, or otherwise private information collected by Clarity. Indeed, the monitoring of Popa’s interactions with PSP’s website seems most similar to a store clerk’s observing shoppers in order to identify aisles that are particularly popular or to spot problems that disrupt potential sales….

At most, Popa alleges that Clarity gathered her pet-store preferences and her street name. To the extent Microsoft’s tracking software could be offensive in particular circumstances (e.g., involving sensitive medical or financial information), Popa does not plausibly allege the infringement of any such privacy interest.

While I agree with the conclusion, the court’s invocation of an offline analogy to online activities is problematic. I recently dealt with similar analogies in my Segregate-and-Suppress paper, where I claimed there was a significant difference between a physical-space retailer’s inspection of a shopper’s government-issued ID and online age authentication using government-issued ID. I pointed out several key differences, including the fact that the digital mediation (including the encoding, interceptability, and possible storage that could lead to expropriation) creates privacy and security risks that don’t exist with physical world age authentication. Also, a store clerk monitoring a shopper isn’t likely to record any of the shopper’s conversations with other store clerks or patrons, while session replay will. The opinion would have been better without the offline analogy.

In a footnote, the court discounts the identity theft risk:

the complaint identifies potential harms that might be associated with session-replay technology, such as identity theft. But the complaint includes no allegations plausibly linking these potential, generalized harms to the operation of Clarity on PSP’s website vis-à-vis Popa.

The court also discounts the possible trespass to chattels angle:

Popa also mentions trespass as a potential common-law analog twice in her opening brief, without any additional explanation. But she never identifies what possessory interest Microsoft invaded. Indeed, Clarity—at least according to the complaint—appears to operate on PSP’s website rather than on an individual’s computer.

The court also says that statutes (in this case, the Pennsylvania ECPA equivalent) can’t boostrap themselves into creating a concrete injury for Article III standing purposes based on the mere statutory violation.

The obvious question is: could session replay plaintiffs establish Article III standing with better pleadings, or will session replays always lack any cognizable harm? I think the answer is… yes? Recording for session replay is a fundamentally inconsequential act by itself, even though the court intimates that the collection of more sensitive consumer information might be a different story. (That’s a warning to any Clarity or other session replay users who aren’t suppressing recording of user text). However, when the data collection is combined with some other harm, such as an expropriation that leads to actual identity theft, then the plaintiffs may have something. But session replay plaintiffs aren’t likely to have evidence of these additional harms very often, and even more rarely will have that evidence at the time of filing the complaint (i.e., pre-discovery).

Without better facts, the plaintiffs try to manufacture Article III harms by invoking speculative and factually unsupported future possibilities. This court wasn’t receptive to that effort. Accordingly, I think most or all of the session replay cases in the Ninth Circuit won’t survive this ruling.

Case Citation: Popa v. Microsoft Corporation, 2025 WL 2448824 (9th Cir. August 26, 2025)

The post Ninth Circuit Dismisses “Session Replay” Lawsuit–Popa v. Microsoft appeared first on Technology & Marketing Law Blog.

(As usual, there is a lot more going on in this case beyond trespass to chattels, but I’m focusing this blog post just on that claim).

The court summarizes the plaintiffs’ trespass allegations:

Defendants “intentionally used, intermeddled, interfered with, and dispossessed [them] of their computing devices without their consent by placing the fbp, ga, and gid cookies on [their] computing devices,” and that as a result, their devices “are useless for exchanging private communications with Tenet [ ], which substantially impairs the condition, quality, and value of [their] computing devices.”

The court says these allegations aren’t good enough in light of Hamidi.

First, the court says the mere placement of cookies, without more, doesn’t show any actual injury to the plaintiffs. The court distinguishes the In re Meta Healthcare Pixels case, where the plaintiffs adequately alleged that the cookies had slowed down their device. (That is almost certainly not a credible statement, but courts have a limited ability to test the evidence on a motion to dismiss). In contrast, “here Plaintiffs do not allege that the placement of cookies led to a measurable decrease in storage, memory, or any other impairment to their computing devices’ functioning.” Assuming the plaintiffs can satisfy Rule 11, it should be easy enough for them to fix these allegations.

Second, the plaintiffs provided no evidence of “dispossession.” Indeed, they cannot: the meaning of dispossession is (per the Cambridge Dictionary) “the fact of having property, especially buildings or land, taken away from you.” No one took away the plaintiffs’ phones from them. However, even if the court strikes the dispossession allegation, the plaintiffs should be able to proceed with arguments tha tthe cookies “intermeddle” or “interfere” with the device.

