Website Scraper

Is Web Scraping Legal? What the Law Actually Says in 2026

By · Updated

Every few weeks someone asks me whether the thing I build for a living is legal. The honest answer is the one nobody wants: it depends, and it depends on specifics that change the answer completely. But "it depends" isn't useful on its own, so this guide maps out what it actually depends on — the difference between the scraping that's done millions of times a day without incident and the scraping that gets companies sued.

One disclaimer I mean literally: I write code, not legal briefs. What follows is orientation drawn from the cases and rules that shape this space, not legal advice for your situation. If the stakes are high — you're building a business on scraped data, or scraping anything close to personal information — talk to a lawyer who knows your jurisdiction. With that said, here's the map.

Is web scraping legal at all?

Start with the reassuring part, because it's the part most people get wrong. Reading a public web page with an automated tool is not, by itself, illegal in the United States or most of the places its law gets compared to. A scraper requests a page the same way your browser does; the server sends it the same way it sends it to anyone. Courts have been reluctant to call that "unauthorized access," and the trend of the last several years has been to narrow, not widen, the laws people reach for to stop it.

The instinct to treat scraping as inherently shady usually comes from conflating four very different things: accessing a public page, reproducing the content on it, collecting personal data, and straining someone's servers. Each has its own rules. Bundle them together and scraping sounds lawless; separate them and a clear, defensible zone appears in the middle — public, factual data, gathered politely. Most legitimate scraping lives there.

What does the Computer Fraud and Abuse Act say?

In the U.S., the law people fear most is the Computer Fraud and Abuse Act (CFAA), which criminalizes accessing a computer "without authorization" or in a way that "exceeds authorized access." For years, companies argued that scraping their public sites — especially after a cease-and-desist letter — crossed that line.

Two developments cut that argument down. In hiQ Labs v. LinkedIn, the Ninth Circuit held that scraping data LinkedIn had made publicly available was unlikely to violate the CFAA, reasoning that information open to the public isn't accessed "without authorization" in the statute's sense. (Worth knowing the full story: the same litigation later found hiQ had breached LinkedIn's user agreement, so the company lost on contract grounds even as it won the CFAA point — a neat illustration that "not a CFAA violation" and "allowed" are different sentences.) Then in Van Buren v. United States, the Supreme Court read "exceeds authorized access" narrowly, rejecting the theory that merely violating a website's terms turns ordinary access into a federal crime.

The takeaway: for genuinely public pages, the CFAA is a weak weapon against scraping, and it keeps getting weaker. Log in to a site, though — accept its terms, use credentials, click through a paywall — and you've stepped out of the "public access" analysis and into a place where authorization actually means something.

Do a website's terms of service bind me?

This is where a lot of scrapers trip. Terms of service are a contract, and contracts don't need a statute to be enforceable. Courts distinguish two kinds. "Browsewrap" terms — a link buried in the footer that you never click — are hard for a site to enforce, because you plausibly never agreed to them. "Clickwrap" terms — the ones you actively accept when you create an account or check a box — are readily enforceable.

So the terms that matter most attach to accounts. Scrape a public page you reached without logging in, and a browsewrap ToS is a weak basis for a claim. Scrape from behind a login where you clicked "I agree," and you've likely made a promise a court will hold you to — which is exactly what happened to hiQ on the contract question above. The practical rule writes itself: the moment scraping requires an account, assume the terms bind you, and read them.

Is the scraped data copyrighted?

Copyright protects creative expression, not facts. This distinction is the quiet foundation under most data scraping. In Feist Publications v. Rural Telephone Service, the Supreme Court held that a plain alphabetical phone directory wasn't copyrightable because facts and a "sweat of the brow" compilation of them lack the originality copyright requires. Prices, stock levels, addresses, statistics, scores — raw facts — are generally free to extract and reuse.

What copyright does protect is the original expression wrapped around those facts: an article's prose, a photograph, a review's actual text, a creatively curated selection. Scraping a product's price is one thing; republishing the paragraph of marketing copy beside it, or a gallery of its photos, is another. Take the data; leave the creative work. When in doubt, ask whether you're copying a fact or someone's writing.

What about personal data, GDPR, and CCPA?

Here the ground gets genuinely dangerous, and it's where I tell people to stop and think hardest. The moment you scrape personal data — anything that identifies a person, like names, emails, phone numbers, or profile details — you leave the comfortable world of public facts and enter privacy law.

