GDPR turns 8 this year, yet web scraping legality under GDPR is still misunderstood by most developers. Here is a practical breakdown of what is actually legal in 2026.
The Core GDPR Question for Scrapers
GDPR applies to personal data — information that can identify a natural person. The key question for any scraping project: are you collecting personal data?
- Scraping product prices from Amazon: not personal data — GDPR does not apply
- Scraping company job listings: not personal data — GDPR does not apply
- Scraping LinkedIn profiles with names and emails: personal data — GDPR applies
- Scraping news articles: not personal data — GDPR does not apply
- Scraping property listings with owner names: personal data — GDPR applies
The Three Legal Bases Scrapers Actually Use
1. Legitimate Interests (Article 6(1)(f)) — Most Common
This covers most B2B scraping. You can process personal data if:
- You have a legitimate business interest
- The processing is necessary for that interest
- The interest is not overridden by the data subject's rights
When it works: Scraping publicly listed B2B contact info for relevant outreach. The key test: would this person reasonably expect their professional contact info to be used this way?
When it fails: Scraping personal social media for profiling consumers. People do not expect their personal posts to fuel commercial data products.
2. Consent (Article 6(1)(a)) — Rarely Applicable for Scrapers
You need explicit, informed, specific consent. You cannot retroactively get consent for already-scraped data. Not practical for most scraping use cases.
3. Public Interest / Research (Article 6(1)(e)) — Academic Scrapers
Covers legitimate academic research and journalism. Narrow exception, requires genuine public interest.
The Data Minimisation Principle
Under Article 5(1)(c), you must collect only what you need. This has practical implications:
- Scraping full LinkedIn profiles when you only need email + company? Violation risk.
- Storing raw HTML dumps with personal data you do not use? Violation risk.
- Retaining scraped contact data indefinitely? Violation risk.
Practical rule: collect the minimum fields you need, delete what you do not use, set retention limits.
The Right to Erasure Problem
Article 17 gives individuals the right to request deletion of their data. If you scrape contact databases:
- You need a process to handle deletion requests
- You cannot honour deletion if you do not know what you have stored
- Solution: maintain an inventory of what personal data you hold and where
The irony: GDPR compliance requires you to have better data management than non-compliance.
Cross-Border Transfers
If you are in the EU and scraping data to send to a US-based API or storage:
- EU-US Data Privacy Framework (2023) covers many US companies
- Check if your US provider is certified: dataprivacyframework.gov
- Standard Contractual Clauses are the fallback if not certified
For pure data collection stored in EU infrastructure: no cross-border issue.
Practical Compliance Checklist
For a B2B scraping operation:
☐ Identify: does your scraping collect personal data?
☐ Document: write a Legitimate Interests Assessment (LIA)
☐ Minimise: collect only fields you actually use
☐ Notify: include Article 14 notice in first contact (who you are, why you are contacting, how to opt out)
☐ Honour opt-outs: maintain a suppression list, process within 30 days
☐ Retain responsibly: delete data older than 12-24 months
☐ Secure: encrypt personal data at rest and in transit
☐ Document transfers: if using US-based services, verify DPF certification
What Regulators Actually Enforce
Enforcement focuses on:
- Large-scale data breaches (millions of records)
- Sensitive data (health, political views, financial)
- Consumer profiling without consent (ad tech)
- Companies that ignore formal complaints
Small B2B outreach operations using scraped data are extremely low enforcement priority — but a single complaint triggers an inquiry.
The cost of compliance is 2-4 hours of documentation. The max fine is 2% of global annual turnover. The math is clear.
The Tools That Make Compliance Easier
Using scraping tools that export directly to your own database (no third-party data custody) simplifies your GDPR position considerably.
Includes pre-built scrapers with direct database export, GDPR Legitimate Interests Assessment template, suppression list management setup, and data minimisation configuration options.
Running a scraping operation and unsure about your GDPR exposure? Drop the specifics in the comments — I am happy to give a quick assessment.
Top comments (0)