The Computer Fraud and Abuse Act (CFAA) imposes criminal penalties and establishes a civil cause of action against anyone who “exceeds authorized access” to a computer. 18 U.S.C. § 1030(a)(2). Earlier this year, the Supreme Court held that the CFAA does not apply when individuals who are authorized to access a website then violate the website's “terms of service” by obtaining information from the site's database for an improper purpose. Van Buren v. United States, 141 S. Ct. 1648, 1661 (2021). Did the Supreme Court's interpretation of the CFAA leave the victims of one species of this activity—known as data scraping—helpless? A recent decision, by a lower court, says that the answer to this question may be no, and that they may have another path to relief: good old-fashioned breach of contract claims.

In Southwest Airlines Co. v. Kiwi.com, Inc., a federal district judge granted a preliminary injunction in a data-scraping case based on a breach of contract claim, preventing Kiwi from “harvesting, extracting or scraping information from the Southwest [Airlines] Website.” But to show that a contract existed between the parties, Southwest had to do more than show that Kiwi violated the terms of Southwest's website. Rather, it had to show that Kiwi continued to use Southwest's website after it had actual knowledge of the website's terms.

Kiwi operates an online travel agency. As part of its business, Kiwi would obtain (or, “scrape”) “flight and pricing data” from Southwest's website, purchase tickets from the website, and then resell the tickets—at prices higher than Southwest's. This violated the terms of Southwest's website (“Terms”), which prohibit online travel agents from selling its tickets unless they've been authorized. According to Southwest, prohibiting these sales allows it “to deal directly with its customers, control the customer experience, ensure customer satisfaction, protect customers from misinformation, control costs, and promote other travel services like hotels and car rentals.”

Southwest showed that Kiki's unauthorized sales damaged it by “divert[ing] customers away from Southwest's website” and also by “misrepresent[ing] Southwest's policies and procedures, provid[ing] false booking information, upcharg[ing] customers fees for services and features that Southwest offers for free, and encourag[ing] customers to book “hidden city” fares . . . .” Booking “hidden city” fares was particularly harmful to its business, Southwest asserted. This practice involves situations where the “passenger's intended destination is not the ticketed final destination but instead a connecting city,” yet booking the ticket to the fictional final destination results in a lower fare to the connecting city (where the passenger ends his or her trip, never taking the final leg of the flight as ticketed). Southwest prohibits this practice for numerous reasons, saying that it causes “logistical, operational, and public safety” problems, including “disruptions at the airport gate” and the need for “maintenance adjustments.” As examples, Southwest said that the practice sometimes resulted in it “trying to locate Kiwi passengers for the connecting flight” that they were never taking, and also that it caused the airline to have to deal with confused passengers who wanted to check their bags to their final destination but weren't allowed to (since their final destination was really only a connecting city). Moreover, Southwest asserted that Kiwi's unauthorized sales of Southwest flights had “led to a flood of customer complaints,” including “hundreds of complaints and issues related to flight purchases, travel experiences, or refund requests for trips booked through Kiwi.” According to Southwest, customers complained that they hadn't received notice of schedule changes or delays, that they hadn't been able to make changes to or cancel their reservations, and that they were confused about Southwest's baggage policies and fees—and they blamed Southwest for Kiwi's actions.

While Southwest took pains to make users of its website aware of its Terms, it began sending cease and desist letters—always attaching a copy of its Terms—to Kiwi's predecessor in 2015. And after receiving “escalating reports” of “angry customers” whose “complaints arose from Kiwi bookings,” Southwest sent a cease and desist letter directly to Kiwi in December 2020. Southwest then sued Kiwi the next month for, among other things, both breach of contract (due to Kiwi's violation of the Terms) and violation of the CFAA, and moved for a preliminary injunction. The court considered Southwest's motion using the traditional four-prong standard.

