
We’re all used to those segmented pictures that appear on websites asking us to click on squares with traffic lights, vehicles or some other object. They tend to appear before we can get access to the full content of a particular platform, and they are intended to root out data scrapers, that is, bots trying to pull out publicly available data from a website or social media platform.

Data scraping is not illegal in principle. And a court in the US has just confirmed that it’s permissible for a data scraping company to mine the networking site LinkedIn for the personal data of LinkedIn members – subject to the qualifications we discuss below.

At Nath Solicitors in London we believe this is a significant case that applies particularly to our clients in the US. Even if you are not a large data scraping company, you may well use data from websites such as LinkedIn for market research and targeted advertising purposes. The LinkedIn case sheds light on when you can and can’t do this.

In the UK and Europe, data scraping is allowed so long as it complies with data privacy law, notably GDPR. Again, we discuss this below.

THE LinkedIn v hiQ DISPUTE

The professional networking site LinkedIn allows members to determine how much of their personal/professional information is available to non-members. The company uses a range of methods to prevent data scraping of publicly available information. hiQ is a data analytics company that harvests LinkedIn data, including members’ employment history and skills. It then sells that information to third parties. In 2017 LinkedIn asked hiQ to cease its scraping of the platform. It argued firstly that the behaviour contravened LinkedIn’s terms and conditions of use and secondly that it was contrary to the Computer Fraud and Abuse Act (the CFAA).

hiQ’s profitability relied almost entirely on the information it took from LinkedIn. It successfully applied to the Californian District Court for an order that it wasn’t acting illegally and an injunction to prevent LinkedIn from thwarting hiQ’s access to the site.

LinkedIn appealed the injunction.

The professional networking platform put forward several arguments. Perhaps most importantly for our clients, it argued that once it had sent a cease and desist letter to hiQ, any subsequent accessing of LinkedIn by hiQ was unauthorised and therefore contrary to the CFAA.

In a decision that has attracted widespread commentary, the Appeals Court in the US Ninth District has just rejected LinkedIn’s case. The court’s central thesis was this: when a computer network (like LinkedIn) permits public access to its data, a user (like hiQ) who accesses that publicly available data will not be engaging in unauthorised access under the CFAA. Effectively, the court determined that the data being sought by hiQ was not actually owned by LinkedIn. Its use could not therefore be restricted by the CFAA.


The decision by the US Ninth District Appeals Court is certainly a move towards greater flexibility on how companies may lawfully use personal information that’s freely available on an online platform. And it would seem to go against current international efforts to give individuals much greater control of their personal information. But it doesn’t herald a free-for-all when it comes to using and monetizing this type of data. Whether or not data scraping is permitted will depend on the type of data in dispute. Is it owned by a platform, for example, or located behind a paywall or password? Such data is much more likely to be viewed as property of the platform and unsuitable for data scraping.

It’s also worth noting that the case has further to run. The Ninth District decision merely confirmed the lower court’s injunction. In addition, this decision relates mainly to whether the CFAA had been breached. It didn’t deal with other aspects of the dispute between the parties, including LinkedIn’s breach of contract and unjust enrichment claims.


GDPR applies to companies in the EU and to companies elsewhere, including the US, where they process the data of individuals located within the EU. To comply with GDPR, a data scraper must establish that the information is processed under one of the six legal bases for processing, including consent, legitimate interests and the purpose limitation principle.


If you use data that has been scraped, or your business harvests data for its own commercial reasons, you should keep in mind the limitations in the LinkedIn decision outlined above.

For companies subject to GDPR and those that come under the regulation of the UK Information Commissioner, care should be taken when using harvested data purchased from third parties. As the Cambridge Analytica case showed in the context of political campaigns, the ICO requires organisations to exercise due diligence when using data sets acquired externally. This includes carrying out impact assessments when processing data that may present a risk to the rights of individuals.

For more information on data protection law please contact Shubha Nath on + 44 (0) 203 670 5540 or contact us online.




    Copyright. Nath Solicitors Limited. Registered in England and Wales. Company Number: 08724944. VAT number: 207490711. Office Located at: 35 Berkeley Square, London, W1J 5BF. Nath Solicitors Limited is authorised and regulated by the Solicitors Regulatory Authority. Registration number 608014.