Is Web Scraping Legal?

Updated June 2026
Web scraping is generally legal when it targets publicly accessible data and does not circumvent technical access controls. In the United States, the Ninth Circuit ruled in hiQ v. LinkedIn that scraping public web pages does not violate the Computer Fraud and Abuse Act. However, legality depends on jurisdiction, the type of data collected, compliance with data protection laws like GDPR and CCPA, and whether the scraping violates enforceable Terms of Service.

The Detailed Answer

The legal status of web scraping is not a simple yes or no question. It sits at the intersection of computer fraud law, contract law, intellectual property, and data protection regulation, each of which applies differently depending on the jurisdiction, the nature of the data being collected, the methods used, and the purpose of the collection. The clearest way to understand the landscape is to examine each legal framework separately and then consider how they interact.

What did the hiQ v. LinkedIn ruling establish?
The hiQ Labs v. LinkedIn case, decided by the Ninth Circuit Court of Appeals in 2022 after years of litigation, is the most significant US court ruling on web scraping legality. hiQ, a data analytics company, scraped publicly visible LinkedIn profiles to build workforce analytics products. LinkedIn sent a cease-and-desist letter and implemented technical measures to block hiQ's access. hiQ sued, and the court ruled that scraping publicly accessible data does not violate the Computer Fraud and Abuse Act (CFAA) because the CFAA's "without authorization" language applies to private, access-controlled systems, not to data that anyone with a web browser can view. The court also granted a preliminary injunction preventing LinkedIn from blocking hiQ's access. This ruling established an important precedent: accessing publicly available web data through automated means is not a federal crime under the CFAA.
Can websites block scraping through their Terms of Service?
Many websites include language in their Terms of Service (ToS) that prohibits automated access, data collection, or use of bots. Whether these provisions are legally enforceable against scrapers is a contested area of law. "Clickwrap" agreements, where the user explicitly clicks "I agree" before accessing the service, are generally enforceable as contracts. "Browsewrap" agreements, where the ToS are posted on the site but the user never affirmatively accepts them, have a much weaker legal standing. Courts have frequently declined to enforce browsewrap terms against users who were not aware of them or did not take any affirmative action to agree. However, if you create an account and accept the ToS during registration, and then scrape using that account, the ToS restrictions are more likely to be enforceable as a contractual obligation.
How do GDPR and CCPA affect web scraping?
Data protection regulations impose additional legal requirements when the scraped data contains personal information. The GDPR, which applies to data about EU residents regardless of where the scraping occurs, requires a lawful basis for processing personal data. The most commonly invoked basis for scraping is "legitimate interest," but this requires a documented assessment showing that the data collection purpose outweighs the privacy impact on the individuals whose data is being collected. The scraper must also provide mechanisms for data subjects to exercise their rights (access, deletion, correction) and implement appropriate security measures. The California Consumer Privacy Act (CCPA) similarly gives California residents rights over their personal information and imposes transparency obligations on businesses that collect it. Scraping personal data without addressing these requirements can result in fines of up to 4% of global annual revenue under GDPR or up to $7,500 per intentional violation under CCPA.
Does robots.txt have legal force?
The robots.txt protocol is a voluntary standard that website operators use to communicate their preferences about automated access. It is not a legally binding contract in most jurisdictions, and violating robots.txt directives is not, by itself, illegal. However, courts have considered robots.txt compliance as one factor when evaluating the reasonableness and good faith of scraping activity. Respecting robots.txt demonstrates that the scraper made a reasonable effort to honor the website's preferences, which can strengthen the scraper's legal position if a dispute arises. Conversely, deliberately ignoring robots.txt restrictions can be cited as evidence of bad faith, even if the violation alone does not constitute a legal claim.

Key US Legal Precedents

Beyond hiQ v. LinkedIn, several other US court cases have shaped the legal landscape for web scraping. In Van Buren v. United States (2021), the Supreme Court narrowed the scope of the CFAA by ruling that the law only applies to accessing computer systems that a person is not authorized to access at all, not to exceeding authorized access on systems where the person has some legitimate access. This ruling reinforced the principle that accessing publicly available information does not violate federal computer fraud law.

