Is Web Scraping Legal? Laws, Cases & Compliance (2026 Guide) | DataImpulse

Is web scraping legal? The short answer: scraping publicly available, non-personal data is broadly legal in most jurisdictions — but the details decide everything. What you scrape (product prices vs. personal profiles), how you scrape it (public pages vs. behind a login), where you operate (the US’s CFAA logic vs. Europe’s GDPR), and what you do with the data (price monitoring vs. AI training) each move you between “defensible business practice” and “regulatory action.” This hub walks through the landmark cases, the 2025-2026 AI-era lawsuits, every major regulator’s position, and a practical framework — drawing on the legal sections we’ve fact-checked across 25+ country and platform guides.

One thing up front: this is general information, not legal advice. Before scaling a commercial scraping pipeline, consult counsel in your jurisdiction and your targets’.

The Short Answer, by Question

United States: the CFAA, hiQ, and the Contract Layer

The foundational US question was whether scraping public pages is “unauthorized access” under the Computer Fraud and Abuse Act — the anti-hacking statute. The Ninth Circuit answered in hiQ Labs v. LinkedIn (2022, applying the Supreme Court’s Van Buren logic): no. Where a page is open to anyone without credentials, there is no authorization gate to breach, so public-data scraping is not a CFAA violation.

But hiQ’s full story is the real lesson. After winning the CFAA battle, hiQ lost the war: in November 2022 the court found it had breached LinkedIn’s User Agreement (which it had accepted by creating accounts), and the case ended in a consent judgment — hiQ paid and agreed to a permanent injunction. The CFAA protects you from hacking claims on public pages; it does not protect you from contracts you’ve agreed to.

Meta v. Bright Data (January 2024) sharpened the line further: the court declined to find Bright Data in breach for scraping public, logged-out Facebook and Instagram pages, reasoning that the platforms’ terms govern account holders acting as such — not logged-out visitors collecting public content. The practical rule that emerged: logged-out public scraping is defensible; logged-in scraping against accepted terms is not. Older trespass-to-chattels cases (eBay v. Bidder’s Edge, 2000) still matter at extreme volumes — if your crawl burdens a site’s servers, you re-open that door. And state-level privacy laws (California’s CCPA/CPRA, Virginia’s VCDPA and others) add personal-data obligations on top.

The AI Era: 2025-2026 Lawsuits That Changed the Map

AI training created a second wave of scraping litigation — less about “was access authorized” and more about contracts, licensing, and copyright:

• Bartz v. Anthropic (June 2025, Judge Alsup): training an LLM on lawfully obtained books is “exceedingly transformative” fair use — but the ruling explicitly carved out pirated source copies. How you obtained the data matters as much as what you did with it.
• Kadrey v. Meta (June 2025, Judge Chhabria): plaintiffs lost on the record they brought, but the opinion warned this was not broad permission for AI training — a narrow win, not a doctrine.
• Reddit v. Anthropic (filed June 2025): notable because Reddit sued over terms-of-service and unjust-enrichment theories, not copyright. In late March 2026 a federal judge remanded the case to California state court, holding Reddit’s claims are not preempted by the Copyright Act — confirming that contract-based scraping claims have independent life.
• Reddit v. Perplexity, SerpApi, Oxylabs & AWMProxy (Oct 2025, S.D.N.Y.): the first case to name scraping infrastructure vendors as co-defendants alongside the AI company. As of spring 2026 it sits at the motion-to-dismiss stage. For proxy buyers, the takeaway is about supply chains: who collects your data, and how, is now part of your legal exposure.
• NYT v. OpenAI (consolidated, S.D.N.Y.): in January 2026 the court ordered OpenAI to produce a 20-million-conversation log sample in discovery; the case is testing whether model “regurgitation” of articles undermines fair use. No final ruling yet — but it’s the case most likely to define AI-training boundaries.
• The licensing economy is the flip side: Reddit licenses its data to Google (~$60M/yr) and OpenAI; Cloudflare and Stack Overflow launched pay-per-crawl; the RSL protocol (2025) gives publishers a standard way to price machine access. “Free to scrape” and “licensed to train” are diverging tracks.

