QVC, Inc. v. Resultly, LLC
159 F. Supp. 3d 576, 2016 WL 521199, 2016 U.S. Dist. LEXIS 16053 (2016)
Premium Feature
Subscribe to Lexplug to listen to the Case Podcast.
Rule of Law:
Accessing a publicly available website can be 'without authorization' under the Computer Fraud and Abuse Act (CFAA) if the user is on notice that its method of access is prohibited, which can be established through a contractual obligation to comply with the website owner's terms and conditions, even if that obligation arises from an agreement with a third party.
Facts:
- QVC, an online retailer, operated an affiliate marketing program where third-party websites ('Publishers') could earn commissions.
- VigLink, Inc. became an approved Publisher by agreeing to the QVC Publisher Agreement, which granted a non-transferable right to access QVC's website and prohibited sublicensing.
- The QVC Publisher Agreement also restricted Publishers to using only promotional materials and product information provided to them by QVC.
- Contrary to its agreement, VigLink entered into a deal with Resultly, LLC, allowing Resultly to act as a 'sub-publisher' under VigLink's account.
- Resultly's agreement with VigLink required Resultly to comply with the terms and conditions of merchants in the affiliate program, like QVC.
- Resultly operated a web-crawling program to gather real-time product information from internet shopping websites.
- On May 9 and 11, 2014, Resultly's program 'bombarded' QVC’s website with an extremely high volume of requests, ranging up to 36,000 per minute.
- This high volume of requests overloaded QVC's servers, making the website inaccessible to customers for many hours and causing lost sales.
Procedural Posture:
- QVC, Inc. sued Resultly, LLC, its CEO Ilya Beyrak, and VigLink, Inc. in the United States District Court for the Eastern District of Pennsylvania.
- QVC filed an Amended Complaint alleging claims for breach of contract, violations of the Computer Fraud and Abuse Act (CFAA), and various state law torts.
- All three defendants filed separate motions to dismiss the Amended Complaint for failure to state a claim upon which relief can be granted.
Premium Content
Subscribe to Lexplug to view the complete brief
You're viewing a preview with Rule of Law, Facts, and Procedural Posture
Issue:
Does a web crawler access a publicly available website 'without authorization' under the Computer Fraud and Abuse Act (CFAA) when its access is prohibited by the terms of a publisher agreement that it was contractually obligated to follow through a third-party agreement?
Opinions:
Majority - Beetlestone, District Judge
Yes, a web crawler accesses a publicly available website 'without authorization' under the CFAA when its access is prohibited by terms it was contractually obligated to follow through a third party. While a public website generally grants authorization to the public, that authorization can be rescinded or limited if a party is put on notice of a prohibition. Here, QVC's Publisher Agreement implicitly forbade web-crawling by limiting publishers to using only QVC-provided product information. Although Resultly was not a direct party to that agreement, it had agreed to VigLink's Terms of Service, which required it to comply with QVC's terms. This contractual chain was sufficient to put Resultly on notice that its web-crawling was prohibited, making its access 'without authorization' under the CFAA. Therefore, while the CFAA claims requiring 'intent to damage' or 'intent to defraud' are dismissed as implausible, the claims based on unauthorized access that recklessly caused damage or obtained information are permitted to proceed against Resultly and its CEO. However, all claims against VigLink premised on vicarious liability fail because the complaint does not sufficiently allege a master-servant relationship giving VigLink day-to-day control over Resultly's methods.
Analysis:
This decision is significant for expanding the definition of 'without authorization' under the CFAA in the context of publicly accessible websites. It establishes that notice of prohibited access does not require technological barriers (like a password) or direct communication (like a cease-and-desist letter). Instead, a contractual chain of obligations can create liability for a downstream party, like a sub-publisher, who violates terms they were required to follow. This ruling affects online businesses by highlighting potential CFAA liability for contractors or affiliates who use automated tools in violation of a primary merchant's rules, even without direct privity of contract. It underscores the importance for companies using web scrapers to conduct due diligence on the full scope of contractual limitations that may apply to their activities.
