Affiliate disclosure: We earn a commission if you sign up through our links. This does not influence our test results or editorial scores.

Is Web Scraping Legal in 2026? The honest answer.

The honest answer to "is web scraping legal" in 2026: it depends on six variables, and four of them have moved against you since 2022. The 2022 Ninth Circuit hiQ v. LinkedIn permanent injunction concluded — on contract and state-law grounds, not the CFAA — that LinkedIn's terms of service were enforceable against hiQ. That ruling reset the boardroom risk calculus for every B2B scraping pipeline.

Add to that the CNIL's €240,000 fine of KASPR in 2024 for LinkedIn profile collection without lawful basis, and the EU AI Act's data-sourcing audit requirements, which take effect in stages through 2026.

What this means for the buyer

Vendors who can produce a Data Processing Agreement, a sub-processor list, a retention policy and a named privacy officer cost more — and that premium is now actually worth it for any team scraping PII at scale. This page lists the vendors we've confirmed publish a DPA on request and those we've confirmed do not.

Vendors with documented DPAs (confirmed by editorial team)

  • Zyte — DPA available on request. Ethical scraping certification. Named privacy officer.
  • Bright Data — SOC-2 Type II certified. DPA on request. Sub-processor list published.
  • Apify — GDPR DPA available. Data retention policy documented.
  • Oxylabs — DPA available. ISO 27001 in progress as of Q1 2026.

Vendors without confirmed DPAs (as of Jan 2026)

  • ScraperAPI — Terms of service present but no formal DPA published. Acceptable for non-PII personal projects; not acceptable for GDPR-scoped enterprise use.
  • Octoparse — Privacy policy present; no DPA template publicly available at time of review.

Six variables that determine legality

  1. Is the data personally identifiable (PII)? Names, email addresses, LinkedIn profiles, location data — these trigger GDPR Art. 5/6, CCPA, and UK DPA obligations regardless of whether the page is "public".
  2. Does the site's ToS prohibit scraping? Post-hiQ, ToS are enforceable under contract law in the US 9th Circuit. Violating ToS is a legal exposure even if CFAA doesn't apply.
  3. Is your jurisdiction subject to GDPR / CCPA? If you're processing EU residents' data or California residents' data, the answer is yes — regardless of where your servers are.
  4. Are you scraping at scale? One-off academic dataset pulls are lower risk than systematic commercial scraping pipelines.
  5. Do you have a documented lawful basis? GDPR Art. 6 requires a lawful basis for processing. "It's publicly available" is not a lawful basis.
  6. Does your vendor have a DPA? Your vendor is a data processor under GDPR. Using a vendor without a DPA is itself a compliance failure.

The KASPR fine — what happened and why it matters

In 2024, the French CNIL fined KASPR €240,000 for collecting LinkedIn profile data — names, job titles, email addresses — without a documented lawful basis under GDPR Art. 6. KASPR's argument that the data was "publicly available" on LinkedIn was rejected. The fine is now a precedent that "public" does not mean "free to collect at scale for commercial purposes."


Privacy and affiliate disclosure

WebScrapingTool.net earns affiliate commissions from vendors listed on this site. Our editorial scoring is independent of affiliate status — we disclose compliance failures (missing DPAs, incomplete privacy policies) for all vendors including those who pay us commissions. This disclosure is compliant with FTC 16 CFR Part 255.

We do not sell user data. Analytics are processed by Plausible Analytics (GDPR-compliant, no cookies by default). Cookie consent is granular — accept analytics only, reject marketing. Last reviewed: January 2026.
