Is Web Scraping Legal in 2026? A Practical Guide

The Landmark Ruling: hiQ v. LinkedIn

The most important US case in web scraping law is hiQ Labs v. LinkedIn (2022). The Ninth Circuit held that scraping publicly accessible data — data that does not require a login to view — does not violate the Computer Fraud and Abuse Act (CFAA). This ruling effectively confirmed that scraping public websites is not "unauthorized access" under federal law.

The key phrase is "publicly accessible." Data behind authentication walls, paywalls, or explicit robots.txt restrictions with account-gated enforcement occupies a different legal space.

What's Generally Legal

• Scraping publicly accessible pages (product listings, prices, news articles, job postings)
• Collecting data that is factual and non-copyrightable (prices, addresses, names of businesses)
• Research and academic use of public data
• Competitive intelligence from publicly visible pages

Grey Areas

• Terms of Service violations. Most websites prohibit scraping in their ToS. This is generally a civil contract issue, not criminal — but it can result in account bans, cease-and-desist letters, or civil suits. VStock Data operates without user accounts on target sites, reducing but not eliminating this risk.
• Copyright. Factual data is generally not copyrightable. Curated databases, original editorial content, and creative work are. Scraping and republishing copyrighted content wholesale is a separate issue from data collection.
• robots.txt. Robots.txt is a technical convention, not a legal requirement. Ignoring it is not illegal under current US law, but courts have cited robots.txt compliance as a factor in determining intent and good faith.

What's Not Legal

• Scraping data behind authentication (accounts you didn't create / aren't authorized to use)
• Collecting personal data from EU residents without a lawful basis under GDPR
• Using scraped data to build profiles that violate CCPA opt-out requirements
• Rate-limiting violations that amount to a denial-of-service attack
• Circumventing access controls in ways that constitute unauthorized computer access

GDPR and CCPA: The Privacy Overlay

Even when scraping is legally permissible, privacy law adds a separate compliance layer if your scraped data includes information about identifiable individuals.

Under GDPR (EU), collecting personal data requires a lawful basis: consent, legitimate interest, contract, or legal obligation. "Legitimate interest" is often cited for B2B data collection (public professional profiles, business contact details) but requires a documented balancing test and must not override the individual's fundamental rights.

Under CCPA (California), consumers have the right to know what personal data is collected about them and to opt out of its sale. If you're building consumer-facing datasets from scraped personal data, this applies.

VStock Data's compliance policy is to not scrape personal data by default. Clients who need B2B contact data must attest to their own lawful basis and accept full responsibility for privacy law compliance in their jurisdiction.

How VStock Data Approaches Legal Risk

We are infrastructure, not a legal advisor. Our design choices minimize structural legal risk:

• We target publicly accessible data by default
• We respect robots.txt on standard crawls
• We rate-limit requests to avoid service disruption
• We do not collect, store, or process personal data on behalf of clients
• We document our data minimization practices for GDPR Article 30 compliance

Clients are responsible for ensuring that the data they request us to collect, and how they use it, complies with applicable law in their jurisdiction. Our Terms of Service and Data Compliance policy make this responsibility clear.

Bottom Line

Scraping publicly accessible, non-personal data for legitimate business purposes (price monitoring, market research, competitive intelligence) is on solid legal ground in the US and most common law jurisdictions. The risk increases with personal data, authenticated data, and aggressive collection rates. Work with a lawyer in your jurisdiction if your use case involves any of those factors.