Is Social Media Scraping Allowed?

Updated June 2026
Scraping publicly available social media data without logging in is generally legal in the United States under current federal law. The Ninth Circuit ruled in hiQ v. LinkedIn that the Computer Fraud and Abuse Act does not prohibit accessing public web data, and the Meta v. Bright Data ruling in 2024 confirmed that scraping public Facebook and Instagram data while logged out does not violate platform terms of service. However, scraping behind login walls, collecting personal data in the EU without GDPR compliance, or violating platform terms through authenticated scraping can create legal liability under contract law, privacy regulations, or state tort claims.

The Legal Framework in the United States

The legality of social media scraping in the U.S. is primarily governed by the Computer Fraud and Abuse Act (CFAA), state contract law, and common law torts like trespass to chattels. Three landmark court cases have shaped the current legal landscape, and understanding them is essential for anyone collecting social media data at scale.

The Computer Fraud and Abuse Act (CFAA) is the federal statute most commonly invoked against scrapers. Enacted in 1986, the CFAA criminalizes accessing a computer "without authorization" or "exceeding authorized access." Social media platforms have historically argued that scraping violates the CFAA because it exceeds the authorization granted to website visitors. However, court rulings in the past several years have significantly narrowed this interpretation when applied to public data.

The Supreme Court's 2021 decision in Van Buren v. United States clarified that the CFAA's "exceeds authorized access" provision applies only to someone who accesses data they are not entitled to access, not to someone who accesses data they are allowed to see but uses it in ways that violate a policy or agreement. This distinction is critical for scraping: if data is publicly visible to any visitor, accessing it programmatically rather than manually does not "exceed authorized access" under the CFAA as interpreted by Van Buren.

What did the hiQ v. LinkedIn case establish?
The hiQ v. LinkedIn case is the most important U.S. precedent for scraping legality. hiQ Labs scraped public LinkedIn profiles to provide workforce analytics services. LinkedIn sent a cease-and-desist letter and blocked hiQ's access, and hiQ sued for an injunction. The Ninth Circuit Court of Appeals ruled in 2022 that scraping publicly accessible LinkedIn profiles does not violate the CFAA because the CFAA's "without authorization" provision applies only to data behind access controls (like login requirements), not to data that anyone can view in a browser. The court reasoned that when a website makes data publicly accessible, there is no "gate" to circumvent, and therefore no authorization barrier to violate. However, the case ultimately settled with LinkedIn obtaining a permanent injunction against hiQ, with hiQ paying $500,000 and agreeing to destroy its scraped data. The settlement demonstrates that while the CFAA does not prohibit public data scraping, state law claims (trespass to chattels, misappropriation, breach of contract) remain available to platforms.
What did the Meta v. Bright Data ruling decide?
In January 2024, Judge Edward Chen of the Northern District of California granted summary judgment to Bright Data in Meta's lawsuit alleging that Bright Data violated Meta's terms of service by scraping public Facebook and Instagram data. The court held that Meta's terms of service "do not bar logged-off scraping of public data" and therefore do not prohibit the sale of such data. The ruling specifically distinguished between scraping while logged in (where the user has agreed to terms of service) and scraping while logged out (where no contractual relationship exists). Meta dropped the case in February 2024 and waived its right to appeal. This ruling reinforced the principle established in hiQ: collecting publicly accessible data without authentication does not create liability under platform terms of service because a non-authenticated scraper has not agreed to those terms.
Can I be sued for scraping social media?
Yes, regardless of CFAA protections for public data scraping. Platforms can still bring state law claims including breach of contract (if you agreed to terms of service by creating an account and then scraping), trespass to chattels (if your scraping imposes measurable burden on the platform's servers), tortious interference (if your scraping competes with the platform's business), and unfair competition under state business codes. The practical risk of litigation depends on scale, commercial purpose, and whether your scraping causes measurable harm to the platform. Small-scale research scraping of public data carries minimal legal risk. Large-scale commercial scraping that competes directly with the platform's data products or that uses authenticated sessions to access restricted data carries substantially higher risk.

European Union: GDPR and Data Protection

The legal landscape for social media scraping in the European Union is governed primarily by the General Data Protection Regulation (GDPR), which applies to any processing of personal data of EU residents, regardless of where the data processor is located. Social media posts, usernames, profile pictures, and any content that can identify an individual constitute personal data under GDPR.

Scraping personal data from social platforms requires a lawful basis under GDPR Article 6. The most commonly invoked basis for scraping is "legitimate interest" (Article 6(1)(f)), which requires a balancing test between the scraper's interest in the data and the data subject's privacy rights. To rely on legitimate interest, you must document the purpose of your data collection, demonstrate that scraping is necessary for that purpose (and that no less intrusive alternative exists), and show that your interest does not override the data subjects' rights and expectations.

GDPR also imposes obligations regardless of the lawful basis. Data subjects have the right to be informed about data collection (even when scraped rather than directly provided), the right to access their data, the right to request deletion, and the right to object to processing. Compliance requires maintaining records of processing activities, implementing appropriate security measures, and potentially appointing a Data Protection Officer if processing personal data at scale.

