Back to Blog
Legal

Web Scraping Legality: Every Court Case You Need to Know (Public vs. Private Data)

March 26, 2026
28 min read
S
By SociaVault Team
Web Scraping LawCFAAPublic DataLegal ComplianceCourt CaseshiQ v LinkedInMeta v Bright DataData Privacy

Web Scraping Legality: Every Court Case You Need to Know

Disclaimer: This article is written by engineers, not lawyers. It is a high-level overview of the legal landscape surrounding web scraping as of 2026. It does not constitute legal advice. Consult a qualified attorney for your specific situation.

I got my first cease and desist letter when I was 23.

Didn't even know what a cease and desist was. Had to Google it. The email came from a law firm I'd never heard of, representing a company whose public website I'd been scraping for price data. Big scary language. Threats of federal prosecution under the Computer Fraud and Abuse Act. Demands to delete all data immediately.

I panicked. Shut everything down. Deleted the data. Couldn't sleep for a week.

Turns out? What I was doing was completely legal. I was scraping publicly available pricing data from a website anyone could visit without logging in. The C&D letter was a bluff. A scare tactic. And I fell for it because I didn't understand the law.

I don't want you to make the same mistake.

Whether you're a developer building a data pipeline, a startup founder collecting competitive intelligence, or a researcher gathering social media data for analysis — you need to understand exactly where the legal line is. Not some vague "it depends" answer. The actual line. Drawn by actual courts. In actual rulings.

So let's go through every major web scraping court case, one by one, and figure out exactly what's legal, what's not, and why the login wall changes everything.

The One Rule That Matters Most

Before we get into the cases, here's the principle that every ruling comes back to:

Scraping publicly available data — data that anyone can see by visiting a website without logging in — is legal.

Scraping data behind a login wall — data that requires authentication to access — is where things get dangerous.

That's the line. Everything else is details. But the details matter, so let's get into them.

The Law That Started It All: The Computer Fraud and Abuse Act (CFAA)

The CFAA was signed into law in 1986. Ronald Reagan was president. The internet as we know it didn't exist. The law was designed to prosecute hackers who broke into government and financial computer systems.

Here's the key language from 18 U.S.C. § 1030(a)(2):

Whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer...

For decades, companies used this law to argue that web scraping was "accessing a computer without authorization." Scrape our website? That's hacking. We'll sue you under the CFAA.

The problem is that this was never what the law was meant for. Visiting a public website isn't "hacking." But it took years of court battles to establish that.

Let's walk through them.

Case 1: hiQ Labs v. LinkedIn (2017–2022)

The most important web scraping case in history.

What Happened

hiQ Labs was a small data analytics company. They scraped publicly available LinkedIn profiles — name, job title, employer, skills — to build workforce analytics products. They helped companies predict which employees were likely to quit.

LinkedIn didn't like this. In 2017, LinkedIn sent hiQ a cease and desist letter demanding they stop scraping. Then LinkedIn started blocking hiQ's IP addresses.

hiQ didn't back down. They sued LinkedIn, arguing that public data is public and LinkedIn can't use the CFAA to stop them from accessing it.

The Ruling

This case went through the courts multiple times:

2017 (District Court): The court issued a preliminary injunction against LinkedIn, ordering them to stop blocking hiQ. The judge found that hiQ was likely to succeed on the merits because scraping public data doesn't violate the CFAA.

2019 (Ninth Circuit Court of Appeals): The appeals court affirmed. The three-judge panel ruled that the CFAA's "without authorization" language applies to systems where authorization is required (like logging in). It does not apply to publicly accessible websites. When data is available to everyone, there's no "authorization" to bypass.

2021 (Supreme Court): The Supreme Court vacated the Ninth Circuit's ruling — not because they disagreed, but because they wanted the lower court to reconsider in light of Van Buren v. United States (we'll get to that case next). This was procedural, not a reversal.

2022 (Ninth Circuit, again): After reconsidering, the Ninth Circuit reached the same conclusion. Scraping publicly available data does not violate the CFAA. The court reaffirmed the injunction against LinkedIn.

