Is Data on Social Media Public or Private? The 2026 Legal Landscape
TL;DR: Social media data exists on a spectrum. Truly public data (a creator's public posts) is generally legally accessible by anyone, including programmatically. Truly private data (DMs, private profiles) is protected. The interesting fights have been about everything in between — and 2024-2026 court rulings have largely favored the position that public-facing data is fair game for legitimate uses. This is a clear-eyed look at where the lines actually are.
I get a version of this question monthly. A founder, a marketer, a journalist, a researcher asks me: "Is what we're doing legal?" The answer is almost always "yes, but with important nuances," and the nuances have shifted multiple times in the past three years. Most legal advice you can read online is either outdated or written by lawyers being careful in ways that don't help you make decisions.
This post is my honest attempt to summarize the actual legal landscape for social media data in 2026. I'm not your lawyer, and you should consult one for your specific situation. But you should also know the broad strokes, because most people operate in confused fear of legal consequences that don't actually apply to what they're doing.
The Public/Private Spectrum
The first useful frame: social media data isn't binary. There's a spectrum.
Truly public. A creator's profile that anyone can view without logging in. Their public posts. Their public follower count. Their public bio. Public hashtag results. Comments on public posts. This is functionally equivalent to a billboard or a magazine — published for the world to see.
Conditionally public. Data visible only when logged in but visible to all logged-in users (no friend/follower relationship required). Some platforms put basic profile info in this bucket.
Restricted public. Data visible only to followers/friends, but where the audience set is large and roughly self-selected. A private account with 50,000 followers is technically restricted but functionally near-public.
Private. DMs, draft posts, group conversations behind walls, anything explicitly shared with a specific small audience.
Different legal protections apply at each level. The biggest legal action — and most of the relevant court rulings — focus on the truly public layer.
The Landmark US Cases
A few rulings have set the precedent that defines today's landscape.
hiQ Labs v. LinkedIn (2017-2022)
The most important case. hiQ was a startup that scraped public LinkedIn profiles to provide HR analytics. LinkedIn sent cease-and-desist letters and tried to block them. hiQ sued.
The 9th Circuit Court of Appeals ruled multiple times in favor of hiQ. The core principle: scraping publicly available data does not violate the Computer Fraud and Abuse Act (CFAA). LinkedIn's argument that "we said you can't" doesn't make scraping public data illegal under federal anti-hacking law.
This was a major win for data accessibility. The Supreme Court declined to hear the case in 2022, leaving the 9th Circuit ruling intact.
The case's nuance: LinkedIn won on a narrower terms-of-service breach claim later. So scraping public data isn't a CFAA crime, but doing it after agreeing to a "no scraping" terms of service is a contract breach. Different remedy, very different stakes.
Bright Data v. Meta (2024)
A significant follow-up. Meta sued Bright Data for scraping Facebook and Instagram. Bright Data argued they only scraped public data.
The court ruled in favor of Bright Data, finding that scraping public information without authentication doesn't violate Meta's terms (because an anonymous, logged-out visitor has not agreed to those terms) and isn't a CFAA violation.
This further solidified the public-data-is-fair-game position. The case is also notable because Bright Data is a profitable company — these aren't small academic researchers but a major commercial scraper.
X Corp v. Bright Data (2024)
X (formerly Twitter) sued Bright Data on similar grounds. The court ruled in favor of Bright Data, citing the hiQ precedent and the public nature of the data.
A pattern emerged: courts in 2024 consistently ruled that scraping public social media data is legal, even at commercial scale.
Van Buren v. United States (2021)
A Supreme Court case about CFAA interpretation. The court ruled narrowly: the CFAA only applies when you access areas of a system you're not authorized to access at all, not when you misuse data you're authorized to view.
This further protects scraping of public data. If you can view the data as a normal visitor, accessing it programmatically isn't unauthorized access under federal law.
What This Means in Practice for the US
Putting it together, the practical situation for US-based scraping in 2026:
Legal: Scraping public profiles, public posts, public hashtag results, public comments, public ad libraries, search results. Storing this data. Analyzing it. Selling analytics products derived from it.
Risky but defensible: Scraping after explicitly agreeing to terms that prohibit scraping. The hiQ ruling says this isn't a CFAA violation, but you might face a breach-of-contract claim.
Illegal: Scraping behind authentication that you don't have. Bypassing security measures. Stealing private data. Harassment or defamation enabled by scraping (the underlying conduct is illegal regardless).
Unclear: Scraping at high volume that overwhelms a platform's infrastructure (could be argued as a CFAA violation under the "damage" prong). Most legitimate scrapers don't approach this scale.
For a typical business using social data APIs for market research, competitor analysis, influencer discovery, or brand monitoring: you're firmly in the legal zone.
The European Perspective: GDPR
The European framework is different and stricter.
GDPR applies to processing personal data of EU residents, regardless of where the company doing the processing is located. "Personal data" is broadly defined — names, photos, email addresses, IP addresses, online identifiers.
Key GDPR requirements that affect social data scraping:
Lawful basis. You need a legal basis for processing personal data. The relevant ones for scraping:
- Legitimate interest (most common for commercial scraping)
- Public interest (rare, for research)
- Consent (rare, since you can't get consent from people you scrape)
Data subject rights. EU residents can ask you what data you have on them and request deletion. Your scraping operation needs to be able to handle these requests.
Data minimization. Collect only what you need. Scraping everything just in case isn't compliant.