Europe: GDPR and the Strictest Regulators

In the EU (and the UK), the question is rarely “was access authorized” — it’s “did you process personal data without a lawful basis?” Under the GDPR, scraping any data that identifies a person (names, photos, profiles, contact details) is “processing,” and “it was public” is not a lawful basis by itself. The enforcement record is unambiguous:

• Netherlands (AP) — the hardest line in Europe. Its May 2024 guidance calls scraping personal data “almost always a violation of the GDPR,” and it fined Clearview AI €30.5 million for scraping facial images, with directors warned of personal liability.
• Italy (Garante) — fined Clearview €20 million and a website owner €60,000 for scraping data to build an online telephone directory; its stated principle: “if it’s public, I can take it” is false.
• France (CNIL) — fined contact-data broker KASPR €240,000 (decision Dec 2024) for scraping LinkedIn contact details of users who had limited visibility. Its June 2025 guidance allows scraping publicly accessible personal data under legitimate interest — but only with safeguards (exclusion lists, minimization, transparency).
• UK (ICO) — fined Clearview £7.5 million; the UK GDPR plus the Data (Use and Access) Act 2025 keep the framework aligned with the EU’s.
• EU-wide: the EDPB’s coordinated 2026 enforcement on transparency raises scrutiny further, and the Database Directive adds a separate sui generis right against extracting substantial parts of protected databases — a claim that exists in Europe but not the US.

The crucial nuance: none of this targets non-personal data. Prices, product listings, availability, rankings, and reviews-without-author-data are outside the GDPR’s scope. European price-intelligence and SEO pipelines run legally every day — the line is personal data.

Rest of the World, at a Glance

Every country guide in our blog library — from Germany to Japan — carries a fact-checked local legal section if you need depth on a specific market.

What’s Defensible vs. What’s Risky

Generally defensible

• Public, read-only collection of non-personal data: prices, product specs, stock, rankings, search results, flight fares, real-estate listings
• Logged-out access only — nothing behind authentication
• Human-paced request rates that don’t burden the target’s infrastructure
• Honoring robots.txt and published crawl policies
• Competitive intelligence, market research, SEO monitoring, ad verification, academic research on aggregates

Risky to indefensible

• Scraping personal data — names, photos, emails, phone numbers, profiles — especially at scale, especially in Europe
• Scraping behind a login, against terms you accepted (the hiQ contract lesson)
• Bypassing technical barriers: CAPTCHAs presented as access controls, IP blocks aimed at you specifically, paywalls
• Republishing scraped content wholesale (copyright), or extracting substantial parts of protected databases (EU database right)
• Volume that degrades the target site (trespass-to-chattels exposure)
• Training AI on content you obtained from pirated or terms-breaching sources (Bartz‘s carve-out)

A Compliance Checklist for Scraping Teams

1. Scope the data. If a field can identify a person, treat it as regulated: either drop it, or establish a GDPR lawful basis with documented safeguards (CNIL’s 2025 legitimate-interest sheet is the best template).

2. Stay logged out. Public pages only. The moment you authenticate, you’ve accepted a contract — and contract claims are the ones that win.

3. Respect the site’s signals. robots.txt, rate limits, crawl-delay. Not always legally binding, but the first thing a court or regulator looks at.

4. Engineer for restraint. Human-paced cadence, caching to avoid re-fetching, no hammering. Volume is what turns a scraping dispute into a trespass claim.

5. Mind the supply chain. Reddit v. Perplexity named the scraping vendors, not just the AI buyer. Know how your data providers collect, and prefer infrastructure with ethically sourced, consent-based IP pools — audit-defensibility now extends to your proxy layer.

6. Separate collection from use. Lawful collection doesn’t license every use: republishing, database extraction, and AI training each carry their own analysis.

7. Get counsel before scale. A pipeline that’s fine at 1,000 requests/day may need review at 10 million.

Are Proxies Legal?

Yes. Proxies are standard networking infrastructure — the same intermediary technology behind corporate gateways, CDNs, and privacy tools. Businesses use residential proxies to see localized prices, verify ads actually display in target markets, track search rankings by city, and test websites from other countries — all routine, lawful operations. What the law evaluates is the activity: scraping personal data through a proxy is exactly as regulated as doing it directly, and collecting public prices through a proxy is exactly as defensible. The one provider-side question that matters is sourcing: a network built on consented, ethically sourced residential IPs keeps your collection layer clean — which, post-Reddit v. Perplexity, your lawyers will eventually ask about.