Web Scrapers And Their Targets Beware. Regulators Are Zeroing In On Privacy Implications

• Published date: 23 November 2021
• Subject Matter: Corporate/Commercial Law, Privacy, Corporate and Company Law, Privacy Protection
• Law Firm: Cozen O'Connor
• Author: Ms Lori Kalani, Mira E. Baylson and Meghan Stoppel

Selling web users' personal data is big business ' with a projected worth of $400 billion by 2025. In industries as diverse as health insurance and automobile manufacturing, companies that collect and aggregate user data to sell it (often referred to as data brokers)¹ are becoming a powerful force. Often, data brokers utilize web scraping to collect this data, frequently without the data subjects' or owners' knowledge or consent. And while certain states have enacted laws to give consumers more control over their data while bringing a modicum of transparency to this industry, the patchwork of applicable laws and regulations can be confusing. Companies doing business with data brokers need to understand the risks associated with web scraping, including the fact that state attorneys general (AGs) are talking about these issues. Below, we provide a primer on web scraping as well as an overview of the legal and regulatory challenges.

What Is Web Scraping?

Web scraping, in general, is the process of collecting data from websites by automated methods. It can occur either with permission from the company or person hosting the website or, as in most cases, without any knowledge or authorization from the website owner. Despite its ubiquity, this topic has received very little public attention from regulators in the last 10 years. In the 2014 Federal Trade Commission Report on Data Brokers,² for example, web scraping is only mentioned in passing, despite the well-known use of web crawlers by data brokers at the time. Part of the reason for this lack of attention is the opaque nature of web scraping. Companies often create web crawlers and unleash them on public websites ' no contract required, no permission requested. However, as regulators zero in on the privacy implications of collecting and disclosing user data, we predict web scraping will begin to draw their increasing attention and questions.

What Laws Could Potentially Regulate the Use of Scraped Data?

Regulatory enforcement actions related to web scraping are still relatively rare, which means there are few "bright line" rules. Most civil litigation on the issue has been brought under the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. ' 1030 ' a federal anti-hacking law. To prevail, a plaintiff must establish that the defendant "intentionally accessed" a protected computer "without authorization" or otherwise exceeded his or her "authorized access." The CFAA does not define the term "without authorization" though. And, as a result, the courts' application of the CFAA to data scraping has been anything but uniform. Some courts have interpreted the CFAA to not prohibit accessing (or scraping) public information from websites, so long as it can be done without bypassing a...