Is Lead Scraping Legal?
The Legal Landscape in the United States
The most significant legal development for lead scraping in the United States is the hiQ Labs v. LinkedIn case, which reached the Ninth Circuit Court of Appeals in 2022. hiQ Labs was a data analytics company that scraped publicly visible LinkedIn profiles to provide workforce analytics services. When LinkedIn sent a cease-and-desist letter and began blocking hiQ's scrapers, hiQ sued for an injunction allowing it to continue scraping.
The Ninth Circuit ruled in hiQ's favor, holding that accessing publicly available data on the open internet does not constitute "unauthorized access" under the Computer Fraud and Abuse Act (CFAA). The court reasoned that the CFAA's prohibition on accessing computers "without authorization" was designed to address hacking into protected systems, not accessing information that is freely available to anyone with a web browser. This ruling established an important precedent: scraping publicly visible web content is not a federal computer crime under the CFAA.
The hiQ decision has important limitations that lead generation teams should understand. It applies specifically to data that is publicly visible without any login requirement. Data behind authentication walls, paywalls, or access controls receives different legal treatment. Accessing data that requires a login means you are subject to the platform's terms of service, and violating those terms could create liability under different legal theories including breach of contract and trespass to chattels.
The CFAA itself remains the primary federal statute governing unauthorized computer access. The Supreme Court narrowed its scope in the 2021 Van Buren v. United States decision, ruling that the law prohibits accessing information on a computer that a person is not entitled to access, rather than using information obtained through authorized access in an unauthorized way. This narrowing generally favors scraping of public data but reinforces the distinction between public and access-controlled information.
State laws add another layer of complexity. California's Computer Data Access and Fraud Act mirrors many CFAA provisions at the state level. Some states have enacted their own computer access statutes with varying definitions of "unauthorized access." While no state has specifically outlawed the scraping of public data following the hiQ precedent, the patchwork of state laws means that the legal risk profile differs depending on where you operate and where the servers you scrape are located.
European Data Protection: GDPR
The General Data Protection Regulation (GDPR) applies to the processing of personal data of individuals in the European Economic Area (EEA), regardless of where the processing organization is located. This means that a company based in the United States that scrapes contact information for European business professionals must comply with GDPR.
Under GDPR, processing personal data requires a lawful basis. The six lawful bases are consent, contractual necessity, legal obligation, vital interests, public task, and legitimate interest. For B2B lead generation scraping, the most relevant basis is legitimate interest (Article 6(1)(f)), which allows processing when the organization has a legitimate interest that is not overridden by the data subject's rights and freedoms.
Using legitimate interest as your lawful basis requires conducting a Legitimate Interest Assessment (LIA), a documented analysis that weighs your business interest against the impact on the individual. For B2B lead generation, the argument is that identifying and contacting potential business customers is a recognized commercial interest, and that business professionals generally expect to be contacted about relevant services in their professional capacity. The LIA must be specific to your processing activities, documented, and available for review by supervisory authorities.
GDPR also imposes specific obligations on data controllers regardless of lawful basis. You must inform data subjects about your data collection (transparency principle), typically through your privacy policy. You must respond to subject access requests (SARs) within one month, providing individuals with a copy of their data upon request. You must honor deletion requests (right to erasure) unless you have a compelling legitimate interest that overrides the request. And you must implement appropriate security measures to protect the personal data you process.
The practical implications for lead scraping are significant. You need a privacy policy that accurately describes your data collection practices. You need a process for handling SARs and deletion requests. You need to maintain records of processing activities. And you need to conduct and document a legitimate interest assessment before you begin scraping. Organizations that skip these requirements face potential fines of up to 20 million euros or four percent of global annual revenue, whichever is higher.
CCPA and U.S. State Privacy Laws
The California Consumer Privacy Act (CCPA) and its 2023 amendment, the California Privacy Rights Act (CPRA), give California residents rights over their personal information, including the right to know what data is collected about them, the right to delete their data, and the right to opt out of the sale or sharing of their personal information. Businesses that collect personal information of California residents, even through scraping public sources, may be subject to these requirements if they meet CCPA's applicability thresholds (annual revenue over $25 million, processing data of 100,000 or more consumers, or deriving 50% or more of revenue from selling personal information).
Several other U.S. states have enacted comprehensive privacy laws modeled on CCPA, including Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and Utah (UCPA). Each law has slightly different requirements, applicability thresholds, and enforcement mechanisms, but they share common themes: transparency about data collection, consumer rights to access and delete data, and requirements for data protection practices.