Third, the plaintiffs claimed the cookies interfered with their private communications. But this concern doesn’t reflect a technical limitation on the device’s functioning due to the cookies. Instead, it’s the users’ behaviorial countermove to the cookies’ presence. Per Hamidi, users’ behavioral changes aren’t recognizable harms, just like the California Supreme Court disregarded the changes in Intel employees’ behavior in response to Hamidi’s spam. The court cites Doe I v. Google.

While it’s nice to see the court push back on plaintiffs’ overclaims of trespass to chattels, we’ll have to see if the plaintiffs can revive the claim by copying the pleading approaches from the Meta Healthcare Pixels case. If it’s that easy for the plaintiffs to correct their complaint, this ruling becomes inconsequential. Instead, my hope is that courts will keep pushing back on the Meta Healthcare Pixels ruling, which made a breathtakingly broad interpretation of the interplay between cookies and trespass to chattels.

Case Citation: Doe v. Tenet Healthcare Corp., 2025 WL 1635956 (E.D. Cal. June 9, 2025)

More Posts on the Pixel Cases

• Clickwrap Formed Even When a Consumer Has Limited Time to Act–Washington v. Flixbus
• Meta Pixels Case Dismissed by Second Circuit–Solomon v. Triller
• Leaky TOS Formation = No TOS Formation–Snyder v. G6
• The VPPA May Be a Dinosaur Statute, But It’s Very Much Alive in the Second Circuit–Salazar v. NBA
• Pixel Case Against Google “Jumps the Shark”–Doe I v. Google (Catch Up Post)
• Think You Understand Online Trespass to Chattels Law? Think Again–In re Meta Healthcare Pixels
• More Chaos in the Law of Online Contract Formation
• Privacy Lawsuit Based on Website Tracking by Service Provider Trimmed

The post Court Rejects Trespass to Chattels Claim Over Placing Cookies–Doe v. Tenet appeared first on Technology & Marketing Law Blog.

With as much scraping as is happening for AI training and enhancement these days, it’s amazing to me that there aren’t more lawsuits happening over scraping. The legal headlines are more of a trickle than the flood I was expected.

But on June 4th, Reddit sued Anthropic in the Superior Court of California for breach of contract, unjust enrichment, trespass to chattels, tortious interference, and unfair competition.

—

The facts are as follows: Anthropic was trained, at least in part, on Reddit data. In fact, in the complaint, they have a quote from Anthropic’s model Claude where Claude admits that it was trained, in part, on Reddit data.

I asked ChatGPT (model o4) the same question. It replied:

—

Yes, ChatGPT has been trained, at least in part, on Reddit data.

OpenAI has utilized Reddit content in multiple ways throughout the development of its language models:

1. Early Training with Reddit-Linked Content: For GPT-2, OpenAI created a dataset called WebText, which consisted of web pages linked from Reddit posts that had received at least 3 upvotes. This approach was intended to gather high-quality and diverse content from the internet.
2. Fine-Tuning with Reddit Data: In 2019, Microsoft Research developed DialoGPT, a conversational AI model fine-tuned on 147 million Reddit conversation exchanges from 2005 to 2017. This fine-tuning aimed to enhance the model’s ability to generate human-like dialogue .
3. Recent Licensing Agreement: In May 2024, OpenAI entered into a formal partnership with Reddit, granting OpenAI access to Reddit’s Data API. This agreement allows OpenAI to use Reddit’s real-time, structured, and unique content to train and improve its AI models, including ChatGPT .

—

And it’s the last part that is why this Reddit-Anthropic legal dispute has arisen. OpenAI and Google have entered into a formal licensing agreement with Reddit. Anthropic has not. OpenAI and Google are paying Reddit to access Reddit content. At least according to the complaint, Anthropic is not.

—

Pay to access our (user-generated) content, or we’ll sue. That’s the rub. And then the legal question is whether Reddit can restrict access to public content that is not proprietary to Reddit, but was created by its users. And according to what legal theories it can restrict that access.

—

One of the things that’s interesting to me here is that the suit has been filed in California Superior Court, rather than in the Northern District of California. Almost all of the major legal scraping precedents happened in the Northern District, and it is definitely unusual that this was filed in state court.

—

I have no idea what Anthropic’s defense to this will be, but if I were counsel for Anthropic, I would start with copyright preemption arguments. This is a content use legal dispute, at its core. And there is a legal regime dedicated to that issue, and it’s called copyright law.

I think there are very strong arguments post ML Genius and related cases that the breach of contract, unjust enrichment, and unfair competition claims should be preempted by copyright.

