The Rise of Bots and Evolving Law Create Traps for the Unwary

Users of automation technology, beware: The technology that improves performance and quality can also lead the unwary into legal hot water. Certain actions that are legal when undertaken by human hands may cross the line when turned over to “bots” (computer programs that mechanize repetitive tasks).

Rapid changes involving statutes like the Computer Fraud and Abuse Act (CFAA), which addresses computer hacking, and the Telephone Consumer Protection Act (TCPA), which addresses automated calls and text messaging, illustrate the importance of staying up-to-date on not only evolving technologies but also the laws that govern them.

The CFAA: Not Just for Hackers?

Congress enacted the CFAA in 1984 to address “hacking” or “trespassing” onto private, password-protected mainframe computers. The statute prohibits the knowing access of a “protected computer” without authorization. A “protected computer” is defined broadly, encompassing computers used by the government, financial institutions, and those “used in or affecting interstate or foreign commerce or communication.” What constitutes “access” or “authorization” under the statute is not defined and has been the subject of much litigation.

Companies often define the types of access to their websites that they consider to be “authorized” through a terms of use agreement, which typically prohibits access via automated methods. Thus, accessing some business websites with a bot could result in a violation of the site’s terms of use—and the CFAA.

Because violation of the CFAA can result in criminal fines, imprisonment, and civil liability, at least one court has expressed concern that companies could potentially “weaponize” the CFAA simply by revoking authorization for website access. In hiQ Labs, Inc. v. LinkedIn Corp., for example, LinkedIn claimed that a data analysis company violated LinkedIn’s user agreement by using bots to take, or “scrape,” data from LinkedIn users’ public profiles. The company used LinkedIn’s public profile data to generate analyses of employees who were potential flight risks. LinkedIn sent a cease-and-desist letter and restricted the company’s access, claiming that the company’s use of automation violated LinkedIn’s user agreement. In response, the company filed suit seeking a declaration that its access of LinkedIn’s site did not violate the CFAA, and moved for a preliminary injunction.

The court granted the company’s motion for preliminary injunction, finding that the company had shown it was likely to prevail on the merits. The court first considered whether the company’s continued access of LinkedIn’s public profiles constituted “access of a computer without authorization” under the CFAA. Though the court acknowledged there was a colorable basis for LinkedIn’s position, it concluded that “[t]he CFAA was not intended to police traffic to publicly available websites on the Internet,” but instead applies only where access is restricted by passwords or other technology. The court noted the potential for abuse should the CFAA apply to public sites, including using the CFAA for discriminatory and anticompetitive purposes. In so holding, the court relied on the U.S. Court of Appeals for the Ninth Circuit’s 2012 decision in United States v. Nosal, in which the appellate court held that an overbroad interpretation of the CFAA would “expand its scope far beyond computer hacking to criminalize any unauthorized use of information obtained from a computer” and “[make] criminals of large groups of people who would have little reason to suspect they are committing a federal crime.”

The hiQ court likewise rejected LinkedIn’s argument that the company’s automated scraping of user data violated the CFAA. It reasoned that the CFAA’s definition of “authorization” referred to “the identity of the person accessing the computer or website, not how access occurs.” Because this ruling has been appealed to the Ninth Circuit, uncertainty remains over the legality of automated website access.

Texts and Phone Calls Can Violate the TCPA

Similarly, the scope and application of the TCPA remain in flux as this area of law rapidly evolves. Originally enacted in 1991 to address the rise in random telemarketing calls through automatic dialing systems, the statute’s broad reach has ensnared more than just telemarketers. The consequences for violating the TCPA can be severe—each offending call or text message carries $500 in statutory damages, with treble damages if there is a finding of a willful violation. There is no cap on the amount of statutory damages that can accrue.

Generally, the TCPA makes it “unlawful . . . to make any call (other than a call . . . made with the prior express consent of the called party) using any automatic telephone dialing system or an artificial or prerecorded voice . . . to any telephone number assigned to a cellular telephone service”—with some exemptions. Covered calls include text messages. An automatic telephone dialing system (ATDS) is “equipment which has the capacity to store or produce telephone numbers to be called using a random or sequential number generator; and to dial such numbers.” What constitutes an ATDS subject to the TCPA has been, and continues to be, extensively litigated.

The D.C. Circuit Court of Appeals recently clarified what types of calling equipment are subject to the TCPA in ACA International v. Federal Communications Commission, but left other questions unanswered. The ACA decision addressed multiple challenges to the Federal Communication Commission’s (FCC’s) 2015 Declaratory Order, in which it had interpreted the term “capacity” in the ATDS definition as including equipment with the potential to store and produce numbers to be called with a number generator—not just the machine’s present, actual capabilities. The D.C. Circuit vacated the FCC’s interpretation of “capacity” because it would “subject ordinary calls from any conventional smartphone to the Act’s coverage, an unreasonably expansive interpretation of the statute.”

Significantly, the D.C. Circuit also vacated the FCC’s 2003 and 2008 Declaratory Orders in which the FCC found that “predictive dialers” constitute an ATDS. Predictive dialers are “equipment that can dial automatically from a given list of telephone numbers using algorithms to predict ‘when a sales agent will be available.’” The ACA court did not, however, provide any affirmative guidance on the term “capacity,” or what does or does not constitute an ATDS.

In the wake of ACA, a new circuit split is emerging. Courts following the D.C. Circuit in adopting a narrow definition of ATDS include the Second Circuit Court of Appeals in King v. Time Warner Cable, Inc., and the Third Circuit Court of Appeals in Dominguez v. Yahoo!, Inc. For example, in Dominguez, the Third Circuit found Yahoo’s text messaging equipment did not constitute an ATDS because it could not generate and dial random or sequential telephone numbers. By contrast, the Ninth Circuit held in Marks v. Crunch San Diego, LLC, that an ATDS “means equipment which has the capacity—(1) to store numbers to be called or (2) to produce numbers to be called, using a random or sequential number generator—and to dial such numbers.”

Moral of the Story

Businesses that use automated processes to mine data from the Internet, or to make calls or send text messages, would be well advised to stay on top of changes in the law. They should also continually review the functions and capabilities of their systems, as the addition of new software, or the activation of latent features, may lead to costly legal consequences.