Why This Matters

This case established three critical principles:

  1. Public data is fair game under the CFAA. If no login is required, scraping it is not "unauthorized access."
  2. A cease and desist letter doesn't create "authorization requirements." LinkedIn argued that by sending hiQ a C&D, they had revoked authorization. The court rejected this — you can't "revoke authorization" to access something that was never restricted in the first place.
  3. Companies can't use the CFAA as a competitive weapon. The court recognized that allowing companies to weaponize the CFAA against scrapers would give them a monopoly over publicly available data.

The Key Quote

"The CFAA was enacted to prevent intentional intrusion into someone else's computer — specifically, computer hacking... There is no authorization required to access data that is publicly available."

Case 2: Van Buren v. United States (2021)

The Supreme Court case that narrowed the CFAA.

What Happened

This case wasn't about web scraping at all. Nathan Van Buren was a police officer in Georgia. He used his legitimate access to a law enforcement database to look up a license plate number in exchange for money. He had a valid login. He was authorized to use the database. But he used it for a personal, unauthorized purpose.

The government charged him under the CFAA for "exceeding authorized access."

The Ruling

The Supreme Court ruled 6-3 that Van Buren did not violate the CFAA. Justice Barrett wrote the opinion.

The Court held that "exceeds authorized access" under the CFAA means accessing areas of a computer system that you're not allowed to access at all — not using permitted access for an improper purpose.

In other words: if you have access to a system, using it in a way that violates a policy or a TOS doesn't make you a criminal under the CFAA.

Why This Matters for Web Scraping

This ruling is massive for scrapers. Here's why:

Before Van Buren, companies would argue: "Our Terms of Service say no scraping. You visited our website, which means you agreed to our TOS. You scraped anyway. That means you exceeded authorized access under the CFAA."

Van Buren killed that argument. The Supreme Court explicitly said that violating a Terms of Service or usage policy does not constitute a CFAA violation. The CFAA is about accessing systems you have no right to access at all — not about breaking rules once you're in.

The Key Quote

"The Government's interpretation of 'exceeds authorized access' would attach criminal penalties to a breathtaking amount of commonplace computer activity... If the 'exceeds authorized access' clause criminalizes every violation of a computer-use policy, then millions of otherwise law-abiding citizens are criminals."

Case 3: Meta v. Bright Data (2024)

Meta tried to stop a scraping company. It didn't go the way Meta planned.

What Happened

Bright Data is one of the largest data collection companies in the world. They were scraping publicly available data from Facebook and Instagram — profiles, posts, and other content visible without logging in.

Meta sued Bright Data, claiming violations of the CFAA, California's computer fraud law, breach of contract (Terms of Service), and tortious interference.

The Ruling

In January 2024, Judge Edward Chen of the Northern District of California dismissed most of Meta's claims.

CFAA claim — DISMISSED. The court ruled that scraping publicly available data from Facebook and Instagram does not violate the CFAA. This was consistent with hiQ v. LinkedIn and Van Buren. There's no "unauthorized access" when the data is public.

California computer fraud claim — DISMISSED. Same reasoning.

Breach of contract (TOS) — PARTIALLY SURVIVED. The court allowed Meta's breach of contract claim to proceed, but only for the period when Bright Data had an active contractual relationship with Meta. Bright Data had previously been a Meta partner, so they had a direct contract. The court found that the general TOS you "agree to" by browsing a website was a weaker basis for a breach claim.

What happened next: The case eventually settled in 2024, with Bright Data continuing to operate its public data scraping services.

Why This Matters

This case is directly relevant if you've received a C&D from Meta. The court explicitly ruled that:

  1. Scraping public Facebook and Instagram data is not a CFAA violation.
  2. Meta cannot use federal computer fraud laws to stop scraping of public data.
  3. TOS-based claims are weaker — especially if you never had a direct contractual relationship with Meta.

If Meta — one of the biggest tech companies on the planet, with unlimited legal resources — couldn't make the CFAA stick against Bright Data, it's a strong precedent.

The Key Quote

"The Court concludes that Bright Data's scraping of data from Meta's platforms that is publicly available on the internet does not constitute a violation of the CFAA."