—

I think Reddit’s strongest argument here is the tortious interference claim, namely that Anthropic’s failure to follow the official protocols with scraping potentially impacts its ability to comply with its own terms of service with its users (to the extent that Anthropic is not following those protocols). That would likely not be preempted by copyright, and if proven, could lead to a successful claim.

—

I hate that we’re still doing trespass to chattels claims in 2025. Reddit’s allegations boil down to this paragraph: “Anthropic’s acts have diminished the server capacity and functioning that Reddit can devote to its legitimate users and thereby injured Reddit by depriving it of the ability to use its personal property.”

More than two decades ago, the Cal. Supreme Court in Hamidi said “The tort does not encompass, and should not be extended to encompass, an electronic communication that neither damages the recipient computer system nor impairs its functioning.”

This complaint alleges neither damage to the servers nor impaired functioning. Merely “diminished capacity” without any attempt to quantify whether that’s a 20% diminished capacity or a .00002% diminished capacity. De minimis diminished server capacity when you’re probably using AWS shouldn’t be a tort.

We need to go back to Hamidi on that one.

—

Either way, this should be another interesting and important case to follow, assuming Anthropic decides to fight rather than just pay up.

* * *

Eric’s Comments

Reddit’s centerpiece claim against Anthropic is breach of contract. So how did it form a contract with Anthropic?

You’re not going to believe this, but Reddit is trying to enforce a “browsewrap.” The relevant allegations from the complaint:

Reddit prominently displayed a link to the User Agreement on its platform. The use of Reddit’s platform is governed by the User Agreement. The User Agreement states: “By accessing or using [Reddit’s] Services, you agree to be bound by these Terms. If you do not agree to these Terms, you may not access or use our Services.”

Anthropic accepted the terms of the User Agreement every time it or its agents—including ClaudeBot, Dario Amodei, or the other authors who found Reddit data to be of the highest quality and well-suited for fine-tuning AI models—accessed or logged on to Reddit’s platform.

Dafuq? Seriously?

I decided to check out this purported placement (I didn’t see a screenshot in the complaint’s body). I couldn’t immediately find the referenced link on Reddit’s landing page. To find it (I had to do a word search), you have to scroll down and look at the bottom of the third column (under the “popular communities” widget). Here’s what I saw on June 6 in Firefox after scrolling down some:

Do you see the words “user agreement” in the bottom right? That is the foundation of the breach of contract claim. Virtually invisible link. No call to action. No action button. Nothing to ensure that parties have notice or manifest their assent. FFS.

It’s even more shocking because courts recently have been dramatically raising the bar on contract formation expectations. “Sign-in-wrap” formations that historically were just fine are failing with alarming frequency. Yet, Reddit thinks it’s going to win without even so much as a sign-in-wrap???

To put it another way: if Reddit wins the breach of contract claim based on this allegation, it will completely blow up online contract formation law as we currently know it. For more on this, see my slide deck from my May presentation on online contract formation.

Now, Reddit has more arguments it could possibly make to bind Anthropic to contract terms. It could try the Register.com v. Verio/Restatements 69 contract formation workaround. It could argue that Anthropic has publicly admitted that the TOS terms bind it. It could argue that Anthropic employees created Reddit accounts and thus learned about the restrictive terms during the account formation process. It could argue that Anthropic knew about the Robots.txt restrictions and somehow that turned the Robot.txt instructions into a contract. It could argue that Anthropic’s robots clicked on the user agreement link and assented as Anthropic’s legal agents. These are all theoretical arguments because Reddit doesn’t appear to be arguing any of this yet (some of these arguments would require an amended complaint).

What Reddit cannot do is successfully argue that its home page link to “user agreement” creates a binding contract. Browsewraps without a call-to-action are not a contract. Claiming otherwise puts Reddit–and its very capable and expensive lawyers–at risk of massive and unrelenting public and judicial derision.

Reddit’s trespass to chattels claim isn’t much better. Here’s how Reddit pleads Anthropic’s knowledge of the server delimitations: “Anthropic knowingly exceeded the permission granted by Reddit to access Reddit’s personal property, including its technological infrastructure and servers.” This is a threadbare allegation of knowledge without specifying any supporting facts. The complaint’s recitation of facts only marginally improve this. Further, as Kieran notes, the TTC harm statement is also pretty weak in light of the Hamidi standard.

__

Two other noteworthy points about this lawsuit.

A real party-in-interest to this lawsuit is OpenAI. Now that OpenAI is paying a license fee to Reddit, they need all of their rivals to bear the same costs. If Reddit can’t impose license fees on Anthropic, assume that OpenAI will look for other ways to jack up Anthropic’s cost structure to more closely mirror OpenAI’s. I explain this dynamic in my Generative AI is Doomed paper.

