Business & Legal 12 min read

Is Web Scraping Legal? Scraping, Selling Data, Coding Tools

Is web scraping legal? What about selling scraped data or coding scrapers for clients? Get a practical look at the laws, court cases, and safe practices.

ST
Scraping.Pro Team
Data collection for business needs
Published: 2 June 2025

"Is web scraping legal?" is the first question almost everyone asks before they start a project — and the honest answer is: it depends on what you scrape, how you scrape it, and what you do with the results. Scraping publicly available data is broadly defensible and has been repeatedly protected in US courts. But wrap the wrong data (personal, copyrighted, or paywalled) or the wrong behavior (breaking a contract, hammering a server) around it, and the same activity can land you in real trouble.

This article breaks the question into the three scenarios people actually worry about — scraping data, selling scraped data, and writing scraper code for a client — then walks through the laws and the landmark scraping court cases that shape the answer in 2026. It is a practical overview, not legal advice; for a specific project, talk to a lawyer in your jurisdiction.

The short answer, three ways

The original version of this question came in as a puzzle. Suppose a website's Terms of Use say "no crawling or scraping." Which of these is illegal?

  1. Scrape data from the site and use it yourself (for example, collect public contact details and email them).
  2. Scrape data and sell it to someone else.
  3. Write and sell a scraper without ever running it yourself.

The old answer leaned on a weapons-manufacturer analogy: the toolmaker is fine, the operator carries the liability. That instinct is roughly right for #3, but the reality across all three is more nuanced, because "legality" here is not one law — it is a stack of them:

  • Computer-access law (in the US, the Computer Fraud and Abuse Act) — did you access a computer "without authorization"?
  • Contract law — did you agree to Terms of Use that forbid scraping?
  • Copyright and database law — is the content itself protected?
  • Privacy law (GDPR, CCPA/CPRA, and others) — is it personal data?
  • Downstream-use law (anti-spam, consumer protection) — what you do with the data.

You can be clean on one layer and exposed on another. Let's go layer by layer, then return to the three scenarios.

What the web scraping laws actually say

Computer access: the CFAA (US)

The Computer Fraud and Abuse Act (CFAA), a 1986 statute written to punish malicious break-ins, is the law most often waved at scrapers. It criminalizes accessing a computer "without authorization" or in a way that "exceeds authorized access." For years, companies argued that scraping in violation of their Terms of Use was itself a CFAA violation.

Two things gutted that argument for public data:

  • In Van Buren v. United States (2021), the Supreme Court adopted a narrow "gates-up-or-down" reading: you don't "exceed authorized access" merely by using access you legitimately have for a purpose the owner dislikes. Improper motive is not a computer crime.
  • Courts have repeatedly held that data posted openly on the public web, with no login wall, is not accessed "without authorization" just because a scraper collected it.

The practical takeaway: for genuinely public pages, a CFAA claim is weak. The moment you log in, bypass a technical barrier, or use credentials you weren't given, the analysis flips — that is where CFAA exposure is real.

Contract law: Terms of Use

This is the layer people underestimate. Even when scraping public data is not a computer crime, a site's Terms of Use may be an enforceable contract, and scraping in breach of it can be a breach-of-contract claim. Whether the terms bind you often turns on how they were presented — a "browsewrap" buried in a footer is far weaker than a "clickwrap" you actively accepted by creating an account. This distinction is the hinge of several recent cases below.

Copyright and database rights

Raw facts are generally not copyrightable — in the US, Feist v. Rural (1991) established that a bare compilation of facts (like a phone directory) lacks the originality copyright protects. But the creative expression around those facts — article text, photos, reviews, curated descriptions — usually is protected, and copying it wholesale can infringe.

Outside the US, watch for the EU/UK sui generis database right, which can protect a substantial extraction from a database even when the individual data points aren't copyrighted. "It's just facts" is not a safe assumption in Europe.