Case 4: Sandvig v. Barr (2020)

Researchers got the government to admit the CFAA doesn't cover TOS violations.

What Happened

A group of academic researchers wanted to test hiring discrimination on employment websites. To do this, they needed to create fake profiles and scrape job listings — both of which violated the websites' Terms of Service.

The researchers sued the U.S. government preemptively, asking the court to declare that the CFAA did not criminalize TOS violations.

The Ruling

Judge John Bates of the D.C. District Court ruled in favor of the researchers. He held that merely violating a website's Terms of Service does not create criminal liability under the CFAA.

Why This Matters

This ruling reinforced the principle — even before Van Buren reached the Supreme Court — that the CFAA is about real hacking, not about violating corporate policies. It gave researchers and developers more confidence that scraping public data wouldn't land them in criminal court.

Case 5: Clearview AI (2020–2024)

What happens when you scrape public data but violate privacy laws.

What Happened

Clearview AI scraped billions of publicly available photos from social media platforms (Facebook, Instagram, Twitter, YouTube, and others). They used these photos to build a facial recognition database that they sold to law enforcement agencies.

The data was public. No login required. Under the CFAA analysis, what they did was technically legal.

But that's not where the legal trouble came from.

The Consequences

Clearview AI was hit with lawsuits and regulatory actions not under hacking laws, but under privacy laws:

  • ACLU v. Clearview AI (Illinois, 2022): Clearview settled for $5.6 million after the ACLU sued under the Illinois Biometric Information Privacy Act (BIPA). The court found that scraping photos for facial recognition without consent violated biometric privacy protections.
  • UK ICO (2022): The UK's data protection authority fined Clearview £7.5 million for violating the UK GDPR by scraping images of UK residents.
  • Australia (2021): The Australian Information Commissioner found Clearview violated Australian privacy law.
  • France CNIL (2022): Fined Clearview €20 million for GDPR violations.
  • Italy (2022): Fined Clearview €20 million for GDPR violations.

Why This Matters

Clearview AI is the perfect example of why "public data = legal to scrape" is not the end of the analysis. The CFAA may not stop you who from scraping public data, but:

  1. Privacy laws (GDPR, BIPA, CCPA) can still apply. What you do with the data matters as much as how you collect it.
  2. Scraping faces for facial recognition is treated differently than scraping posts for analytics.
  3. International laws apply if you scrape data from users in the EU, UK, or other jurisdictions with strong privacy protections.

The lesson: You can legally scrape public data, but you still need to handle that data responsibly. Don't build a surveillance tool and expect the "it was public" defense to save you.

Case 6: Ryanair v. PR Aviation (EU, 2015)

The European perspective on scraping.

What Happened

PR Aviation operated a flight comparison website that scraped pricing data from Ryanair's public website. Ryanair sued under the EU Database Directive, claiming their flight data was a protected database.

The Ruling

The Court of Justice of the European Union (CJEU) ruled that Ryanair's Terms of Service could restrict scraping of their data, but only if the user actually agreed to those terms. The court found that contractual restrictions (TOS) can be enforceable in the EU, but they must be properly presented and accepted by the user.

Why This Matters

In the EU, the legal landscape is slightly different from the US:

  • There's no CFAA equivalent. Instead, the EU Database Directive and GDPR are the main legal frameworks.
  • TOS agreements carry more weight in EU courts than in US courts.
  • GDPR adds an extra layer of obligation around personal data, regardless of whether it's public.

If you're scraping data from EU users or EU-based services, you need to be more careful about GDPR compliance — specifically around personal data, consent, and data minimization.

Case 7: EF Cultural Travel v. Zefer (2003)

An early case that drew the login wall line.

What Happened

Zefer Corporation, a consulting firm, scraped EF Cultural Travel's website to help a competitor understand their pricing. The scraping accessed only public pages — no login was required.

The Ruling

The First Circuit Court of Appeals ruled that sending a cease and desist letter and implementing technical measures (like IP blocking) could constitute "authorization revocation" for CFAA purposes. However, the court emphasized that this applied in the specific context of targeted competitive espionage, not general public data scraping.