Also, Reddit frames itself as the champion of its users’ interests, but Reddit is walking a fine (and awkward) line. Sure, it’s nominally defending its users from rapacious scraping malefactors. But in practice, even Reddit’s values have a price tag. Reddit isn’t opposed to third parties profiting from its users’ content; it just needs its vig.

* * *

Kieran’s Supplement

Following up on Eric’s comments.

Under any reasonable current interpretation of California law, the breach of contract claim should be gone. There’s no evidence of actual or constructive knowledge of the online agreement in the complaint. There is case law in other jurisdictions that says that a sophisticated business may be held liable for breach of contract even when there is no proof of actual notice in the record (CouponCabin LLC v. Savings.com, Inc., 2017 WL 83337 (N.D. Ind. Jan. 10, 2017); Int’l Council of Shopping Ctrs., Inc. v. Info Quarter, LLC, No. 17-5526 (S.D.N.Y. May 7, 2019)), and when a business also has an online agreement that is similar to the one that is being enforced. DHI Group, Inc. v. Kent, No. 16-1670 (S.D. Tex. Oct. 26, 2017). But that reasoning has never been applied in California.

Perhaps Reddit might argue in a reply that the semi-omniscient “bots” have or should have knowledge of the terms and that knowledge should be imputed to Anthropic. But that argument is without precedent in California, either. If Reddit’s allegations pass muster for “actual or constructive knowledge,” then this would be a complete evisceration of the current standard for knowledge of actual or constructive knowledge of an online agreement for a sophisticated business in California.

The post Reddit Challenges Anthropic’s Scraping to Create Generative AI Models (Guest Blog Post) appeared first on Technology & Marketing Law Blog.

This summer, I wrote that the jury trial between Ryanair and Booking Holdings ended in the strangest way possible. The jury returned a verdict that Booking Holdings had caused exactly $5,000 in legally cognizable “loss” to Ryanair under the CFAA—the statutory minimum to establish a CFAA claim.

Of course, there’s no way that the actual damages caused by one company to another under the CFAA would match the statutory loss threshold to the cent. What really happened was that the judge gave a jury instruction that confused the hell out of the jury, and so the jury returned a meaningless and indefensible verdict, one that was certain to be appealed.

And so it comes as no surprise that there were some post-trial fireworks in this case. On January 22, Booking.com’s renewed motion for judgment as a matter of law (“JMOL”) was granted. That indefensible jury verdict was overturned.

The JMOL had two primary conclusions:

First, that the CFAA has extraterritorial application, and therefore it was appropriate for this court to apply the CFAA here. This is an incredibly controversial holding. By the time trial rolled around, this case involved only an Irish plaintiff (Ryanair) and a Dutch defendant (Booking.com B.V.).

Now, one might reasonably think that an American court has no business adjudicating a business dispute between two European companies, when that case might result in an extraterritorial injunction that directly conflicts with European laws in their home countries. But this court says, not so. The court’s reasoning was that because the definition of “protected computer” includes computers located outside of the United States, that this is a clear, affirmative indication of the CFAA’s extraterritorial application, even though the statute itself does not say that it has extraterritorial application. And, of course, the statute itself was drafted long before the Internet was in ubiquitous use, so the drafters could never have contemplated this situation. That holding has enormous potential ramifications for companies around the world, but it didn’t end up being dispositive to the parties in this dispute.

Second, and more importantly for the parties in this dispute, the court found that Ryanair did not meet its burden of proving at least $5,000 of “loss” attributable to Booking.com (or, in the alternative, obtaining $5,000 in value from alleged fraud). The judge determined that certain costs, such as customer service agent expenses, did not qualify as a loss, and determined that only $2,457.72 from Ryanair’s antibot technology “Shield” were attributable as losses under the CFAA. Because Ryanair did not meet the $5,000 CFAA loss threshold after the judge’s re-evaluation of the facts in the case, the judge threw out the adverse jury verdict under the CFAA.

And so, four and a half years after the initial complaint was filed, the case ended with no finding of liability for either party.

In the end, two parties paid many millions in legal fees to determine whether one party had caused another $5,000 in “loss” under the CFAA. They engaged in this absurd legal dance because Ryanair wanted injunctive relief. It wanted a worldwide, enforceable court order to get Booking and its affiliates to stop reselling Ryanair flights. I do not think that’s what the drafters of the CFAA had in mind.

