On July 18, 2024, a federal jury in Delaware found that an online travel booking company violated the Computer Fraud and Abuse Act (CFAA) by accessing portions of a European airline’s website without permission and “with intent to defraud” the airline. In particular, the jury unanimously found that the online travel company violated the CFAA by using a third-party service provider to scrape the airline’s website to find and resell airline tickets to its own customers at an additional charge. The jury further found that the online travel company’s scraping activity caused damage to the airline of at least $5,000, which the airline alleged resulted from service interruptions to its website, data and/or underlying database, amounts spent by the company attempting to prevent the unauthorized scraping, and other losses.
This ruling continues to offer guideposts in the ever-evolving web-scraping legal landscape: specifically, companies contracting with third-party service providers to scrape websites without authorization may be found liable under the CFAA, at least where the scraped data requires account credentials to access. The district court previously provided valuable guidance on the scope of CFAA liability as it relates to web-scraping in its October 2022 order denying the online travel company’s motion to dismiss. There, while the court agreed with Ninth Circuit caselaw holding that CFAA claims cannot be premised on the scraping of public data, the court held that a CFAA claim could prevail if the airline proved that the online travel company scraped data that could only be accessed with a password-protected account. Based on the jury verdict, the airline appears to have done so.