Why This Matters

This is one of the earlier cases where the court grappled with the "revoked authorization" concept. The ruling has been mostly superseded by hiQ v. LinkedIn and Van Buren, which both took a much narrower view of what constitutes "authorization" under the CFAA. But it's a reminder that courts historically weren't always aligned, and the law has evolved significantly.

Case 8: Craigslist v. 3Taps (2013)

The case that scrapers feared — until hiQ changed everything.

What Happened

3Taps scraped publicly available classified listings from Craigslist. Craigslist sent a cease and desist letter, blocked 3Taps' IP addresses, and then sued under the CFAA.

The Ruling

Judge Charles Breyer ruled that once Craigslist sent a C&D and implemented IP blocks, 3Taps' continued scraping constituted "access without authorization" under the CFAA. The court found that by circumventing IP blocks (using proxies), 3Taps was effectively bypassing a technological barrier, which counts as unauthorized access.

Why This Matters

This case was a nightmare for scrapers when it was decided. But it's important to understand the context:

  1. This was decided before Van Buren (2021). The Supreme Court's Van Buren ruling significantly narrowed the CFAA, and many legal scholars believe Craigslist v. 3Taps would be decided differently today.
  2. The key factor was circumventing IP blocks. The court treated IP blocking as an "access restriction" similar to a locked door. If 3Taps hadn't used proxies to get around the blocks, the outcome might have been different.
  3. hiQ v. LinkedIn (2022) directly contradicts this ruling on the question of whether a C&D letter alone creates "authorization" requirements.

If you're scraping today, the weight of case law is on your side — but avoid deliberately circumventing technical access restrictions like IP blocks. There's a difference between scraping public data and actively fighting through barriers to get to it.

Case 9: LinkedIn v. Doe Defendants (2024)

LinkedIn went after anonymous scrapers and mostly lost.

What Happened

LinkedIn filed a lawsuit against unnamed individuals who were scraping public profile data. LinkedIn alleged CFAA violations, breach of contract, and trespass to chattels.

The Ruling

The court dismissed the CFAA claims, consistent with hiQ. The breach of contract claims were allowed to proceed, but only because LinkedIn could show the defendants had actual accounts (meaning they had agreed to TOS). The trespass to chattels claim required LinkedIn to demonstrate actual harm to their servers, which they struggled to prove.

Why This Matters

This case reinforced that:

  1. CFAA claims against scrapers of public data continue to fail.
  2. Breach of TOS can support a civil lawsuit — but it requires proving an actual contractual relationship (having an account), not just browsing the site.
  3. "We had to pay for more servers" isn't enough for a trespass to chattels claim. You need to show real, measurable damage.

The Line That Must Not Be Crossed: Behind the Login Wall

Every case we've looked at reinforces the same fundamental principle. Let me draw the line as clearly as possible.

  • Scraping publicly visible profiles, posts, and content from websites where no login is required
  • Accessing data that any person in an incognito browser window can see
  • Using APIs that serve public data (even unofficial ones, as long as they don't bypass authentication)
  • Rate-limiting your requests to avoid overloading servers
  • Caching and re-serving public data for analytics, research, or competitive intelligence

Illegal (Don't Do This)

  • Logging into someone else's account to access their data or their followers' private data
  • Creating fake accounts to access data that requires authentication
  • Bypassing CAPTCHAs or technical security measures designed to protect non-public content (though CAPTCHAs on public pages are a gray area)
  • Scraping private messages, private profiles, or gated content that requires a login to view
  • Using stolen credentials to access protected systems
  • Circumventing two-factor authentication, paywalls, or encryption to reach hidden data

The Gray Area

  • Scraping while logged into your own account — This is where it gets tricky. You created an account. You agreed to the TOS. If the TOS says "no scraping," you're in breach of contract territory. Van Buren says this isn't a CFAA violation, but it could still be a civil breach of contract.
  • Rate limiting bypass — Sending thousands of requests per second and overwhelming a server could be considered a denial-of-service attack, which is illegal under the CFAA.
  • CAPTCHAs on public pages — If a page is technically public but has a CAPTCHA, does bypassing the CAPTCHA count as "circumventing an access restriction"? Courts haven't given a definitive answer.
  • Robots.txt violations — Robots.txt is a voluntary standard. Ignoring it isn't illegal, but it can be used as evidence of bad faith in a lawsuit.