I blame this result on this court’s definition of technological harm. Here’s what happened:

After being provided the CFAA definition of “loss,” the jury was instructed that “the cost of responding to an offense may be considered a loss even if no actual technological harm has occurred, as long as the response is directed at technological harm, such as preventing an impending unauthorized access or investigating the method by which an offender accessed the computer, rather than business or other harms, such as investigating how the offender used the access for commercial gain.” Dkt. No. 453 at 5. The jury was further instructed that they “should not offset any losses by any profits Ryanair may have received as a result of Booking.com’s actions,” and that “[l]osses do not include any costs that are not borne by Ryanair.” Id.

JMOL at 16.

This is equal parts nonsensical and confusing.

According to the Supreme Court in Van Buren, the definition of loss under the CFAA “focus[es] on technological harms—such as the corruption of files—of the type unauthorized users cause to computer systems and data.” Van Buren v. United States, 593 U.S. 374, 392 (2021). But according to this court, a party can establish technological harm “even if no actual technological harm has occurred,” as long as they investigate non-harm in a technological way.

Huh? Got that?

This standard is confusing, easy to manipulate, and seems to contradict the direct language of the Supreme Court and the statute itself. It also is at odds with any sort of common-sense understanding of what constitutes technological harm. And because it allows plaintiffs to bootstrap a definition of technological harm in the absence of actual harm, it incentivizes companies to pursue business grievances through the CFAA. And apparently now companies can do this regardless of whether they have any connection to the United States, assuming they operate online and some of their business is transacted here.

If this is what passes as technological harm, then more CFAA absurdity is certain to come in the near future.

Case Citation: Ryanair DAC v. Booking.com BV, 1:20-cv-01191-WCB (D. Del. Jan. 22, 2025).

The post Court Overturns a Bad Jury Verdict Against Scraping–Ryanair v Booking (Guest Blog Post) appeared first on Technology & Marketing Law Blog.

Last year, I wrote about how Elon Musk had inadvertently become web scrapers’ most powerful legal advocate. Not because he wanted to advocate for them. But rather, in seeking to enforce a no-scraping ban in X Corp.’s terms of use in a way that was targeted to stifle speech that was critical of him in X Corp. v. Center for Countering Digital Hate, he gave a face to the strongest policy arguments in favor of scrapers. Now, other scrapers get to apply those arguments in every commercial dispute as legal precedent.

Last year, he also engaged in a rather ham-fisted attack on Bright Data, the world’s largest web scraper. And he lost on a motion to dismiss against them, too.

But Musk, for all his flaws, is persistent. And he has unlimited resources to spend on legal fees, which makes for a dangerous combination. [FN] He hasn’t given up on either case. He’s appealing the CCDH case to the Ninth Circuit. And X Corp. also sought to amend its claims against Bright Data to add a host of new legal claims.

[FN from Eric: per the Isaacson biography, in a poker game, Musk went all-in on every poker hand until he eventually won].

On November 26th, X Corp. mostly prevailed in its motion to bring additional claims against Bright Data. On December 17th, Bright Data answered and added counterclaims against X Corp., including antitrust claims.

It’s rare in the web-scraping world when a party that seeks to stop scraping engages with a company with the resources to fight back and the appetite to do so. But that’s what’s happening here. X Corp. won’t relent. And for Bright Data, scraping is their business, and business has been good.

This makes me think that a lot of important precedent is going to come out of this case, and I think we’re just at the beginning.

November 26th Order on Motion for Leave to Amend Claims

The November 26th order was unusual in a lot of ways. For one, the decision of whether to allow a party to amend claims is a matter of judicial discretion. There isn’t a legal standard to satisfy to amend your claims. If the judge thinks it’s reasonable, the judge can allow it. But here, the judge invited the parties to engage in extensive letter-briefing on the motion to amend the claims. In so doing, the motion to amend claims became a mini-motion-to-dismiss by a different name. Which is why we ended up with a 21-page order on a motion to amend claims.

X corp. sought to amend its claims with revised trespass to chattels, Section 17200 of the California Business and Professions Code, tortious interference with a contract, and breach of contract claims. And it sought to supplement its complaint with DMCA, CFAA, and CDAFA claims.

Here’s how it went:

Trespass to Chattels

Trespass to chattels was the primary legal claim used to stop scrapers in the late 1990s and early 2000s. But after Hamidi in 2004, CFAA and breach of contract claims became the primary means that websites used to stop scraping.

It’s experiencing a revival again. X Corp. alleged that it purchased 10-20% more server capacity to deal with the traffic jumps caused by scrapers. The judge decided that this was an “actionable deprivation of use” of its servers, and allowed the TTC claims to proceed.

