Davitashvili v. Grubhub

Plain English (For Everyone)

A lawsuit against Grubhub was dismissed because the court found that when you agree to use their service, you give them permission to access your data as described in their terms. Therefore, their actions weren't considered unauthorized, and your claims under federal and state laws were unsuccessful.

For Legal Practitioners

The Second Circuit affirmed dismissal, holding that plaintiffs failed to plead unauthorized access under the CFAA, as assent to Grubhub's Terms of Service constituted authorization for the data practices. State law claims were also dismissed due to preemption or failure to state a claim.

For Law Students

This case illustrates that agreeing to a service's Terms of Service can grant authorization for data collection practices, defeating claims of 'unauthorized access' under the CFAA. Plaintiffs must plead specific facts showing access exceeded granted permissions, not just disagreement with data use.

Newsroom Summary

A federal appeals court ruled that Grubhub did not illegally access user data, finding that customers agree to data collection when they sign up for the service. The decision upholds the dismissal of a lawsuit against the food delivery company.

Standard of Review

De novo review, as the appeal concerns the interpretation of statutes and the sufficiency of pleadings, which are legal questions reviewed independently by the appellate court.

Procedural Posture

The case reached the Second Circuit on appeal from the United States District Court for the Southern District of New York, which dismissed the plaintiffs' class action complaint.

Burden of Proof

The plaintiffs, as the party seeking to bring the claims, bore the burden of proof. They needed to demonstrate sufficient facts to meet the pleading standards for their claims under the CFAA and state law.

Legal Tests Applied

Statutory References

Key Legal Definitions

Rule Statements

By agreeing to the Terms of Service, users grant Grubhub permission to access and use their data in the manner described, which means that Grubhub’s access to user data was authorized.

The plaintiffs have not alleged facts sufficient to establish that Grubhub accessed their accounts without authorization or exceeded authorized access.

Because the plaintiffs’ state law claims are based on the same alleged conduct that forms the basis of their CFAA claim, and because the plaintiffs have failed to state a claim under the CFAA, the state law claims fail.

Remedies

Affirmed the dismissal of the class action lawsuit.

Scenario: You use a popular app and later discover it collects more data than you expected. You want to sue the app company for unauthorized data access.

Your Rights: Your right to privacy regarding data collected by apps is limited by the terms of service you agree to. If the app's terms clearly state they can collect and use your data in the way they did, your ability to sue for unauthorized access is significantly weakened.

What To Do: Carefully read the Terms of Service and Privacy Policy before agreeing to use any online service. If you disagree with the data practices, consider not using the service or exploring alternatives with more favorable terms.

Is it legal for a company to collect data about my usage of their service?

Depends. It is generally legal if the company clearly discloses its data collection practices in its Terms of Service or Privacy Policy, and you agree to those terms. If the collection or use of data goes beyond what was disclosed or authorized, it could be illegal.

This depends on the specific terms of service, the nature of the data collected, and applicable federal and state privacy laws.

For Users of online platforms and apps

Users should be aware that agreeing to Terms of Service grants significant permission to companies regarding data collection and usage. This ruling makes it harder to challenge data practices as 'unauthorized' if they are disclosed in the ToS, even if users didn't fully read or understand them.

For Technology companies and service providers

This ruling reinforces the importance of clear and comprehensive Terms of Service and Privacy Policies. Companies can rely on user agreement to these documents as authorization for their data practices, strengthening their defense against claims of unauthorized access.

Q: What is Davitashvili v. Grubhub about?

Davitashvili v. Grubhub is a case decided by Second Circuit on March 13, 2025.

Q: What court decided Davitashvili v. Grubhub?

Davitashvili v. Grubhub was decided by the Second Circuit, which is part of the federal judiciary. This is a federal appellate court.

Q: When was Davitashvili v. Grubhub decided?

Davitashvili v. Grubhub was decided on March 13, 2025.

Q: What is the citation for Davitashvili v. Grubhub?

The citation for Davitashvili v. Grubhub is 131 F.4th 109. Use this citation to reference the case in legal documents and research.

Q: What was the main issue in Davitashvili v. Grubhub?

The main issue was whether Grubhub's collection and use of user data constituted 'unauthorized access' under the Computer Fraud and Abuse Act (CFAA), or violated state laws.

Q: Is Davitashvili v. Grubhub published?

Davitashvili v. Grubhub is a published, precedential opinion. Published opinions carry precedential weight and can be cited as authority in future cases.

Q: What topics does Davitashvili v. Grubhub cover?

Davitashvili v. Grubhub covers the following legal topics: Computer Fraud and Abuse Act (CFAA), Unauthorized access under CFAA, Terms of service interpretation, Data scraping, Preemption of state law claims, New York General Business Law § 349, Pleading standards for fraud and deceptive practices.

Q: What was the ruling in Davitashvili v. Grubhub?

The court ruled in favor of the defendant in Davitashvili v. Grubhub. Key holdings: The court affirmed the dismissal of the Computer Fraud and Abuse Act (CFAA) claims, holding that the plaintiffs did not sufficiently plead unauthorized access because Grubhub's terms of service permitted the data collection practices at issue.; Plaintiffs failed to establish that Grubhub's alleged data scraping and use of information from third-party websites constituted unauthorized access under the CFAA, as the terms of service provided a license for such activities.; The court found that the state law claims for unjust enrichment and conversion were preempted by the CFAA, as they arose from the same alleged conduct that the CFAA governed.; Even if not preempted, the state law claims failed for lack of particularity in pleading, as the plaintiffs did not adequately allege how Grubhub's actions caused them specific harm or resulted in unjust enrichment.; The court rejected the plaintiffs' argument that Grubhub's alleged circumvention of technological measures constituted unauthorized access, finding the allegations conclusory and unsupported by factual detail..

