Reddit v. SerpApi: Scraping's DMCA §1201 Pivot
CFAA died as an anti-scraping weapon; contract failed against logged-out scrapers. Reddit and Google now test DMCA §1201 against SerpApi: if evading anti-bot defenses is 'circumvention,' it's a standalone violation — no public-data defense, no fair use, statutory damages per act.
For a decade, the scraping industry fought its legal war over a single statute — the Computer Fraud and Abuse Act — and, mostly, won. The Supreme Court’s 2021 Van Buren ruling narrowed the CFAA; the hiQ v. LinkedIn line protected public-data scraping; and when platforms pivoted to breach-of-contract, the logged-out doctrine from Bright Data v. Meta defeated that too. The public-data defense and the logged-out posture became the canonical playbook.
Two lawsuits filed in late 2025 suggest that playbook may be aimed at the wrong statute.
Reddit, Inc. v. SerpApi LLC (S.D.N.Y., October 2025) and a parallel Google suit against the same vendor (N.D. Cal., December 2025) both advance a novel theory: that bypassing a platform’s anti-bot defenses — CAPTCHAs, rate limits, IP filtering, bot-detection challenges — is circumvention of a “technological protection measure” under DMCA §1201. Not the CFAA. Not breach of contract. Copyright’s anti-circumvention provision — the one written for DVD encryption and DRM.
If that theory survives, it does something the CFAA fight never could. It makes the act of evading anti-bot defenses — the foundational technique of nearly every commercial scraper — a federal violation in its own right, regardless of whether the underlying data is public, and regardless of whether the scraper ever agreed to a terms of service.
- CFAA 2021-22 Public access narrows the hacking theory
- Contract 2024 Logged-out scraping survives ToS theory
- DMCA §1201 2025-26 Circumvention becomes the heavier test
The decade scrapers spent winning a different war
The industry’s hard-won protections are real, but they are narrow, and they are about two things: access and agreement.
Access (CFAA). Van Buren held that “exceeds authorized access” means reaching data you were never permitted to obtain — not using permitted access for a disfavored purpose. The Ninth Circuit’s hiQ rulings read that for scraping: accessing public-facing pages, without bypassing technical access controls, is not a CFAA violation even where the ToS forbids scraping. Plaintiffs who file CFAA claims against public-data scraping now lose.
Agreement (contract). When platforms switched to contract theories, the logged-out posture held. In Meta v. Bright Data (N.D. Cal., January 2024) the court granted summary judgment for Bright Data because it had never logged in — a non-user is not bound by a terms of service it never accepted. Meta dropped the case weeks later. In X Corp. v. Bright Data (N.D. Cal., May 2024) the contract claims were dismissed and the copyright-flavored claims were held preempted.
The lesson the industry internalized: stay logged out, scrape the public surface, document your downstream use, and you sit in the most defensible position the courts offer. That lesson is entirely about access and agreement. DMCA §1201 is about neither.
The §1201 end-run
The new theory targets the circumvention itself. Reddit’s complaint names SerpApi — a search-results-scraping API vendor — alongside Perplexity (the AI answer engine that allegedly bought the data), the proxy provider Oxylabs, and a fourth infrastructure defendant. The pleaded counts are DMCA §1201(a)(1) (circumvention), §1201(a)(2) (trafficking in circumvention technology), civil conspiracy, unjust enrichment, and unfair competition. Notably absent: breach of contract.
The structural twist is what Reddit calls data laundering through Google. The complaint does not allege the defendants circumvented Reddit’s controls. It alleges they scraped Google’s search results — which contain Reddit content — by defeating Google’s bot-detection: rotating IP addresses, masking identities, and mimicking human browsers. Reddit says it proved the pipeline by planting a honeypot post visible only to Google’s crawler and watching it surface in Perplexity’s answers within hours. Google’s own December 2025 suit runs the same §1201 theory against SerpApi directly. Two of the largest platforms on the internet, one statute, one defendant.
As of this writing the theory is untested: the defendants have moved to dismiss, Reddit filed its opposition in April 2026, and oral argument is set for June 30, 2026. Nothing has been decided. But the reason the theory is worth watching is what a win would unlock.
Why §1201 is the more dangerous statute
Four properties make anti-circumvention a categorically heavier weapon than the CFAA the industry spent a decade neutralizing.