Section 17200

Section 17200 prohibits unlawful, unfair, and fraudulent business acts. Here, X Corp. convinced the judge that “deceptive” conduct is necessary to scrape at the scale done by Bright Data. X Corp. limits access by IP address, requires the user to agree to terms, and otherwise seeks to limit access to content to human users. According to the court, “scrapers take active steps that serve no purpose but to trick X into given them not a second, not a third, but a millionth turn to see the sites (citations omitted).”

X Corp’s motion to amend its 17200 claim to include fraudulent acts was granted. But its motion to amend its 17200 claim to add “unfair” acts was denied, as the court found that X Corp. was simply trying to eliminate competition.

Tortious Interference

The court previously dismissed X Corp.’s tortious interference claim because it had not plausibly alleged damages. Now, because the court accepted X Corp.’s arguments with respect to server impairment, it granted X Corp.’s motion to amend its tortious interference claim.

Breach of Contract

Here, again, the court bifurcated its analysis of the breach claim with respect to claims involving the access of data and claims involving scraping of data. Again, the court granted X Corp.’s motion to amend the complaint with respect to access-related claims on the basis that Bright Data’s accessing of X Corp.’s servers was impairing its servers. But the court denied X Corp.’s claims with respect to scraping of data on the basis that they were preempted by copyright.

Supplemental Claims

X Corp. also sought to add three new claims: DMCA, CFAA, and CDAFA claims. Bright Data did not oppose X Corp.’s motion to amend its claims but instead told the court of its intention to file a motion to dismiss on these claims. The court wrote:

If Bright Data believed these claims were dead on arrival, it should have said so at the first chance. Without prejudice to ruling in Bright Data’s favor on a later motion opposing these amended claims, the Court will not consider such a motion at this time. Bright Data should allow discovery to proceed and the case to develop. Then, if Bright Data still believes a motion appropriate as to any of these claims, Bright Data may move for summary judgment.

Dkt. 156 at 21.

I’m not a civil procedure expert, but I’ve never heard of a court saying that waiving the right to challenge leave to amend is also a waiver of the right to file a rule 12 motion. But that’s what happened here. That further underscores the bizarre procedural posture of this order. And that augurs a long and bumpy road ahead for both parties.

Counterclaims

On December 17th, 2024, Bright Data brought some claims of its own. Namely, claims for violation of Section 1 of the Sherman Act, Monopolization under Section 2 of the Sherman Act, Attempted Monopolization under Section 2 of the Sherman Act, violation of the California Cartwright Act, violation of the California Unfair Competition Act, violation of the Nevada Unfair Trade Practice Act, violation of the Texas Free Enterprise & Antitrust Act, and Tortious Interference with Prospective Customer Relationships.

The suit alleges that X perceives Bright Data to be one of its biggest competitors in the “Public Square Data” market and brought suit to restrict it from accessing public data.

Bright Data’s attorneys have done an excellent job litigating on its behalf recently, but this is a particularly bold move. Public square arguments directed at private companies rarely succeed. But it would always take creativity to suggest that Bright Data and Twitter are in the same relevant market. On the one hand, it’s obvious that Twitter’s conduct here is in part motivated by anti-competitive animus. On the other hand, it is not obvious how Twitter’s conduct fits into the historically successful antitrust buckets.

Here, Bright Data has alleged many antitrust theories, under many state and federal laws. Maybe one or two will stick.

Final Thoughts

As is always the case in web-scraping or data-access disputes, the party seeking access typically doesn’t just carry the burden of prevailing on some of the legal claims. To avoid injunctive relief, they usually carry the burden of prevailing on all their legal claims. And so while the legal theories used to block scrapers continue to evolve from trespass to chattels to the CFAA to breach of contract to the DMCA, the stakes remain the same. The party looking to stop scraping just needs one legal theory that lands with the judge, and they can likely obtain injunctive relief.

Though if a party seeking access to data were to ultimately prevail through trial on its antitrust claims, that narrative might change as well. Regardless, this case has all the elements of a heavyweight legal fight, and it will be a case to watch closely in 2025 (and probably beyond).

The post Catching Up on the Heavyweight Scraping Battle Between X and Bright Data (Guest Blog Post) appeared first on Technology & Marketing Law Blog.

My headline makes it sound like this is a run-of-the-mill outcome, but nothing about 230 is routine any more in the Ninth Circuit after the Calise and YOLO cases.]

Jeremy Ryan claims “that he is a successful “NFT artist” who utilizes his account on X to “further develop his cryptocurrency and NFT community,” and to “promote his NFT projects.”” He says Twitter suspended seven of his accounts without warning and not in response to any TOS breaches, and he claims the suspension damaged his cryptobusiness (and his cryptobro-iness). Twitter’s TOS says it can unilaterally pull the plug any time it wants, but Ryan tried to mine other site disclosures to manufacture promises he allegedly relied upon.

