Legal updates

Web scraping legal updates: cases, regulations, and compliance.

A working tracker of the rulings, regulations, and enforcement actions that shape what data collection is actually defensible. Updated as material developments happen — not a quarterly blog cadence.

Read the 2026 guide Our compliance policy

Featured

Foundational guideMarch 14, 2026

Is Web Scraping Legal in 2026? A Practical Guide

From hiQ v. LinkedIn to GDPR — what's actually legal in 2026, what's a grey area, and how compliant data collection is actually structured.

Landmark cases

The rulings that most data teams cite when scoping a project. Read these first; the rest is regional adaptation and enforcement nuance.

US Ninth Circuit · 2022

hiQ Labs v. LinkedIn

Confirmed that scraping publicly accessible data does not violate the Computer Fraud and Abuse Act. The most cited precedent for US web scraping legality.

US Supreme Court · 2021

Van Buren v. United States

Narrowed the CFAA's "exceeds authorized access" clause. Reinforced the public-data carve-out that hiQ later relied on.

US ND California · 2024

Meta Platforms v. Bright Data

Court declined to enforce Meta's Terms of Service against a scraper of public data, citing hiQ. Ongoing — watch for appellate decisions.

EU Court of Justice · 2015

Ryanair v. PR Aviation (CJEU)

Confirmed that database-rights and contract claims can apply in EU jurisdictions even where US precedent allows scraping. Routinely cited in EU enforcement.

Regulations by region

United States

CFAA — public data carve-out per hiQ (Ninth Circuit, 2022)
CCPA / CPRA — California consumer rights for personal data, including scraped sources
State privacy laws — Virginia, Colorado, Connecticut, Utah, Texas (2024+) all add disclosure / opt-out obligations

European Union & UK

GDPR — lawful basis required for any personal-data scraping (Art. 6); legitimate interest needs documented balancing test
ePrivacy Directive — affects scraping that reads cookies or local storage
EU Data Act (2025) — new rules on B2B data access and re-use
UK GDPR — diverging slowly post-Brexit; ICO enforcement guidance specifically addresses scraping

Asia-Pacific

China PIPL — strict consent rules for personal data; cross-border transfer adds another layer
Japan APPI — amended 2022 with extraterritorial effect on data about Japanese residents
Australia Privacy Act — under reform; OAIC has issued guidance on scraping
Singapore PDPA — consent-based, with limited public-interest exceptions

On the watchlist

Active developments we are tracking. None of these have settled into clear precedent yet, but each is likely to materially shift defensible practice within the next 12 months.

EU AI Act — training-data provenance disclosures (article 50) take effect for general-purpose models
FTC enforcement — public statements signal scrutiny of scraped personal data used in AI training
Italian DPA scraping ruling — early enforcement action against AI training data providers
Anti-scraping bills — periodic state-level proposals in California, New York, Texas

FAQ

Is web scraping legal?

Scraping publicly accessible, non-personal data for legitimate business purposes is legal in the US under hiQ v. LinkedIn (2022) and most common-law jurisdictions. Personal data triggers GDPR / CCPA obligations. Authenticated content, paywalled content, and Terms-of-Service violations occupy separate legal categories. There is no single yes-or-no answer — it depends on what data, what jurisdiction, and what use.

Does robots.txt have legal force?

Not on its own. Robots.txt is a technical convention, not a statute. US courts have not held that ignoring robots.txt is illegal under the CFAA, but compliance has been cited as evidence of good faith in some rulings. Treat it as one signal among several when assessing risk.

What changes for AI training data?

AI-training scraping is the area of fastest legal change in 2025–2026. The EU AI Act, NYT v. OpenAI, copyright class actions, and FTC inquiries are all reshaping what's defensible. If you're collecting data for model training, the safe assumption is that this guide will be out of date in 90 days — read every monthly update.

How does VStock Data approach legal risk?

Public data only by default; client attestation required for any personal-data project; documented data-minimization; Article 30 records on file. We are infrastructure, not legal counsel — clients are responsible for compliance with applicable law in their jurisdiction.

This page tracks public legal developments and is published for informational purposes only. It is not legal advice. Engage qualified counsel in your jurisdiction before acting on any of this material.

VStock Data

Managed web data API — collect, structure, and deliver at scale.

APIs

Resources

Company

Legal

Built for data-driven teams worldwide.