The Incognito Browser Test

Here's the simplest way to know if you're on the right side of the line:

Open an incognito browser window. Don't log in to anything. Navigate to the page you want to scrape. Can you see the data?

  • If yes → it's public data → scraping is likely legal under current US case law.
  • If no → it's behind authentication → scraping carries significant legal risk.

That's it. That's the test. Every major court ruling has effectively drawn the line at authentication. Public side of the login wall = legal. Private side = dangerous.

What About Terms of Service?

"But their Terms of Service says no scraping!"

This is the argument that companies love to make. And it's weaker than you think.

What the Courts Say About TOS

  1. Van Buren (2021): The Supreme Court ruled that violating a TOS does not constitute a CFAA violation. TOS violations are not federal crimes.

  2. hiQ v. LinkedIn (2022): The Ninth Circuit held that a company cannot use TOS to create a CFAA claim against someone scraping public data.

  3. Meta v. Bright Data (2024): The court dismissed Meta's CFAA claim and only allowed the breach of contract claim to partially proceed — and only because Bright Data had a prior direct contractual relationship with Meta.

TOS Can Still Bite You (Just Not Criminally)

A TOS violation won't get you arrested or charged under federal law. But it can potentially support a civil breach of contract lawsuit. The key factors are:

  • Did you actually agree to the TOS? If you never created an account and never clicked "I agree," the argument that you're bound by the TOS is weak.
  • Is the TOS enforceable as a contract? Browse-wrap agreements (where the TOS exists as a link at the bottom of the page) are often found unenforceable. Click-wrap agreements (where you must click "I agree") are stronger.
  • Can the company prove damages? A breach of contract claim requires demonstrable harm. "They scraped our public data" often isn't enough.

The Bottom Line on TOS

TOS violations are a civil matter, not a criminal one. They can theoretically lead to a lawsuit, but:

  • Courts have been increasingly skeptical of TOS-based claims against scrapers
  • The burden of proof is on the company to show a valid contract and actual damages
  • Many TOS agreements are legally unenforceable anyway

Don't let a scary Terms of Service page convince you that scraping public data is illegal. It's not. But do understand that a company can still try to sue you in civil court — the question is whether they'll win.

International Considerations

If you're scraping across borders, you need to think beyond US law.

European Union (GDPR)

GDPR applies to personal data of EU residents. Even if the data is publicly available, GDPR requires:

  • A lawful basis for processing (legitimate interest is most commonly used for scraping)
  • Data minimization — only collect what you need
  • Respecting data subject rights — if someone asks you to delete their data, you must comply
  • A Data Protection Impact Assessment (DPIA) for large-scale processing

GDPR doesn't make scraping illegal, but it adds obligations around how you handle the data.

United Kingdom (UK GDPR)

Substantially similar to EU GDPR. The UK ICO has specifically addressed scraping and emphasized that scraping personal data requires a legitimate interest assessment.

Australia

The Australian Privacy Act applies to personal information. The Clearview AI case showed that Australian regulators will enforce privacy law against overseas scrapers.

Brazil (LGPD)

Brazil's data protection law is similar to GDPR. Scraping personal data of Brazilian residents requires a legal basis.

The Pattern

Most countries don't outlaw scraping itself. They regulate what you do with personal data after you collect it. The scraping is the easy part legally. The data handling is where you need to be careful.

Why Companies Send Cease and Desist Letters

If scraping public data is legal, why do companies keep sending C&D letters?

Because they work.

Not legally — but psychologically. Most small developers and startups don't have lawyers. They get a scary letter from a billion-dollar company's legal team, and they shut down immediately. That's exactly the intended effect.