No fair-use defense. Fair use is the AI industry’s primary shield, and it is doing real work — see the fair-use fights over model training. But in Apple v. Corellium the copyright claims fell to fair use while the §1201 claims survived, consistent with the view that there is no fair-use defense to anti-circumvention. §1201 routes around the one doctrine scrapers and AI labs lean on hardest.
Statutory damages, per act. §1201 carries statutory damages of $200 to $2,500 for each act of circumvention. Google’s complaint frames the conduct in the billions of circumvention events. That arithmetic is not survivable for a defendant; it is built to force settlement.
No need to own — or prove infringement of — the data. In MDY Industries v. Blizzard the Ninth Circuit applied §1201 to a bot that circumvented World of Warcraft’s anti-cheat, and pointedly rejected the requirement of a nexus between the circumvention and any underlying copyright infringement. Circumvention alone can be the violation. A plaintiff need not prove it owns the scraped data — which is convenient, because platforms like Reddit do not own their users’ copyrights.
CAPTCHAs already qualify. This is not a clean slate. In Ticketmaster v. Prestige Entertainment a court held that a CAPTCHA is a “technological measure” under §1201. Reddit and Google are extending that holding from a ticket queue to the open web’s entire bot-detection layer.
The weak point: whose front door?
The defense has a serious argument, and it is the reason this is litigation and not a foregone conclusion.
Borrowing from the Lexmark “unlocked front door” reasoning, SerpApi argues that §1201 protects measures controlling access to a copyrighted work — not measures that police conduct. Google’s bot-detection, on this view, governs how you behave (how fast, from which client), not whether you may read public search results that any person can see. It is a traffic cop, not a lock.
There is also a three-party problem. Reddit does not own the access control it says was circumvented — Google’s. Stretching §1201 across that daisy chain, from the circumvented party to a third-party content owner, is genuinely novel.
The honeypot is a useful tell here. In Genius Media v. Google, Genius caught a scraper red-handed with a Morse-code watermark in its lyrics — and still lost, because its contract claim was preempted by the Copyright Act. Reddit’s near-identical honeypot is wired to §1201 precisely because §1201 is a standalone statutory right that sidesteps the preemption that sank Genius. The same trap, pointed at a statute chosen to survive it.
What it means for the Apify Store
The reason this matters to a scraping marketplace is not abstract. The targets most in demand across the Apify Store — Google, the social platforms, the marketplaces, the job boards — are precisely the properties that deploy the anti-bot defenses now being recharacterized as §1201 measures. Browse the scraper leaderboards and the concentration is plain: the most-run actors point at exactly the platforms with the most sophisticated bot-detection. The exposure is not theoretical; it tracks demand.
And the industry’s defensive posture does not transfer. The logged-out doctrine was a CFAA-and-contract answer; §1201 is orthogonal to it. Logging out does not un-circumvent a CAPTCHA. Public data does not become un-access-controlled. A scraper can sit in the most defensible CFAA position available and have no §1201 answer at all, because §1201 never asked whether the data was public.
If the theory holds, the defensible-engineering question shifts. It stops being “am I logged out, is this public” and becomes “am I defeating a technical measure, or consuming an interface that was offered to me.” An actor that reads an official API or a deliberately-open feed sits in a different anti-circumvention posture than one that solves a challenge designed to stop it — though, again, exactly where that line falls is what the courts have not yet decided.
The June 30 hearing is the first read. If the §1201 claims survive the motion to dismiss, expect copycats: every platform with an anti-bot budget gains a statute that ignores the public-data defense, carries no fair-use exit, and prices each bypass by the act. If the claims fail, §1201 stays boxed into the cases where the plaintiff owns the access control it is defending — MDY, Ticketmaster — and the CFAA-era playbook holds.
The scraping industry spent ten years proving the data is public. The §1201 wager is that it never mattered.
Sources
- Reddit, Inc. v. SerpApi LLC — docket (CourtListener)
- Google v. SerpApi — complaint (PDF)
- Eric Goldman: Relitigating hiQ Labs and scraping through DMCA §1201
- MDY Industries v. Blizzard Entertainment (9th Cir. 2010)
- Apple v. Corellium — §1201 and the absence of a fair-use defense (EFF)
- Van Buren v. United States (2021)
- Signal Census: Bright Data v. Meta and the logged-out doctrine
- Signal Census: LinkedIn v. hiQ Ninth Circuit doctrine