Web scraping is legal when you access publicly available data without bypassing authentication, but the boundaries keep shifting through court rulings. The most important cases — hiQ v. LinkedIn, Meta v. Bright Data, and Van Buren v. United States — have established that scraping public data doesn't violate the Computer Fraud and Abuse Act. However, violating a site's terms of service or scraping behind login walls can still trigger legal liability.
What Are the Most Important Web Scraping Court Cases?
Six landmark cases have shaped how courts treat web scraping. Each one clarified a different aspect of the law, from CFAA applicability to terms-of-service enforcement. Here's a summary of the rulings that matter most.
| Case | Year | Key Ruling | Impact on Scraping |
|---|---|---|---|
| hiQ Labs v. LinkedIn | 2017-2022 | Scraping public data doesn't violate CFAA | Established that public data is fair game |
| Van Buren v. United States | 2021 | CFAA only applies to bypassing access gates | Narrowed CFAA scope, helped scrapers |
| Meta v. Bright Data | 2024 | Meta lost — couldn't prove login-wall bypass | Reaffirmed public data scraping is defensible |
| Air Canada v. Seats.aero | 2024 | Terms of service violations as basis for claims | Strengthened ToS enforcement against scrapers |
| X Corp v. Anonymous Scrapers | 2024 | Server strain from aggressive scraping | Rate limiting and server impact matter legally |
| Google v. SerpAPI | 2025 | Pending — challenges SERP data extraction | Could reshape SEO tool industry if Google wins |
According to Apify's case law analysis, the hiQ v. LinkedIn case remains the single most important precedent for web scraping. But the legal landscape keeps evolving. Let's examine the cases that matter most.
What Did hiQ v. LinkedIn Establish?
The hiQ v. LinkedIn case is the foundation of modern web scraping law. hiQ Labs, a data analytics company, scraped publicly available LinkedIn profiles to provide workforce analytics services. LinkedIn sent a cease-and-desist letter and blocked hiQ's access. hiQ sued, arguing that scraping public data was legal.
The Ninth Circuit Court ruled that accessing publicly available data does not constitute "unauthorized access" under the CFAA. The court reasoned that when a website makes data available to the general public without requiring login credentials, automated access to that data isn't fundamentally different from manual access.
Key legal principles established:
- The CFAA's "without authorization" clause doesn't apply to publicly accessible websites
- A cease-and-desist letter alone doesn't create a CFAA violation
- Public data scraping is distinguishable from hacking into protected systems
However, the case ended with a practical compromise. According to ZwillGen's analysis of the final settlement, hiQ agreed to stop all scraping, delete all scraped data and derived algorithms, and LinkedIn received $500,000 in damages. The legal precedent survived even though hiQ didn't.
For context on how anti-scraping measures work in practice, see our guide to CAPTCHA bypass methods.
How Did Meta v. Bright Data Change the Rules?
In 2024, Meta (Facebook) sued Bright Data for scraping data from its platforms. Meta argued that Bright Data violated its terms of service and collected user data without authorization. The outcome surprised many in the industry.
Meta lost the case because it couldn't prove that Bright Data scraped data behind login walls. The court held that scraping publicly available data — even from Facebook pages visible without logging in — didn't violate the CFAA. This ruling reinforced the hiQ precedent and extended it to one of the world's largest platforms.
What this means for scrapers:
- Even tech giants can't block scraping of their public pages through CFAA claims alone
- The distinction between public and authenticated data is the critical legal boundary
- Terms of service violations alone may not be enough to win a CFAA case
According to ScrapeCreators' legal guide, this ruling gave significant confidence to data collection companies that operate within the public data boundary.
What Other Recent Cases Should You Know About?
Beyond hiQ and Meta, several 2024-2025 cases are reshaping scraping law in important ways.
Air Canada v. Seats.aero (2024): Air Canada sued Seats.aero, a flight search engine, for scraping award flight availability data. Unlike the hiQ and Meta cases, Air Canada focused on terms-of-service violations and trademark infringement rather than CFAA claims. This case demonstrates that companies are shifting their legal strategy toward contract law when CFAA arguments fail.
X Corp v. Anonymous Scrapers (2024): X (formerly Twitter) sued anonymous individuals who overwhelmed its servers with scraping requests. The case highlights that even if scraping is technically legal, doing it at a scale that degrades service performance can create legal liability. Rate limiting and responsible scraping practices aren't just ethical — they're legally relevant.
Google v. SerpAPI (2025): Google filed suit against SerpAPI for extracting search results data. This case could reshape the entire SEO tools industry. If Google wins, tools that scrape SERP data may need to find alternative data sources or licensing arrangements.