Here's the Reality of C&D Letters

  1. A C&D is not a court order. You are not legally obligated to comply. It's a letter from a lawyer. That's all.
  2. There's no penalty for ignoring it. There's no legal consequence for not responding to a C&D. The company's next move would be to actually file a lawsuit, which costs them real money.
  3. Most C&Ds don't lead to lawsuits. Companies send C&D letters in bulk. They're fishing for easy compliance. Suing costs hundreds of thousands of dollars. They only sue the biggest targets.
  4. The letter itself is often legally weak. Many C&Ds cite the CFAA against public data scraping, which — as we've seen — doesn't hold up in court.

When Should You Take a C&D Seriously?

  • When it comes from a company that has a history of actually filing lawsuits (Meta, LinkedIn, Ryanair)
  • When you're actually doing something questionable (scraping behind login, violating privacy laws)
  • When the financial stakes are high enough for the company to justify litigation costs
  • When you're operating in a jurisdiction where the company has easy legal access (like having a US entity)

What to Do If You Get a C&D

  1. Don't panic.
  2. Don't immediately comply out of fear.
  3. Consult a lawyer who understands web scraping law.
  4. Assess whether what you're doing is actually within the legal boundaries (the incognito browser test).
  5. If you're scraping public data with legitimate methods, you're likely on solid legal ground.

FAQ: Web Scraping Legality

Yes, scraping publicly available data is legal in the United States under current case law. The key rulings — hiQ v. LinkedIn, Van Buren v. United States, and Meta v. Bright Data — all support this. The CFAA does not apply to accessing data that is publicly available without authentication.

Can I scrape Instagram, Facebook, or other social media platforms?

You can scrape publicly available data from these platforms. This means data visible to anyone in an incognito browser window without logging in. Public profiles, public posts, public comments — these are generally fair game. Private profiles, direct messages, and data behind login walls are off limits.

Does a Terms of Service make scraping illegal?

No. The Supreme Court in Van Buren v. United States (2021) held that violating a Terms of Service does not constitute a violation of the CFAA. A TOS violation is not a criminal offense. It could theoretically support a civil breach of contract claim, but courts have been skeptical of these claims, especially when there's no direct contractual relationship (i.e., you never created an account).

Can a cease and desist letter make scraping illegal?

No. A C&D letter is not a legal order. In hiQ v. LinkedIn, the court explicitly held that a C&D letter does not "revoke authorization" for purposes of the CFAA. You cannot revoke authorization to access something that was never restricted in the first place.

What's the difference between scraping and hacking?

Scraping collects data from publicly accessible web pages using automated tools. Hacking involves breaking into restricted systems by bypassing security measures (passwords, encryption, authentication). The CFAA was designed to prosecute hacking, not scraping. Courts have consistently made this distinction.

Can I get sued for web scraping?

Anyone can sue anyone for anything — the question is whether they'll win. If you're scraping public data without bypassing authentication, you have strong legal defenses based on multiple court rulings. If you're scraping behind login walls, creating fake accounts, or violating privacy laws, you're at much higher risk.

What about GDPR and European data?

GDPR doesn't prohibit scraping, but it regulates how you handle personal data after collection. If you're scraping personal data of EU residents, you need a lawful basis (usually "legitimate interest"), must practice data minimization, and must respect data subject rights (including deletion requests).

Using proxies to distribute request load is generally acceptable. However, using proxies specifically to circumvent IP-based access restrictions (being blocked and then using a proxy to get around the block) enters gray territory. The Craigslist v. 3Taps case found that circumventing IP blocks could constitute unauthorized access, though later rulings (hiQ, Van Buren) have weakened this argument.

What about rate limiting? Can I scrape as fast as I want?

No. Overloading a server with requests can be considered a denial-of-service attack, which is illegal under the CFAA and similar laws. Always implement reasonable rate limiting. Respect server infrastructure. If a site returns 429 (too many requests), slow down.

Can I sell scraped data?

Selling publicly scraped data is generally legal, but you need to consider privacy laws (GDPR, CCPA) if the data includes personal information. Bright Data sells scraped public data as their entire business model, and they successfully defended against Meta's lawsuit. However, how you present and use the data matters — see Clearview AI for an example of selling scraped data in a way that violated privacy laws.