If any of those people are in the EU or UK, the GDPR applies regardless of where you are, and it's demanding: you need a lawful basis to process the data, you owe people transparency about what you've collected, and they have rights to access and deletion that are nearly impossible to honor for data you scraped without ever contacting them. Regulators have levied real fines against companies that built products on scraped personal data. In California, the CCPA and CPRA give residents comparable rights over their personal information.

The line is bright and worth memorizing: facts about products are not personal data; facts about people are. Scraping every price in a catalog is a different universe from scraping every email on a member directory. The first is routine; the second needs a lawyer and probably a rethink.

Can scraping count as trespass or server abuse?

The last theory is "trespass to chattels" — the idea that hammering someone's servers with requests interferes with their property. It rarely succeeds for modest scraping, but it becomes plausible when your crawler is aggressive enough to degrade a site's performance or run up its costs. This one is almost entirely in your control. Scrape at a human-ish pace, cache what you've already fetched, and don't re-request the same page every minute, and you stay clear of it. Abuse a site's bandwidth and you hand it both a technical and a legal grievance.

So how do I scrape responsibly?

Strip away the case names and a short, practical code of conduct remains. None of it is exotic; all of it keeps you in the defensible middle:

  • Prefer public, factual data. Prices, listings, availability, published statistics — the safe core. Treat personal data as radioactive unless you have a lawful basis and a lawyer.
  • Honor robots.txt and rate limits. It isn't a law, but ignoring it is the clearest way to look like a bad actor. Reading it as binding costs you nothing.
  • Stay out of logged-in areas you don't own. The instant scraping needs an account or a paywall, the terms bind you and the "public access" defense evaporates.
  • Be gentle on the server. Reasonable delays, cached repeats, no midnight-to-midnight hammering. Politeness is also a legal defense.
  • Don't republish creative content. Extract the facts; leave the prose, the photos, and the curation. Attribute when you use anything expressive.
  • Read the terms when you're near a line. Especially for anything commercial, high-volume, or personal.

This is exactly the posture we built into Website Scraper, because responsible defaults should be the path of least resistance, not an upsell. It honors robots.txt, refuses sensitive categories like banking, government, and people-search outright, and runs on sensible schedules rather than pummeling a site. Ethics in this niche isn't a compliance checkbox — it's a feature, and it's the reason the tool is comfortable to point at a real page. If you want the hands-on version, the guide on how to scrape data from a website walks through the workflow, and the no-code website scraper on the homepage applies all of these defaults for you.

The one-paragraph version

Scraping public, factual data — prices, listings, published information — on a polite schedule is legal in most places and done constantly without incident. Risk climbs as you move toward personal data (privacy law), content behind a login (contract and access law), creative works (copyright), and heavy request volumes (trespass and server-abuse claims). Stay on the public-and-factual side, respect robots.txt and terms, be gentle, and you're in the zone where scraping is both legal and, frankly, unremarkable. Cross into personal data or logged-in content and you need real legal advice — which, one more time, this article is not.

FAQ

Is web scraping legal?
Scraping publicly available, factual data is generally lawful in the United States and many other jurisdictions, and courts have repeatedly declined to treat access to a public web page as computer fraud. The legality turns on what you scrape and how: public facts are the safe end, while personal data, content behind a login, copyrighted material, and aggressive request rates move you toward real risk. This is general information, not legal advice.
Is it legal to scrape data from websites without permission?
Often yes for public data, because visiting a public page doesn't require permission any more than reading it in a browser does. But 'public' is doing a lot of work in that sentence: a site's terms of service can still create contractual obligations, personal data brings privacy laws into play, and content behind a login is a different legal category entirely. Permission is safest; where you rely on public access, stay on public, factual data.
Can you get sued for web scraping?
Yes, though the common claims are narrower than people assume. The usual theories are breach of a site's terms of service (contract), copyright infringement (for reproducing protected content, not facts), privacy-law violations (for personal data), and trespass to chattels (for overloading a server). Scraping modest amounts of public, factual data on a polite schedule sits far from all four.
Does robots.txt make scraping legal or illegal?
Neither, strictly — robots.txt is a voluntary standard, not a law, so ignoring it isn't automatically a crime. But it's strong evidence of the site owner's wishes, courts and regulators notice when you disregard it, and honoring it is the clearest signal that you're scraping in good faith. Treat it as a binding instruction even though the law doesn't formally require it.
Is scraping personal data legal under GDPR?
Scraping personal data of people in the EU or UK pulls you under the GDPR, which requires a lawful basis, transparency, and respect for individual rights — a high bar for scraped data, since you usually can't inform the people involved. Regulators have fined companies for building databases from scraped personal data. Names, emails, and profiles are the danger zone; anonymous facts like prices are not.

Keep reading