Regarding the first prong—likelihood of success—the court found that Southwest established a substantial likelihood of prevailing on its breach of contract claim. Initially, the court discussed an opinion from another judge in the Northern district of Texas, Southwest Airlines Co. v. BoardFirst, No. 3:06-CV-0891-B, 2007 WL 4823761 (N.D. Tex. Sept. 12, 2007), in which that judge had found that the defendant's use of Southwest's website, with actual knowledge of its terms (acquired via a cease and desist letter), constituted acceptance of the terms. Kiwi argued that the law had changed since that opinion, relying on a Ninth Circuit case—hiQ Labs v. LinkedIn, 938 F.3d 985 (9th Cir. 2019)—but the court rejected that argument. The court held that hiQ involved the CFAA (the court had held that the CFAA did not prohibit a defendant from extracting public data “when a computer network generally permits public access to its data”), but that it did not preclude Southwest's breach of contract claim. Indeed, the court noted that the hiQ opinion acknowledge[d] [that] a plaintiff could have a breach of contract claim even in the absence of a CFAA violation.” The court also noted that the Supreme Court vacated and remanded hiQ for further consideration in light of its decision regarding the CFAA in Van Buren.

Still discussing the first prong, the court then turned to whether a contract had been formed between Kiwi and Southwest, and said that “when Kiwi continued to use the Southwest website in connection with Kiwi's business with actual knowledge of the Terms, Kiwi ‘bound itself to the contractual obligations imposed by the Terms.'” Indeed, in concluding that Kiwi had actual knowledge of the Terms, the court had a lot to point to, including (1) the notice on Southwest's website stating that “Use of the Southwest websites and our Company Information constitutes acceptance of our Terms”; (2) the fact that in purchasing Southwest tickets, which Kiwi did over 20,000 times, it had to click on a button stating that it was agreeing to the Terms; (3) Kiwi's own statement, when selling Southwest tickets on its own website, that “All services provided by Southwest Airlines are subject to their Terms”; and (4) Kiwi's receipt of Southwest's cease and desist letters, each of which included a copy of the Terms. The court further found that Southwest had demonstrated its own performance under the Terms and that Kiwi had breached them. The court concluded, as a result, that Southwest had established a likelihood of success on its breach of contract claim.

As to the second prong—irreparable injury—the court found, for all the reasons previously discussed (and a few others), that Southwest had suffered damage to “its reputation and goodwill and these damages cannot be quantified.” Moreover, in reaching its conclusion, the court rejected Kiwi's principal argument in contesting irreparable injury—that Southwest unreasonably delayed in bringing suit. Specifically, Kiwi argued that because Southwest decided to wait until 2021 to sue Kiwi, even though it was aware of Kiwi's conduct since at least 2015 (when it sent its first cease and desist letter to Kiwi's predecessor), that means that “any harms it face[d were] not irreparable.” As the court noted, however, Southwest presented evidence that “the situation changed fundamentally in late 2020, when Southwest received escalating reports” of “angry customers” attributable to Kiwi. Accordingly, the court concluded that Southwest had provided “a reasonable explanation” for not suing Kiwi earlier, and that it should not be denied injunctive relief on this ground.

On the third prong—balance of harms—the court found that it weighed in favor of granting the preliminary injunction. The court concluded that Southwest had “shown that Kiwi's unauthorized sales of its flights poses a significant disruption to its customer operations,” while Kiwi did not even list Southwest “as one of [its] ‘top 20 airlines.'”

Concerning the fourth and final prong—the public interest—the court found that an injunction would protect consumers from “being deceived and overcharged” and that it would further the “expectation that parties to contracts will honor their contractual obligations.”

The court thus entered a preliminary injunction preventing Kiwi from engaging in various activities, including data-scraping Southwest's website, publishing Southwest's flight or fare information on its (Kiwi's) website, or selling any Southwest flights (either on its website, through its mobile applications, or anywhere else). Moreover, the preliminary injunction included two other, very broad clauses, one preventing Kiwi from “otherwise accessing and using Southwest's Website and data for any commercial purpose” and the other prohibiting Kiwi from “committing any other acts in violation of Southwest's Terms & Conditions.”

This decision demonstrates that regardless of how significantly the Supreme Court's Van Buren decision limited the CFAA, data-scraping victims may still have a viable remedy for breach of contract. But the case demonstrates that good practices are the key to victory. Southwest made its Terms readily accessible and required users to acknowledge them when buying tickets. And Southwest sent multiple cease and desist letters to Kiwi, making sure to attach its Terms to the letters. In this situation, where the plaintiff can easily establish actual knowledge of a website's terms, a properly pleaded breach of contract claim can succeed even where a CFAA claim might not.

The case is Southwest Airlines Co. v. Kiwi.com, Inc., No. 3:21-cv-00098 (N.D. Tex. Sept. 30, 2021).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.