Section 230

Much of this case turns into a surprisingly easy Section 230 dismissal.

ICS Provider. X is “inarguably” an ICS provider.

Third-Party Content. “Ryan seeks to hold X liable for decisions it made regarding ‘information provided by another information content provider,’ i.e. information that he, rather than X, provided.”

Publisher/Speaker Claims. “Ryan seeks to treat X as a publisher for most of his claims because most arise from X’s decision to suspend his seven accounts and suspension is a traditional publishing function according to the Ninth Circuit….the activity that most of Ryan’s claims challenge boils down to X’s decision to exclude Ryan’s material from its platform. To the extent that is the case, his claims are barred by section 230.”

Breach of Contract. “Ryan’s breach of contract claim fails as a matter of law because it is barred by section 230(c)(1)….his suspension was undertaken by X in its capacity as a publisher of information.”

To navigate the recent Calise and YOLO rulings, the court reaches back to the Roommates.com en banc opinion and the Barnes opinion to indicate that Section 230 applies whenever a claim is based on information publishing, including breach of contract. As “in Barnes, the duty Ryan argues X breached can be similarly distilled; the duty to maintain or suspend users’ accounts arises from its Terms and its status as a publisher.” The court cites to Murphy v. Twitter, Zimmerman v. Facebook, and many other account termination/content removal cases.

The court tries to distinguish the Calise ruling:

the breach of contract cause of action in Calise asserted that plaintiff had relied on an “enforceable promise” Meta allegedly made to prevent fraudulent advertising on its platform. That promise, the Ninth Circuit held, was distinguishable from its performance; as such, the breach of contract claim arising from Meta’s failure to fulfill it sought to hold Meta liable for behavior that was not identical to publishing behavior…

Ryan’s breach of contract claim is not analogous to the breach claims in Calise or Barnes. Ryan is trying to impose liability upon X arising from its actions as a publisher, not its failure to fulfill some promise separate from that role.

Does that distinction persuade you?

Later, the court says “statements made in a social media site’s terms and community standards do not amount to a legally enforceable promise,” which is true, but that pertains to the prima facie case, not the Section 230 elements.

The court summarizes: “Ryan’s breach of contract claim, as pleaded, falls squarely within section 230 immunity….There is only the company’s decision to suspend his account, which courts have time and time again found to be a publishing decision covered by section 230 immunity.”

The way I see it, Judge Orrick is defying the Calise and YOLO panels’ overreading of the interplay between Section 230 and contract breach claims, essentially telling those Ninth Circuit panels to suck it. I think Judge Orrick is on the side of righteousness, but perhaps not on the side of precedent. I’m sure an appeal in this case will give us more data on the Ninth Circuit’s temperature on the 230/contract breach interface.

Contract Interference. Any interference between Ryan and his contracting parties is due to Twitter’s publishing decision to suspend his accounts.

Conversion. The allegedly converted assets were Ryan’s “digital property rights to his social media account.” That doesn’t sound like convertible assets to me. The court says the suspension of those assets was a publishing decision. In a footnote, the court adds “Ryan’s theory of conversion ignores that X’s Terms give it the right to suspend his accounts for “any” or “no” reason.”” Note that this is the same right that X has been trying to vindicate in the bankruptcy sale of Alex Jones’ X accounts.

Unjust Enrichment. In the December ruling, the court holds that this claim is preempted by Section 230. Ryan alleged the following unjust enrichment: “X is wrongfully deriving and retaining a benefit from Ryan’s intellectual property because it still generates advertising revenue from ads that continue to run alongside Ryan’s suspended accounts even though Ryan cannot himself access his accounts or the content they hosted.” Putting aside the obvious IP preemption problems with this argument, the court says:

Ryan’s unjust enrichment claim attempts to hold X liable for decisions it made as a publisher and is accordingly barred by section 230. X decided to suspend Ryan’s accounts (a publishing activity) and it continues to allow various entities to advertise on its platform (also a publishing activity). This claim does not attempt to hold X liable for alleged misrepresentations or false promises. Ryan does not assert that X promised him that it would not continue to generate ad revenue from advertisements associated with his suspended accounts—he merely challenges its decision to do so.

