Is Web Scraping Legal? What Proxy Users Need to Know in 2026

The Legal Landscape Is Not Black and White

“Is web scraping legal?” is the wrong question. The right question is: “Is this specific scraping activity, collecting this specific data, from this specific source, in this specific jurisdiction, for this specific purpose, legal?”

Web scraping exists in a legal gray area that is defined by the intersection of computer fraud laws, copyright law, contract law, data protection regulations, and unfair competition doctrine. The answer to whether your scraping project is legal depends on the specifics, and those specifics matter enormously.

This guide covers the major legal frameworks, landmark cases, and practical compliance guidelines that every web scraping practitioner needs to understand. It is not legal advice. Consult an attorney for guidance on your specific situation.

Key Legal Frameworks

The Computer Fraud and Abuse Act (CFAA) – United States

The CFAA is a US federal law originally designed to prosecute computer hacking. It prohibits accessing a computer system “without authorization” or “exceeding authorized access.” The key question for web scraping is: does scraping a publicly accessible website constitute unauthorized access?

The current state: The Supreme Court’s 2021 decision in Van Buren v. United States narrowed the CFAA’s scope, ruling that the law applies to accessing information that a person is not entitled to access, not to misusing information that one is entitled to access. This is generally favorable for web scraping of public data, but it did not directly address scraping.

The hiQ v. LinkedIn case (more on this below) provided clearer guidance specifically for scraping, but the CFAA’s application to scraping remains somewhat uncertain, particularly for scraping data behind authentication.

Practical takeaway: Scraping publicly accessible data (no login required) is unlikely to violate the CFAA. Scraping data behind authentication, especially after being told to stop, carries higher CFAA risk.

General Data Protection Regulation (GDPR) – European Union

GDPR applies to the processing of personal data of EU residents, regardless of where the scraper is located. If you scrape personal data (names, email addresses, job titles, profile photos) of people in the EU, GDPR applies to you.

Key GDPR requirements for scrapers:

  • Lawful basis: You need a legal basis for processing personal data. “Legitimate interest” is the most commonly cited basis for scraping, but it requires a documented balancing test.
  • Data minimization: Collect only the personal data you actually need for your stated purpose.
  • Storage limitation: Do not retain personal data longer than necessary.
  • Transparency: Data subjects have the right to know you are processing their data. This is practically challenging for large-scale scraping operations.
  • Right to erasure: Individuals can request deletion of their data.
  • Data protection impact assessment: Required for large-scale processing of personal data.

Penalties: GDPR violations can result in fines of up to 4% of global annual revenue or 20 million euros, whichever is higher.

Practical takeaway: If you scrape personal data of EU residents, you must comply with GDPR regardless of where your servers or proxies are located. Many scraping operations avoid personal data entirely to sidestep GDPR compliance obligations.

Other Data Protection Laws

GDPR is the most prominent but not the only data protection framework relevant to scraping:

  • CCPA/CPRA (California): Applies to personal information of California residents. Less restrictive than GDPR but still imposes obligations.
  • PDPA (Singapore): Singapore’s Personal Data Protection Act governs collection, use, and disclosure of personal data. Relevant for scrapers targeting Singapore-based data.
  • LGPD (Brazil): Similar to GDPR, applies to personal data of Brazilian residents.
  • PIPL (China): China’s Personal Information Protection Law applies to processing of Chinese citizens’ personal data.

Landmark Cases

hiQ Labs v. LinkedIn (2022)

This is the most significant scraping case to date. hiQ scraped public LinkedIn profiles to provide HR analytics services. LinkedIn sent a cease-and-desist letter and implemented technical blocks. hiQ sued for the right to continue scraping.

Key rulings:

  • Scraping publicly available data does not violate the CFAA
  • LinkedIn could not invoke the CFAA to block access to public profiles
  • The court distinguished between public data (accessible without logging in) and private data (behind authentication)
  • LinkedIn’s Terms of Service alone were not sufficient to criminalize scraping under the CFAA

Limitations of the ruling:

  • The case did not address copyright claims
  • It did not address GDPR or data protection claims
  • It specifically concerned public data, not authenticated scraping
  • The ruling applies in the Ninth Circuit; other circuits may rule differently

Ryanair v. PR Aviation (EU, 2015)

The Court of Justice of the European Union ruled that a database of flight information could be protected under EU database rights, even if individual data points are not copyrightable. This means that systematically extracting and reusing a substantial portion of a database may violate database rights under EU law, regardless of whether the data is publicly accessible.