The Craigslist v. 3Taps case (2013) reached a different conclusion, finding that continuing to scrape after receiving a cease-and-desist letter and being IP-blocked could constitute unauthorized access under the CFAA. This case predated the hiQ ruling and the Van Buren narrowing, so its precedential value has diminished, but it illustrates that the specific circumstances of scraping, including whether the scraper persists after being told to stop, can affect the legal analysis.

In the Meta v. Bright Data case (2024), a court found that Bright Data's scraping of public Facebook and Instagram data did not violate the CFAA or California's computer fraud statute, further reinforcing the principle that public data scraping generally does not constitute unauthorized computer access. These decisions collectively suggest a trend toward permitting scraping of publicly accessible information, though the law continues to evolve.

Copyright Considerations

Web scraping raises copyright questions when the scraped content includes copyrighted material such as articles, images, creative writing, or original databases. Scraping copyrighted content and republishing it can constitute copyright infringement. However, scraping for purposes such as data analysis, research, indexing, or creating transformative derivative works may qualify as fair use under US copyright law.

The fair use analysis considers four factors: the purpose and character of the use (commercial versus educational, transformative versus reproductive), the nature of the copyrighted work, the amount used relative to the whole, and the effect on the market for the original. Scraping product prices to build a comparison tool, for example, involves extracting factual data (which is not copyrightable) rather than creative expression. Scraping entire articles to republish them under your own brand, on the other hand, is clearly infringing.

The EU Database Directive creates an additional consideration in Europe. It grants copyright-like protection to databases that required substantial investment to compile, even if the individual data points within the database are not copyrightable. Systematically extracting a substantial portion of such a database can infringe this sui generis right, even when individual records are factual.

International Variations

Web scraping legality varies significantly across jurisdictions. In the European Union, the combination of GDPR, the Database Directive, and national computer crime statutes creates a more restrictive environment than the United States for many scraping activities, particularly those involving personal data. Some EU member states have specific laws addressing unauthorized access to computer systems that could apply to aggressive scraping practices.

In Australia, the Privacy Act restricts collection of personal information, and the Copyright Act provides database protection similar to the EU model. In Japan, amendments to copyright law have created broader exceptions for data analysis and machine learning training, making certain types of scraping explicitly legal. China's Personal Information Protection Law (PIPL) and Data Security Law impose strict requirements on data collection that apply to scraping activities involving Chinese residents' data.

The practical implication of these international variations is that scrapers operating across borders must consider the legal requirements of every jurisdiction where their target data originates, where the scraped individuals reside, and where the scraping infrastructure is physically located.

Practical Guidelines for Legal Compliance

While the legal landscape remains complex, several practical guidelines help reduce legal risk when scraping. Focus on publicly accessible data that does not require logging in, creating an account, or bypassing technical access controls. Avoid scraping personal data unless you have a documented legitimate purpose and appropriate safeguards in place. Respect robots.txt directives and crawl-delay settings as a demonstration of good faith. Limit request rates to avoid disrupting the target website's performance, as causing service degradation can invite claims beyond simple data access disputes.

Document your scraping activities, including the purpose of data collection, the types of data collected, your compliance measures, and any legal analysis supporting your position. This documentation serves as evidence of good faith if a dispute ever arises. If you receive a cease-and-desist notice from a website, take it seriously and consult legal counsel before deciding whether to continue. Ignoring explicit requests to stop scraping significantly increases legal exposure.

For activities that involve substantial commercial value, significant volumes of personal data, or legally sensitive domains (healthcare, finance, government), consulting with an attorney who specializes in data privacy and internet law is strongly advisable before beginning a scraping operation.

Key Takeaway

Web scraping of publicly accessible, non-personal data is generally legal in the United States under current precedent, but legality depends on jurisdiction, data type, method, and purpose. Data protection laws add significant requirements when personal information is involved, and Terms of Service can create contractual restrictions even when scraping is not otherwise illegal.