The ICS/ICP Distinction. In the December ruling, Ryan argued that Section 230 applies only if the defendant isn’t also an ICP. While this is true, it’s too vague. I wonder if Ryan was making an (insipid) Anderson argument that Twitter became an ICP for third-party content by exercising its editorial discretion….? The court says it doesn’t understand what argument Ryan is making. The court guesses that Ryan is arguing that “the “challenged activity” (i.e. X’s suspending of his accounts) may have been taken “entirely by another information content provider,” meaning X’s AI system, [so] he has shown a dispute about whether the challenged content is provided by “another” information content provider.” As recapped by the judge, the argument goes nowhere because it would be stupid. “Whether X or its AI system or some combination thereof made the decision to suspend Ryan’s accounts, the content at issue on those accounts was content provided by “another” information content provider other than X or its AI system: Ryan.” As I have tried to explain before, content that originates with third parties remains third-party content throughout its life cycle, regardless of what happens to it.

But the Algorithms. Ryan argued that Twitter uses “AI” for content moderation. The court is like…so…?

no authority suggests that X’s use of a generative AI model to do content regulation deprives it of section 230 immunity. Nothing in the plain language of the statute suggests that X would be denied section 230 protection because it uses an AI system for content moderation. No court has held otherwise….

Ryan has offered no authority that suggests section 230 protections are to be rescinded from interactive computer services that use AI systems to moderate content. X’s decision to suspend—and its act of suspending—Ryan’s accounts was publishing activity that falls within the scope of section 230

In a footnote, the court adds that the Moody case didn’t provide any “substantive guidance” about the use of AI for content moderation.

First Amendment

In a footnote from September, the court said:

given the Supreme Court’s recent holding in Moody v. NetChoice, 144 S.Ct. 2383 (2024), where the Court confirmed that “[w]hen [social media] platforms use their Standards and Guidelines to decide which third-party content those feeds will display . . . they are making expressive choices [meaning] they receiving First Amendment protection,” the same claims that are barred by section 230 would probably fail under Moody.

I agree 100%, but note that this exact same argument is what led the Anderson v. TikTok court in the Third Circuit to DENY Section 230. That was such a bonkers and pernicious ruling. More on the 230/First Amendment interface.

Promissory Estoppel

Per Barnes, promissory estoppel isn’t barred by Section 230(c)(1). Nevertheless, it fails on its prima facie elements:

The Complaint does not identify anything that I can reasonably interpret as a “promise” by X to not suspend his account in the manner that it did. Those “unambiguous personal promises and assurances” alleged in the Complaint included, by Ryan’s own account, statements that X “reserved the right to remove Content that violates the User Agreement.” And X told Ryan it suspended his accounts because one or more of those accounts “broke the X Rules.” Id. Moreover, as discussed, X’s Terms stated explicitly that it could suspend accounts for “any … or no reason.”

The 230 promissory estoppel workaround is almost always a dead-end for plaintiffs.

Twitter’s TOS

In the December ruling, the court says flatly: “All of Ryan’s claims are barred by the Terms, which provide that the platform may stop
providing its services to users for any or no reason….All of Ryan’s claims arise from his inability to access X’s services after it suspended his
accounts.” Another reminder that (1) Section 230 isn’t required to resolve this case (though it makes things easier), and (2) the Section 230 workarounds in Calise and YOLO will most likely result in jurisprudential dead-ends for plaintiffs.

Implications

The 230/Promises Interface. My Internet Law students were pretty annoyed with how I taught the Barnes/Calise/YOLO cases this semester. They wanted nice, clean rules, when all I could give them was scattered and dubious data points. This ruling shows that maybe the Calise and YOLO opinions didn’t have as much impact as I thought. At minimum, it’s a sign that, for now, lower court judges may be rebelling against the precedent.

Section 230 Workarounds Make More Work But Don’t Get Around Very Often. Getting around Section 230 is a major accomplishment for plaintiffs, but only when the substantive prima facie claims are also tenable. The swiss-cheesed exceptions to Section 230 largely force plaintiffs to state claims they can’t win on the merits, even if they get around Section 230. No one wins in those circumstances–everyone spends more time and money to reach the same result.

But “AI”… Automated account or content flags are an integral part of content moderation. Both Twitter and Facebook have reduced their reliance on humans to do the first-level review and depend more heavily on automated filters. For me personally, this has produced a string of silly flags at Facebook of my posts (sometimes LinkedIn too). Automated content moderation is hard. But it’s not actionable.

Another Failed Account Termination/Content Removal Case. This case adds to the burgeoning list of failed account termination and content removal cases. The line of defense successes remains effectively unbroken.

Case Citation: Ryan v. X Corp., No. 24-cv-03553-WHO (N.D. Cal. Sept. 4, 2024) and Ryan v. X Corp., 2024 U.S. Dist. LEXIS 222459 (N.D. Cal. Dec. 9, 2024). The CourtListener page.

The post Suspended Twitter User Loses Lawsuit Due to Section 230–Ryan v. X appeared first on Technology & Marketing Law Blog.