Practical takeaway: In the EU, scraping a significant portion of a database may violate database rights even if each individual data point is a public fact. This is a significant difference from US law, where facts are generally not copyrightable (Feist Publications v. Rural Telephone Service, 1991).

Meta v. Bright Data (2024)

Meta (Facebook) sued Bright Data for scraping Instagram and Facebook data. The court ruled that scraping publicly available data from Facebook and Instagram did not violate the CFAA, reinforcing the hiQ precedent. However, the case highlighted that scraping combined with other activities (selling data that enables impersonation, for example) can create liability under other legal theories.

Other Relevant Cases

  • Clearview AI: Multiple jurisdictions have found Clearview AI’s scraping of facial images from social media to violate data protection laws, even though the images were publicly posted.
  • X Corp (Twitter) v. Bright Data (2024): Ongoing litigation over scraping of Twitter/X data, testing the boundaries of the hiQ precedent.
  • Meta Platforms v. Octopus Group: EU case addressing scraping of social media data under GDPR.

Terms of Service vs Law

Almost every website prohibits scraping in its Terms of Service. The critical question is whether ToS violations create legal liability.

ToS as Contract

Terms of Service are contracts. Violating them is a breach of contract, which is a civil matter. The damages in a breach of contract claim are typically limited to actual damages caused by the breach, which can be difficult for the website operator to prove.

ToS and the CFAA

Post-hiQ, it is generally accepted that merely violating a website’s ToS does not constitute “unauthorized access” under the CFAA. However, continuing to access a website after receiving an explicit cease-and-desist notice creates additional risk, as it could be argued that continued access is “without authorization.”

ToS and Injunctive Relief

Website operators can seek injunctive relief (a court order to stop scraping) based on ToS violations, even without proving monetary damages. This is a practical risk that scrapers should take seriously.

Practical Approach

  • Read the ToS of every site you scrape
  • Document your legal basis for scraping (public data, legitimate interest, transformative use)
  • Be prepared to cease scraping if you receive a cease-and-desist letter (at least until you consult legal counsel)
  • Consider whether your use case involves competition with the data source (this increases legal risk)

Scraping Public vs Private Data

The public/private distinction is the most important legal boundary for scraping.

Public Data

Data is generally considered “public” if:

  • It is accessible without creating an account or logging in
  • It is not behind a paywall
  • It is not restricted by technical access controls (other than standard anti-bot measures)
  • It is indexed by search engines

Scraping public data is the legally safest form of scraping. The hiQ case and its progeny support this position.

Private/Authenticated Data

Data behind authentication is more legally risky to scrape:

  • Accessing it requires agreeing to ToS (creating a contractual relationship)
  • The user account provides identity and accountability
  • Creating accounts for the purpose of scraping may violate ToS
  • Using someone else’s credentials is clearly unauthorized access

The Gray Area: Semi-Public Data

Some data is public but gated:

  • Content visible only after dismissing a cookie consent dialog
  • Data that requires scrolling or clicking “show more” (but no login)
  • Content served only to users with specific cookies but no authentication
  • Paywall-gated content where a limited number of articles are free

This gray area has not been clearly addressed by courts. The safest approach is to treat gated-but-unauthenticated content similarly to public data, while being more cautious with content that clearly requires a user relationship (account creation, subscription).

Jurisdictional Differences

Web scraping legality varies significantly by jurisdiction, and when you use proxies, you may be subject to the laws of multiple jurisdictions simultaneously.

United States

  • CFAA is the primary federal law; hiQ precedent favors scraping public data
  • State laws vary (California has additional protections under CCPA)
  • Facts are not copyrightable (Feist doctrine)
  • Strong First Amendment considerations for data collection as part of journalism or research

European Union

  • GDPR applies to personal data processing
  • Database Directive provides sui generis database rights (no US equivalent)
  • ePrivacy Directive may apply to certain tracking-related scraping
  • Individual member states may have additional laws

Singapore

  • Personal Data Protection Act (PDPA) governs personal data collection
  • Computer Misuse Act prohibits unauthorized computer access
  • Scraping publicly available data that does not constitute personal data is generally lower risk
  • Singapore courts have not yet produced landmark scraping cases

Practical Jurisdiction Considerations

When you use proxies, you introduce multiple jurisdictions:

  • The jurisdiction where you (the scraper) are located
  • The jurisdiction where the target website operator is located
  • The jurisdiction where the proxy server is located
  • The jurisdiction where the data subjects (if personal data) are located

Each jurisdiction’s laws may apply. Using a proxy in a specific jurisdiction does not generally make that jurisdiction’s laws apply to you, but it could complicate enforcement and legal analysis.

