The Computer Fraud and Abuse Act, a controversial anti-hacking law which bans “exceeding authorized access” on a computer system, was narrowed by the Supreme Court. The court said the law shouldn’t cover people misusing systems they’re allowed to access — and that claiming otherwise would criminalize a “breathtaking amount” of everyday computer use.

The Supreme Court’s majority opinion, delivered by Justice Amy Coney Barrett, concurred. It backed a “gates-up-or-down” approach to authorization: accessing parts of a system that are specifically forbidden breaks CFAA rules, but simply accessing authorized areas in an unapproved way does not.

Barrett’s opinion noted that people routinely bend or break the rules of computers and web services. “The government’s interpretation of the ‘exceeds authorized access’ clause would attach criminal penalties to a breathtaking amount of commonplace computer activity,” she wrote. “If the ‘exceeds authorized access’ clause criminalizes every violation of a computer-use policy, then millions of otherwise law-abiding citizens are criminals.” The law could cover an employee who sends a personal email on a work computer, for example, or “criminalize everything from embellishing an online dating profile to using a pseudonym on Facebook.”

Legal experts and civil liberties advocates broadly praised the overall ruling. In theory, prosecutors now have to establish that users actually accessed parts of a system they were barred from entering. “I think it’s a really substantial deal,” Cornell University Law School professor James Grimmelmann tells The Verge. “It really clarifies that employees using computers disloyally is not a CFAA issue, and that blows away an enormous piece of criminal and civil use of the CFAA.” The ruling could also affect cases involving scraping, or mass-collecting publicly available data from websites.

The ruling also leaves crucial questions unanswered, though. The court’s decision didn’t ultimately rest on the law’s overall impact or validity. It focused on a dictionary definition of one word to decide if “exceeding authorized access” should be defined like a similar ban on computer use “without authorization” — which uses the gate metaphor. And while it says violators must have bypassed some metaphorical “gate,” it doesn’t firmly define these gates.