Clearview AI Settlement (2025): Clearview AI settled a class action lawsuit for approximately $51 million and 23% of company equity. The case centered on facial recognition data scraped from social media platforms, setting a major precedent for scraping personally identifiable information.
For more on which websites face the most scraping activity, see our most scraped websites in 2025 analysis.
What Legal Framework Governs Web Scraping in 2025?
Web scraping law varies significantly by jurisdiction. According to GroupBWT's 2025 compliance guide, there's no single global law that covers web scraping — instead, multiple overlapping frameworks apply depending on where you operate and where the target website is hosted.
| Law/Regulation | Jurisdiction | Key Provision for Scrapers | Risk Level |
|---|---|---|---|
| CFAA | United States | Prohibits "unauthorized access" to computers | Low for public data, high for authenticated |
| GDPR | European Union | Requires lawful basis for processing personal data | High if scraping personal information |
| CCPA/CPRA | California | Consumer rights over personal data collection | Medium for business-to-consumer scraping |
| Copyright Law | Global | Protects original content from reproduction | Medium — depends on how data is used |
| Contract Law (ToS) | Global | Websites can prohibit scraping via terms | Medium — enforceability varies by jurisdiction |
The practical rule of thumb in 2025: scraping publicly available, non-personal data without bypassing technical barriers is generally legal in the US. In the EU, GDPR compliance adds significant requirements when any personal data is involved. Our ethical web scraping guide covers the compliance requirements in detail.
What Is Legal vs. What Can Get You Sued?
Understanding the legal boundaries requires knowing not just what courts have ruled, but what practices commonly trigger lawsuits. Here's a practical framework based on current case law.
| Activity | Legal Status (US) | Risk of Lawsuit | Relevant Case |
|---|---|---|---|
| Scraping public pages without login | Generally legal | Low | hiQ v. LinkedIn, Meta v. Bright Data |
| Scraping behind login walls | Likely illegal under CFAA | High | Van Buren v. US |
| Scraping despite cease-and-desist | Gray area — not CFAA violation alone | Medium | hiQ v. LinkedIn |
| Violating website terms of service | Contract violation, not criminal | Medium | Air Canada v. Seats.aero |
| Scraping personal/PII data | Legal risk under GDPR/CCPA | High | Clearview AI settlement |
| Overloading servers with requests | Can trigger CFAA and tort claims | High | X Corp v. Scrapers |
| Using scraped data for AI training | Emerging area — unclear precedent | Medium-High | Multiple pending cases |
How Can You Scrape Data Legally in 2025?
Based on current case law, here are the practices that keep scraping operations on the right side of the law. According to Browserless's 2025 legal analysis, federal judges continue to allow scraping of public, non-password-protected content if no circumvention of security controls occurs.
| Best Practice | Why It Matters | Legal Basis |
|---|---|---|
| Only scrape publicly accessible pages | Avoids CFAA unauthorized access claims | hiQ v. LinkedIn, Van Buren |
| Respect robots.txt directives | Shows good faith, reduces legal exposure | Multiple court considerations |
| Implement rate limiting | Prevents server overload claims | X Corp v. Scrapers |
| Avoid scraping personal data (PII) | Reduces GDPR/CCPA exposure | Clearview AI precedent |
| Don't bypass CAPTCHAs or login walls | Bypassing access controls triggers CFAA | Van Buren v. US |
| Document your compliance process | Demonstrates responsible practices in court | General legal defense |
| Use a reputable scraping API | Shared legal infrastructure and compliance | Industry best practice |
Using a managed scraping API like ScrapingAPI.ai helps with compliance because the provider handles proxy rotation, rate limiting, and robots.txt respect on your behalf. Compare API options in our best web scraping API guide.
For teams building AI training datasets through scraping, the legal landscape is still forming. Several pending cases will clarify whether scraping for LLM training falls under fair use. Until then, we recommend focusing on public, non-copyrighted data sources. See our guide on scraping websites for LLM training for practical approaches.
What Are the Key Takeaways?
Web scraping law in 2025 rests on a few clear principles. Scraping publicly available data without bypassing access controls is generally legal in the US. The CFAA doesn't apply to public websites. But terms-of-service violations, personal data collection, and server overload can all create legal liability through other legal theories.
The trend since hiQ v. LinkedIn is toward more permissive scraping of public data and stricter enforcement around authenticated data and personal information. Companies shifting from CFAA to contract law claims means scrapers need to pay attention to terms of service, not just technical access controls.
Stay compliant by scraping only public data, respecting rate limits, avoiding personal information, and using reputable tools that build compliance into their infrastructure. The legal landscape will continue evolving, but these fundamentals protect you against the claims that courts are most likely to enforce.