When Proxies Add Legal Risk

Proxies are neutral tools, but their use can be relevant in legal proceedings.

Proxies as Circumstantial Evidence

If a website operator sues you for scraping, your use of proxies could be presented as evidence of intent to evade technical access controls. While proxies themselves are legal, using them specifically to circumvent anti-bot protections could undermine a defense that your scraping was “authorized” access.

Proxies and the CFAA

The CFAA prohibits accessing a computer “without authorization.” If a website has blocked your IP and you use a proxy to circumvent that block, this could be argued as accessing the computer “without authorization.” This argument is not settled law, but it is a risk factor.

Proxies and Data Protection

Using proxies does not change your data protection obligations. If you scrape personal data of EU residents through a proxy in Singapore, GDPR still applies to you.

Mitigating Proxy-Related Legal Risk

  • Use proxies for legitimate technical purposes (geographic targeting, load distribution) rather than solely to evade blocks
  • Document your legitimate business purposes for data collection
  • Do not use proxies to circumvent explicit access denials (cease-and-desist letters, IP blocks after notice)
  • Maintain records of your scraping activities and compliance measures

Best Practices for Compliance

Technical Best Practices

  1. Respect robots.txt: While robots.txt is not legally binding, respecting it demonstrates good faith
  2. Identify yourself: Consider using a descriptive User-Agent string that includes contact information (this is not always practical for anti-bot reasons, but it demonstrates good faith)
  3. Rate limit aggressively: Do not overwhelm target servers; this could be construed as a denial-of-service attack
  4. Do not circumvent explicit blocks after notice: If you receive a cease-and-desist, stop and consult legal counsel before continuing
  5. Scrape only what you need: Collecting data you do not need increases risk without benefit

Data Handling Best Practices

  1. Minimize personal data collection: If you do not need names, emails, or photos, do not collect them
  2. Anonymize where possible: Remove or pseudonymize personal identifiers if your use case allows
  3. Implement data retention policies: Delete data when it is no longer needed
  4. Secure stored data: Apply appropriate security measures to scraped data, especially personal data
  5. Document your lawful basis: Under GDPR, document your legitimate interest assessment

Business Best Practices

  1. Consult legal counsel before starting: Especially for large-scale or commercial scraping operations
  2. Consider the competitive dynamic: Scraping a competitor’s data to directly compete with their data product carries the highest legal risk
  3. Build relationships: If possible, approach data sources about partnership or data licensing before resorting to scraping
  4. Maintain compliance documentation: Keep records of your compliance measures, legal analyses, and data handling procedures
  5. Monitor legal developments: Scraping law is evolving. Stay current with relevant court decisions and regulatory guidance

The 2026 Legal Landscape

Several trends are shaping the legal environment for web scraping:

  • AI training data disputes: The rise of large language models has brought scraping into the spotlight, with copyright holders challenging the use of scraped data for AI training. These cases may produce precedents that affect all scraping.
  • Expanding data protection laws: More jurisdictions are adopting GDPR-like regulations, increasing the compliance burden for scrapers collecting personal data.
  • Anti-bot escalation: As anti-bot technology improves, websites argue more aggressively that circumventing these protections constitutes unauthorized access.
  • Regulatory attention: Data protection authorities in the EU and elsewhere are increasingly focused on data scraping, particularly for advertising and AI purposes.

Getting Started Responsibly

Web scraping is a powerful tool for data collection, and when done responsibly, it occupies defensible legal ground. Focus on public data, minimize personal data collection, respect rate limits, maintain compliance documentation, and consult legal counsel for commercial operations.

The proxy infrastructure you choose should support compliant scraping practices. At DataResearchTools, our mobile proxies are designed for legitimate data collection use cases, from market research to competitive intelligence, with the reliability that makes responsible rate limiting and geographic targeting practical.

For the technical side of detection avoidance, see our guide on how anti-bot systems detect scrapers and ensure your technical approach aligns with your legal compliance strategy.

Related Reading

Scroll to Top