The practical implications for social media scraping in Europe are significant. Scraping aggregated, anonymized data (trending topics, post volumes, engagement statistics without identifying individual users) carries lower GDPR risk than scraping identifiable user data (profiles, posts linked to usernames, comments with author information). Organizations that scrape personal data from social platforms must implement GDPR compliance measures, including data minimization, purpose limitation, storage limitation, and mechanisms for honoring data subject requests.

Other International Regulations

California (CCPA/CPRA). The California Consumer Privacy Act and its successor, the California Privacy Rights Act, give California residents rights over their personal information, including data collected through scraping. Businesses that meet CCPA thresholds (annual revenue over $25 million, or processing data of 100,000+ California consumers) must comply with consumer rights requests, including the right to know what data is collected, the right to delete, and the right to opt out of data sales.

Brazil (LGPD). Brazil's Lei Geral de Protecao de Dados mirrors GDPR in many respects, requiring a lawful basis for processing personal data and granting data subjects similar rights. Organizations scraping social media data that includes personal information of Brazilian residents must comply with LGPD requirements.

Canada (PIPEDA). Canada's Personal Information Protection and Electronic Documents Act requires meaningful consent for the collection of personal information, though it includes exceptions for publicly available information when collected for journalistic, artistic, or literary purposes. Commercial scraping of Canadian social media profiles requires compliance with PIPEDA's accountability and purpose limitation principles.

Platform-Specific Policies

Each social media platform maintains its own terms of service and data policies that address automated data collection. While violating these terms does not create criminal liability under the CFAA (per the hiQ and Bright Data rulings), they can form the basis for civil breach of contract claims if you have agreed to the terms by creating an account.

X (Twitter) prohibits scraping in its terms of service but offers paid API access as the sanctioned data access channel. X has aggressively rate-limited and blocked scrapers since 2023, but the legal precedent from hiQ and Bright Data suggests that scraping public tweets without authentication does not violate the CFAA.

Instagram and Facebook (Meta) prohibit automated data collection in their terms. However, the Bright Data ruling established that these terms do not bind users who scrape without logging in. Scraping while logged into a Meta account would subject you to the terms you agreed to upon registration.

LinkedIn prohibits scraping and actively blocks automated access. LinkedIn has a history of legal action against scrapers, and the hiQ settlement demonstrates that even when CFAA claims fail, LinkedIn can pursue state law claims effectively. LinkedIn scraping carries the highest legal risk among major social platforms.

Reddit updated its terms in 2023 to restrict automated data collection, particularly for AI training purposes. Reddit has filed lawsuits against AI companies that scraped Reddit content for model training, including cases against Anthropic and Perplexity AI in 2025 that allege breach of contract, unjust enrichment, and DMCA violations.

TikTok prohibits scraping in its terms but offers the Research API for approved academic researchers. Commercial scraping of TikTok operates in a gray area similar to Instagram scraping before the Bright Data ruling.

AI Training and Copyright Considerations

A new dimension of scraping legality has emerged around the use of scraped social media data for training artificial intelligence models. Several lawsuits filed in 2025 and 2026 challenge the use of scraped web content (including social media posts) for AI training, alleging copyright infringement under the DMCA and related statutes. These cases are still being litigated and no definitive rulings have been issued, but they signal that using scraped social media content to train commercial AI models carries additional legal risk beyond the established framework for data collection and analysis.

The fair use doctrine may protect some uses of scraped data for AI training, particularly for research and non-commercial purposes, but the boundaries remain unclear. Organizations using scraped social media data for AI training should monitor these cases closely and seek legal counsel on their specific use case.

Practical Guidelines for Reducing Legal Risk

Based on the current legal landscape, these practices minimize your legal exposure when scraping social media data.

Scrape only public data without authentication. The strongest legal protection applies to data collected without logging in. When you scrape while logged out, you have not agreed to the platform's terms of service, and the CFAA does not prohibit accessing publicly visible data. This is the single most important risk reduction measure.

Avoid causing technical harm. Do not scrape at rates that could degrade platform performance. Implement rate limiting, use reasonable concurrency, and respect robots.txt directives. Trespass to chattels claims require demonstrating that the scraping caused measurable harm to the platform's systems, so respectful scraping practices reduce this exposure.

Minimize personal data collection. Collect only the data fields you need. If your analysis does not require individual user identification, strip or anonymize personal identifiers at the collection stage. This reduces exposure under GDPR, CCPA, and other privacy regulations.

Document your purpose and methodology. Maintain records of what you scrape, why, how you use the data, and how you protect it. This documentation supports a legitimate interest claim under GDPR and demonstrates good faith in any legal proceeding.

Implement data retention and deletion policies. Do not retain scraped data indefinitely. Define retention periods based on your use case and delete data when it is no longer needed. This aligns with GDPR's storage limitation principle and reduces your exposure if a platform or data subject challenges your data practices.

Monitor legal developments. Scraping law is evolving rapidly, particularly around AI training use cases. The cases filed in 2025 and 2026 may produce rulings that change the legal framework. Stay current with legal developments in your jurisdiction and adjust your practices accordingly.

Key Takeaway

Scraping publicly visible social media data without logging in is protected from CFAA liability under current U.S. federal court precedent. However, state law claims, privacy regulations (GDPR, CCPA), and platform terms of service create legal boundaries that vary by jurisdiction, platform, and use case. The safest approach is to scrape only public data, minimize personal information collection, and comply with applicable privacy regulations.