For lead generation scraping operations, the practical impact of state privacy laws is primarily procedural. You need a privacy policy that discloses your data collection practices. You need mechanisms to receive and respond to consumer rights requests. And you need to maintain records of your data processing activities. The substantive right to collect publicly available data is generally preserved, but the obligations around transparency and consumer rights add operational requirements.
CAN-SPAM and Email Regulations
The CAN-SPAM Act governs the sending of commercial email in the United States but does not restrict the collection of email addresses. You can legally collect email addresses from public sources, but the emails you send to those addresses must comply with CAN-SPAM requirements: accurate header information, non-deceptive subject lines, identification as an advertisement, inclusion of your physical mailing address, a clear opt-out mechanism, and prompt processing of opt-out requests (within 10 business days).
Canada's Anti-Spam Legislation (CASL) is significantly stricter. CASL requires express or implied consent before sending commercial electronic messages to Canadian recipients. Express consent must be actively given by the recipient. Implied consent exists in limited circumstances, such as an existing business relationship or when the recipient has conspicuously published their email address without indicating they do not want unsolicited messages. CASL's consent requirements are the strictest in North America and apply regardless of where the sender is located.
The distinction between data collection and data use is critical. Most laws do not prohibit collecting publicly available contact information. The restrictions apply to how you use that information, particularly for sending commercial communications. A compliant lead generation operation can scrape email addresses from public sources but must follow applicable email regulations when using those addresses for outreach.
Terms of Service and Contractual Obligations
Beyond statutory law, most websites have terms of service (ToS) that restrict or prohibit automated data collection. Violating a website's ToS does not typically create criminal liability (the hiQ ruling specifically addressed this), but it can create civil liability under contract law theories. If you create an account on a platform and agree to its terms, those terms become a contract, and violating them could support a breach of contract claim.
The practical risk of ToS violations varies significantly. Large platforms like LinkedIn, Facebook, and Google actively enforce their terms against scrapers through technical measures (blocking, rate limiting, CAPTCHA) and occasional legal action against commercial-scale violators. Smaller websites rarely pursue legal action against scrapers, though they may block offending IP addresses.
A risk-aware approach involves several strategies. Prefer scraping sites that do not require account creation, avoiding any contractual relationship. When scraping platforms that require accounts, understand the terms you are agreeing to and assess the enforcement risk. Use official APIs when available, as API terms are typically more permissive than general website ToS for data access. And always prefer publicly available data over data behind login walls, both for legal safety and because the hiQ precedent directly supports public data access.
Practical Compliance Guidelines
Based on the current legal landscape, the following guidelines represent reasonable practices for legally defensible lead generation scraping. These are general principles, not legal advice, and organizations should consult qualified legal counsel for guidance specific to their situation.
Only scrape publicly available data. Restrict your automated collection to information that is visible to any visitor without creating an account, logging in, or bypassing any access controls. This positions your activities squarely within the hiQ precedent and avoids CFAA concerns.
Respect robots.txt and rate limits. While robots.txt is not legally binding, respecting it demonstrates good faith and reduces the likelihood that a website operator will pursue legal action. Implement reasonable rate limits (one to three requests per second for most sites) to avoid placing undue burden on target servers.
Maintain a comprehensive privacy policy. Disclose your data collection practices, the types of data you collect, how you use it, and how individuals can exercise their rights. Make this policy easily accessible on your website.
Implement data subject rights processes. Build and document processes for handling access requests, deletion requests, and opt-out requests from individuals whose data you have collected. Respond within the timeframes required by applicable law (30 days for GDPR, 45 days for CCPA).
Document your legitimate interest assessments. If you rely on legitimate interest as your lawful basis under GDPR, conduct and document a legitimate interest assessment before you begin processing. Update the assessment when your processing activities change.
Comply with email regulations when you use the data. Follow CAN-SPAM requirements for U.S. recipients, CASL requirements for Canadian recipients, and applicable email regulations for other jurisdictions. Include accurate headers, non-deceptive subject lines, physical address, and easy opt-out in every commercial email.
Keep records of everything. Document what data you collect, where you collect it from, when you collected it, your lawful basis for processing, and how you use it. These records are required under GDPR (Article 30) and are valuable evidence of compliance if your practices are ever challenged.
Lead scraping of publicly available data is legal in the United States under the hiQ precedent, but legal everywhere is not the same as risk-free everywhere. GDPR compliance, state privacy laws, email regulations, and terms of service all create obligations that must be addressed through documented processes, transparent policies, and responsible data practices. The legal risk is manageable when you scrape only public data, respect platform boundaries, and build compliance into your workflow from the start.