Q: Why is Davitashvili v. Grubhub important?

Davitashvili v. Grubhub has an impact score of 30/100, indicating limited broader impact. This decision reinforces the importance of carefully analyzing terms of service and pleading specific factual allegations of unauthorized access to survive motions to dismiss under the CFAA. It also clarifies the scope of federal preemption for state law claims arising from similar conduct, potentially limiting plaintiffs' ability to pursue such claims in state courts.

Q: What precedent does Davitashvili v. Grubhub set?

Davitashvili v. Grubhub established the following key holdings: (1) The court affirmed the dismissal of the Computer Fraud and Abuse Act (CFAA) claims, holding that the plaintiffs did not sufficiently plead unauthorized access because Grubhub's terms of service permitted the data collection practices at issue. (2) Plaintiffs failed to establish that Grubhub's alleged data scraping and use of information from third-party websites constituted unauthorized access under the CFAA, as the terms of service provided a license for such activities. (3) The court found that the state law claims for unjust enrichment and conversion were preempted by the CFAA, as they arose from the same alleged conduct that the CFAA governed. (4) Even if not preempted, the state law claims failed for lack of particularity in pleading, as the plaintiffs did not adequately allege how Grubhub's actions caused them specific harm or resulted in unjust enrichment. (5) The court rejected the plaintiffs' argument that Grubhub's alleged circumvention of technological measures constituted unauthorized access, finding the allegations conclusory and unsupported by factual detail.

Q: What are the key holdings in Davitashvili v. Grubhub?

1. The court affirmed the dismissal of the Computer Fraud and Abuse Act (CFAA) claims, holding that the plaintiffs did not sufficiently plead unauthorized access because Grubhub's terms of service permitted the data collection practices at issue. 2. Plaintiffs failed to establish that Grubhub's alleged data scraping and use of information from third-party websites constituted unauthorized access under the CFAA, as the terms of service provided a license for such activities. 3. The court found that the state law claims for unjust enrichment and conversion were preempted by the CFAA, as they arose from the same alleged conduct that the CFAA governed. 4. Even if not preempted, the state law claims failed for lack of particularity in pleading, as the plaintiffs did not adequately allege how Grubhub's actions caused them specific harm or resulted in unjust enrichment. 5. The court rejected the plaintiffs' argument that Grubhub's alleged circumvention of technological measures constituted unauthorized access, finding the allegations conclusory and unsupported by factual detail.

Q: What cases are related to Davitashvili v. Grubhub?

Precedent cases cited or related to Davitashvili v. Grubhub: 17 U.S.C. § 1030; Bell Atlantic Corp. v. Twombly, 550 U.S. 544 (2007); Ashcroft v. Iqbal, 556 U.S. 662 (2009).

Q: Did the court find that Grubhub accessed user data without authorization?

No, the Second Circuit found that Grubhub's access was authorized because users agreed to the company's Terms of Service, which permitted such data practices.

Q: What is the Computer Fraud and Abuse Act (CFAA)?

The CFAA is a U.S. federal law that prohibits intentionally accessing a computer without authorization or exceeding authorized access to obtain information.

Q: How did the court interpret the Terms of Service in this case?

The court interpreted the Terms of Service as a contract where users granted Grubhub permission to access and use their data in the ways described within the agreement.

Q: What happened to the state law claims against Grubhub?

The court dismissed the state law claims, finding they were either preempted by federal law or failed for similar pleading deficiencies as the federal claims.

Q: What does 'unauthorized access' mean under the CFAA?

It means accessing a computer system without permission or exceeding the scope of permission granted. In this case, agreeing to the Terms of Service was deemed sufficient authorization.

Q: How does Davitashvili v. Grubhub affect me?

This decision reinforces the importance of carefully analyzing terms of service and pleading specific factual allegations of unauthorized access to survive motions to dismiss under the CFAA. It also clarifies the scope of federal preemption for state law claims arising from similar conduct, potentially limiting plaintiffs' ability to pursue such claims in state courts. As a decision from a federal appellate court, its reach is national. This case is moderate in legal complexity to understand.

Q: Can I sue a company if I didn't read their Terms of Service?

Generally, no. By using the service after agreeing to the terms, you are typically bound by them, even if you didn't read them. This ruling emphasizes that agreement constitutes authorization.

Q: What should I do if I'm concerned about how an app uses my data?

Before using any service, carefully read its Terms of Service and Privacy Policy. If you disagree with the data practices, consider not using the service or seeking alternatives.

Q: Does this ruling mean companies can do anything they want with my data?

No, companies must still comply with applicable privacy laws and their own stated policies. However, this ruling suggests that data practices disclosed and agreed to in Terms of Service are less likely to be deemed illegal 'unauthorized access'.

Q: What is the significance of this ruling for users?

It highlights the importance of user awareness regarding the permissions granted through Terms of Service agreements and makes it more difficult to challenge data practices if they are disclosed in those terms.

Q: What was the docket number in Davitashvili v. Grubhub?

The docket number for Davitashvili v. Grubhub is 23-521. This identifier is used to track the case through the court system.

Q: Can Davitashvili v. Grubhub be appealed?

Potentially — decisions from federal appellate courts can be appealed to the Supreme Court of the United States via a petition for certiorari, though the Court accepts very few cases.

Q: What is the standard of review used by the Second Circuit?

The Second Circuit reviewed the case de novo, meaning they examined the legal questions independently without giving deference to the lower court's decisions.

Q: What is 'de novo' review?

De novo review means the appellate court considers the legal issues from scratch, as if the trial court had not made any decision on them.