Special categories of data. Sensitive data (health, sexuality, race, etc.) has additional protections. If your scraping might capture this data, additional safeguards apply.
The GDPR doesn't prohibit social media scraping outright. It does require you to think carefully about what you're scraping, why, and how you handle data subject rights. Companies like Bright Data, Apify, and SociaVault navigate this through their own compliance frameworks.
For US-based companies scraping non-EU data: GDPR doesn't apply. For US-based companies scraping data that might include EU residents: you should have a GDPR compliance position.
Other International Considerations
UK
Post-Brexit, the UK has its own GDPR (UK GDPR) which closely mirrors the EU version but is administered separately.
California (CCPA / CPRA)
California's privacy laws apply to companies handling data of California residents. They're less restrictive than GDPR but still meaningful: a right to know, a right to delete, and a right to opt out of sale.
Other US States
Roughly a dozen US states have passed comprehensive privacy laws since 2020 (Virginia, Colorado, Connecticut, Utah, Texas, etc.). They generally follow CCPA's framework with variations.
Canada (PIPEDA)
Canadian federal privacy law. Less stringent than GDPR but still requires lawful basis for processing personal data.
For most businesses, the practical approach is: comply with GDPR (the strictest standard) globally and you're roughly fine everywhere.
Where Companies Actually Get in Trouble
Reviewing the cases that have led to legal problems for scraping operations:
Aggressive automation that overwhelms platforms
If your scraping volume is so high that it materially affects platform infrastructure, you might face CFAA "damage" claims. Most legitimate scrapers operate at volumes that don't approach this.
Specific contractual breaches
If you signed a contract or agreed to terms (e.g., paid for an enterprise plan that came with anti-scraping clauses), and then scraped, that's a contract breach. Different from public scraping.
Private data access
If you breach authentication (steal credentials, exploit vulnerabilities), that's a CFAA violation regardless of what data you access.
Specific tort claims
Defamation, false attribution, harassment — these are illegal regardless of how the data was acquired. Scraping doesn't make them legal; it doesn't make them more illegal either.
Specific industry regulations
Healthcare data (HIPAA), children's data (COPPA), financial data (various) have specific rules that override general privacy law. Scraping into these regulated categories without compliance creates problems.
What Smart Operators Do
Companies that operate sustainably in this space follow some patterns.
Scrape only public data. No authentication, no bypassing, no exploiting vulnerabilities. Stick to what a logged-out user can see.
Have clear terms of service for users. Prohibit harmful uses contractually. Most reputable APIs do this. SociaVault's terms include explicit prohibitions on stalking, harassment, and misuse.
Maintain a deletion process. When someone (especially in EU/UK/California) requests deletion of their data, you should be able to comply. Even if you don't strictly need to under your jurisdiction, it's reputationally important.
Don't store more than needed. If you're providing data on demand, don't accumulate massive stockpiles. Cache for performance, not for hoarding.
Decline obviously bad use cases. When customers ask for things that look like stalking, mass spam, or election manipulation, refuse the business. Your reputation and legal exposure both matter.
Have legal counsel. Even informal — an attorney you can call when something unusual comes up. Most decisions don't require legal review, but for the ones that do, you want to be ready.
Common Misconceptions
A few things that get repeated as truth but aren't.
"Scraping is illegal." Categorically false in the US for public data. Heavily nuanced elsewhere. Anyone telling you scraping is straightforwardly illegal is wrong.
"Terms of service make it illegal." Terms of service are contracts. Violating them might be a contract breach but isn't a federal crime under CFAA (per Van Buren and hiQ). The remedy is typically a private lawsuit, not criminal charges.
"GDPR makes scraping illegal in Europe." False. GDPR makes scraping that doesn't comply with GDPR illegal. Compliant scraping (with lawful basis, proper data subject rights handling, etc.) is legal.
"Big Tech can shut down any scraper." They can sue, but as recent cases show, they often lose. They can also block specific IPs, but serious scraping operations route around blocks.
"You need permission from each user." No. Public data is public; you don't need each user's consent to view what they've already shared with the world.
Frequently Asked Questions
Can I scrape data for a commercial product?
For US scraping of public data: yes, established by hiQ and Bright Data rulings. For products affecting EU residents: yes with GDPR compliance.
Should I tell users when their data is being scraped?
Not for public scraping. The data is already public; the scraping doesn't change that. For EU residents, GDPR may require notice in some contexts.
Can I sell data products built from scraped data?
Yes, in most jurisdictions, with appropriate compliance. ZoomInfo, Bright Data, Apollo — all do this at scale.
What if a platform sends me a cease and desist?
Don't panic. Many cease-and-desist letters are speculative or based on terms of service rather than law. Get legal counsel to evaluate the specific claim. Many companies have ignored these letters and never faced actual legal action.
Are there any platforms where scraping is clearly illegal?
Almost no platforms have legal protections specifically against scraping public data. Some have specific contractual prohibitions in their terms, but those are contract breaches, not statutory violations.
What about scraping with my own logged-in account?
This is more legally risky than scraping public data without logging in. By logging in, you've agreed to the terms of service, which usually prohibit automated access. The CFAA implications are murkier when you have authorized access that you're misusing.
Most professional scraping operations don't use logged-in accounts for exactly this reason.
Will this landscape change?
Possibly. There's ongoing legislative activity in the US (potential federal privacy law) and continued case-by-case litigation. The trend has been toward solidifying public-data scraping rights, but this could shift. If you operate in this space, follow the major cases.