Privacy law: the big one for personal data

If what you scrape identifies people — names, emails, profiles, photos — you are in the world of GDPR (EU/UK), the CCPA/CPRA (California), and a growing list of US state privacy laws. Crucially, "publicly available" is not a free pass under GDPR. You still need a lawful basis to process personal data, and regulators have made examples of companies that scraped personal data at scale. The facial-recognition firm Clearview AI has been fined tens of millions of euros by multiple European regulators (France's CNIL, Italy's Garante, and the Netherlands' DPA among them) for scraping biometric and personal data without a lawful basis. Scraping people is a different risk category from scraping prices.

Trespass and server load

An older theory, trespass to chattels (as in eBay v. Bidder's Edge), targets scrapers that overload a server. It shows up less often now, but the lesson survives: aggressive, high-rate crawling that degrades a site's service creates its own liability, independent of what data you collect. Scrape politely.

The landmark scraping court cases

A handful of decisions do most of the work in shaping today's rules.

hiQ Labs v. LinkedIn — public data and the CFAA

The defining modern case. hiQ scraped public LinkedIn profiles to build analytics products. The Ninth Circuit held that scraping publicly available data likely does not violate the CFAA, because public data isn't accessed "without authorization." That is the ruling everyone quotes.

But read the whole story: after remand, the district court found in 2022 that hiQ had nonetheless breached LinkedIn's User Agreement — a contract claim, not a CFAA claim — partly by creating fake accounts and scraping while logged in. The case then settled with terms unfavorable to hiQ. The lesson is precise: public scraping may clear the CFAA hurdle and still lose on contract.

Sandvig v. Barr — violating Terms of Service is not a crime

In this case, a group of academic researchers and a media organization challenged the government, worried that auditing websites for discrimination (by scraping and creating test accounts against site terms) could expose them to CFAA prosecution. The US District Court for the District of Columbia ruled that merely violating a website's Terms of Service is not a criminal CFAA violation. The court reasoned that information posted on the open web — even on privately owned sites that invite the public in — sits in something like a public forum, and that collecting it with automated tools is not meaningfully different from a person taking notes or photographs. Recording and gathering public information carries a constitutional interest; a private site's terms alone don't turn that into a computer crime. It is a strong statement that moderate scraping of public data, even against ToS, is not criminal — while leaving civil contract questions untouched.

Meta v. Bright Data and X Corp. v. Bright Data — the 2024 line

Two 2024 decisions from the Northern District of California reinforced the trend. In Meta v. Bright Data, the court sided with the scraping company on Meta's breach-of-contract claims, drawing a sharp line: a platform's terms are hard to enforce against someone scraping public, logged-out data they never contractually agreed to protect. In X Corp. v. Bright Data, the court dismissed X's claims over public-data scraping, with the judge warning that letting platforms fully control public data could entrench information monopolies. The through-line of the modern cases: public + logged-out + facts = defensible; logged-in + contract + personal/creative content = risky.

Back to the three scenarios

1. Scraping data and using it yourself

Collecting public data for your own analysis is the safest of the three — provided the data is genuinely public, not personal, and you don't break a login wall or overload the site. The catch is the downstream use. The classic example — scrape public email addresses, then email them — is where a fresh set of laws kicks in: the US CAN-SPAM Act and, for EU recipients, GDPR/ePrivacy rules on unsolicited marketing. Scraping the address might be fine; blasting it with cold marketing can be the actual violation. Separate the act of collection from the act of use — each is judged on its own terms.

2. Selling scraped data

This is where risk concentrates, and where an old reader question — "is this a legal way to acquire insurance leads from the web?" — is instructive. The answer there was the right one: it depends on the site and the nature of the data.