This is an evolving area of law. Several lawsuits are ongoing (NYT v. OpenAI, Getty v. Stability AI). Generally, scraping public data for AI training is treated similarly to other scraping — the act of collection is likely legal, but copyright questions arise when AI models reproduce copyrighted content. This is a rapidly developing legal area.

What should I do if I receive a cease and desist letter?

Don't panic. A C&D is a demand letter, not a legal order. Consult with a lawyer who understands web scraping law. Assess whether your scraping involves only public data (legal) or crosses into authenticated/private territory (risky). If you're scraping public data with reasonable methods, you have strong legal precedent on your side.

Why SociaVault Only Scrapes Public Data

At SociaVault, we've built our entire platform around one principle: only access publicly available data.

This isn't just a legal strategy. It's a philosophical one.

Every API endpoint we offer — across Instagram, TikTok, YouTube, Twitter/X, LinkedIn, Reddit, Facebook, Threads, Pinterest, and 15+ other platforms — only returns data that is publicly visible. If you can see it in an incognito browser without logging in, our API can return it. If you can't, we don't touch it.

What This Means in Practice

  • No login-based scraping. We never log into accounts to access data. We don't use authenticated sessions. We don't maintain fake accounts. None of our infrastructure requires platform credentials.
  • No private data. We don't access private profiles, DMs, private groups, or gated content. If a creator's profile is set to private, our API returns nothing. That's by design.
  • No bypassing authentication. We don't circumvent login walls, two-factor authentication, or access controls. Every data point we serve is accessible on the open web.

Why This Matters to You

When you use SociaVault's API, you inherit our legal positioning. Because we only serve public data:

  1. Your CFAA risk is zero. hiQ v. LinkedIn and Meta v. Bright Data both confirm that accessing public data is not unauthorized access.
  2. Your TOS exposure is minimized. You never create accounts on the target platforms, so you never agree to their TOS. The browse-wrap TOS argument is weak and getting weaker.
  3. Your privacy compliance is simpler. You're only handling data that was publicly posted by the users themselves. While you still need to comply with GDPR and similar laws for personal data, the public nature of the data significantly simplifies your legitimate interest assessment.

The Industry Standard

We're not the only ones who take this approach. The biggest data companies in the world — Bright Data, Oxylabs, ScraperAPI — all emphasize public data collection. Some learned the hard way (through lawsuits). We built it into our foundation from day one.

The law is clear. The courts have spoken. Scraping public data is legal. And that's exactly what we do.

Summary: The State of Web Scraping Law in 2026

Here's where things stand:

RulingYearOutcomeImpact
hiQ v. LinkedIn2017-2022Scraping public data doesn't violate CFAAFoundational precedent for legal scraping
Van Buren v. US2021TOS violations aren't CFAA crimesSupreme Court narrows CFAA dramatically
Meta v. Bright Data2024Scraping public Meta data doesn't violate CFAAEven Meta can't stop public data scraping
Sandvig v. Barr2020TOS violations aren't criminal under CFAAProtects researchers and developers
Clearview AI2020-2024Privacy laws apply regardless of data sourceWhat you do with data matters
Craigslist v. 3Taps2013Circumventing IP blocks is riskyPre-Van Buren; likely outdated

The trend is unmistakable: Courts are consistently ruling that scraping public data is legal. The CFAA doesn't apply to public websites. TOS violations aren't federal crimes. And even the biggest companies in the world can't use legal threats to monopolize publicly available information.

But the law also has clear limits:

  • Don't scrape behind login walls
  • Don't bypass authentication or security measures
  • Handle personal data responsibly under applicable privacy laws
  • Don't overload servers
  • Don't build surveillance tools with scraped data

Stick to public data. Be reasonable with your methods. Handle the data ethically. And you'll be fine.

The courts have made the rules clear. Now go build something.

Need access to public social media data? SociaVault provides APIs for 25+ platforms — all public data, no login-based scraping, no legal gray areas. Get your API key and start building.

Found this helpful?

Share it with others who might benefit

Share on X

Ready to Try SociaVault?

Start extracting social media data with our powerful API. No credit card required.

Get Started FreeView Documentation