  • Public, factual, non-personal data (prices, inventory, public offers, specs) is the most defensible thing to resell. This is the bread and butter of legitimate competitor price monitoring and market-research datasets.
  • Copyright-protected content or a substantial database extraction — reselling someone's curated catalog text, reviews, or a big slice of their database — invites copyright and (in the EU/UK) database-right claims.
  • Personal data is the sharpest edge. Reselling scraped personal information can trigger GDPR/CCPA obligations for both you and your buyer, and if a buyer misuses it, the trail leads back to the seller. That insurance-leads question is a good gut check: the sites holding real leads keep them behind paid subscriptions and locked-down access precisely because that data is sensitive and regulated — which is a strong hint that scraping and reselling it is not the clean play it might first appear.

Rule of thumb: selling public facts is a business; selling scraped personal data is a liability.

3. Writing a scraper for a client

Here the old weapons analogy points in the right direction, if we state it more carefully. A scraper is a dual-use tool, like a great many pieces of general-purpose software. Building and delivering the code is generally lawful, and the party who operates it — choosing the targets, the volume, and the use of the data — carries the primary liability. Courts don't usually treat a developer as responsible for a client's later misuse of a neutral tool.

The caveat: that shield thins if you knowingly build something whose only real purpose is an unlawful act — credential stuffing, bypassing a specific site's access controls, harvesting personal data you know will be misused. "I only wrote the code" is a reasonable position for a general scraper; it is a weak one if you engineered it specifically to break the law. When you hire scraping developers or take on client work, scope the build to lawful, public-data use and put the compliance responsibility for operation where it belongs — with the operator.

Practical rules to stay on the safe side

None of this is legal advice, but these habits keep the vast majority of scraping projects well inside the lines:

  • Prefer public, logged-out pages. Don't scrape behind a login you agreed to terms for, and don't defeat technical access controls.
  • Avoid personal data unless you have a lawful basis. Prices, specs, and public listings are low-risk; names, emails, and profiles are regulated.
  • Read the Terms of Use — and don't click-accept them if you plan to scrape. Browsewrap terms you never accepted are far weaker than a clickwrap you agreed to.
  • Respect robots.txt and rate limits. It's not a law, but polite, low-impact crawling avoids trespass-style claims and keeps you off blocklists.
  • Check the jurisdiction. GDPR and EU/UK database rights change the calculus for European sites and data subjects.
  • Mind the downstream use. Anti-spam and consumer-protection rules govern what you do with data, separately from how you got it.
  • Document your basis. Knowing why your collection is lawful is half the battle if anyone ever asks.

FAQ

Is web scraping legal in the US? Scraping publicly available data is broadly legal and has been protected in court (hiQ, Sandvig, the Bright Data cases). It becomes risky when you break a login, violate an enforceable contract, copy protected content, or collect personal data.

Does violating a website's Terms of Service make scraping illegal? Not criminal, per Sandvig v. Barr and Van Buren — a ToS breach alone isn't a CFAA crime. But it can be a civil breach of contract, especially clickwrap terms you actively accepted, as hiQ learned.

Can I sell data I scraped? Public factual data — often yes. Copyrighted content, a substantial database extraction, or personal data — that's where you take on real legal risk.

Is it legal to scrape data that's behind a login? This is the highest-risk zone. You've typically agreed to terms, and defeating access controls can trigger CFAA and contract claims. Avoid it unless you have clear permission.

Bottom line

There is no single yes-or-no answer to "is web scraping legal." Scraping public, factual, non-personal data for your own analysis is well protected in 2026, and building scraper tools for lawful use is fine. The exposure lives in the details: logging in against terms you accepted, copying protected content, and — above all — collecting or reselling personal data. Know which layer of law your project touches, and behave accordingly.

If you'd rather not navigate the technical and compliance minefield yourself, scraping.pro runs public-data collection as a done-for-you web scraping service and delivers clean, structured data as a service — built around lawful, public-data sources so you get the dataset without the guesswork.

This article is general information, not legal advice. Laws vary by country and change over time; consult a qualified attorney for your specific situation.