Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If your business depends on data, you’ve probably asked: is web scraping legal? It’s a fair question. Scraping tools can speed up research, monitor prices and collect public information at scale - but doing it wrong can land you in hot water.
In this guide, we’ll break down when scraping is lawful in the UK, the key laws you need to know, practical guardrails to put in place, and how to protect your own site from being scraped. The aim is to help you stay compliant and confident, without slowing down your growth.
Is Web Scraping Legal In The UK?
Yes - web scraping can be legal in the UK, but it depends on what data you collect, how you collect it, and what you do with it.
Think of scraping as a method (like copy and paste, but automated). The method isn’t automatically unlawful. The risks arise from the rules around access, content and use. In practice, most legal issues fall into one or more of these buckets:
- Contract: ignoring or breaching a website’s Terms of Use that restrict scraping or automated access.
- Intellectual property (IP): copying protected content (copyright) or extracting substantial parts of a protected database (database right) without permission.
- Data protection: collecting or processing personal data in a way that doesn’t comply with UK GDPR and the Data Protection Act 2018.
- Computer misuse: bypassing technical measures to access data you’re not allowed to access (for example, hacking, credential stuffing or evading access controls).
- Confidentiality: scraping and using information that is confidential or subject to a duty of confidence.
If you design your scraping to respect these rules (and you document your compliance), web scraping can be a perfectly legitimate tool for a UK business.
The Main Laws You Need To Consider
1) Contracts And Website Terms
Most websites have Terms of Use that form a contract with visitors. It’s common for these terms to limit or prohibit scraping, crawling or automated access; to set rate limits; and to restrict copying or reuse of content.
If your scraping ignores clear contractual restrictions, you may be in breach of contract. That can result in takedown demands, account blocks, claims for damages, or being cut off from the platform - none of which are good for business. Build a habit of reading and respecting the site’s terms before you scrape. If you run a website yourself, you can deter abusive scraping by publishing clear, enforceable Website Terms of Use that set out your rules on bots, rate limits and content reuse.
2) Copyright And Database Right
Two IP rights are especially relevant:
- Copyright (Copyright, Designs and Patents Act 1988) protects original content like text, images, code and some structured materials.
- Database right (Copyright and Rights in Databases Regulations 1997) protects databases where there’s been a substantial investment in obtaining, verifying or presenting the contents.
Scraping that simply identifies facts (e.g. the price shown today) is less risky than scraping and reproducing the creative expression (e.g. long-form content, photos, product descriptions) or repeatedly extracting a substantial part of a protected database. Even if each extraction is small, systematic extraction of a “substantial part” over time can infringe database rights.
Practical tips: avoid copying creative content; don’t republish someone else’s dataset; and consider storing only what you need (e.g. derived metrics or aggregated stats). If you need to use protected content at scale, get a licence.
3) Data Protection (UK GDPR And Data Protection Act 2018)
If your scraping gathers any information that identifies a living person (names, contact details, photos, usernames, identifiers combined with other data), you’re processing personal data. That triggers obligations under the UK GDPR and the Data Protection Act 2018. Core duties include lawfulness, transparency, purpose limitation, data minimisation, accuracy, storage limitation and security.
Key points for scrapers handling personal data:
- Lawful basis: have a lawful basis for processing (legitimate interests, consent, or another basis). Run a legitimate interests assessment if you rely on legitimate interests.
- Transparency: clearly explain your data uses in a concise, accessible Privacy Policy, especially if you collect data indirectly (via scraping).
- Respect rights: be ready to handle access, deletion and objection requests within deadlines. If you’re unsure when you can share personal information without consent, get advice.
- Minimise and secure: collect only what you need; implement appropriate security; and avoid scraping special category data (health, biometrics, political opinions) unless you meet strict conditions.
- Processors and sharing: if a vendor processes scraped personal data for you, put a compliant Data Processing Agreement in place. If you share data with another controller, use a clear Data Sharing Agreement.
- Registration and fees: most controllers must pay an ICO fee unless exempt.
Remember: data from public sources can still be personal data. Public doesn’t mean free-for-all. You still need a lawful basis, transparency and safeguards.
4) Computer Misuse Act 1990
The Computer Misuse Act (CMA) criminalises unauthorised access to computer material. Basic scraping of publicly accessible pages is unlikely to be “unauthorised”. But scraping that bypasses authentication, evades access controls, exploits vulnerabilities, or ignores technical blocks (for example, using stolen credentials or brute-forcing session tokens) risks breaching the CMA. Stay firmly on the right side of access controls.
5) Confidential Information
Scraping content behind paywalls or login systems can raise breach of confidence issues, especially if the site imposes confidentiality obligations. Even if a password is shared with you by a customer or partner, scraping content for broader commercial use may breach confidence. If in doubt, get express permission from the rights holder.
What’s Usually Allowed (And What Isn’t)
Likely To Be Low-Risk
- Scraping non-copyrightable facts that are publicly accessible without login, and using them internally (for example, checking listed prices to monitor market trends), while respecting rate limits and Terms of Use.
- Scraping your own websites, apps or platforms (especially to migrate data or build search indexes).
- Scraping under a licence or written permission that allows automated collection for defined purposes.
- Scraping public data to generate aggregated, non-identifiable statistics (e.g. market averages), ensuring you don’t re-publish protected content or reconstitute another party’s database.
Higher Risk Or Likely Unlawful
- Copying and republishing large portions of protected content (articles, images, product descriptions) without permission.
- Systematic extraction of a substantial part of someone else’s protected database, even if you take small chunks over time.
- Scraping personal data without a lawful basis or transparency, or scraping sensitive categories of personal data without meeting strict conditions.
- Ignoring clear Terms of Use that prohibit automated access or scraping.
- Bypassing paywalls, login systems or other access controls (potentially a CMA offence) or scraping content subject to confidentiality obligations.
- Scraping in a way that imposes an unreasonable load on a website (for example, aggressive request rates that degrade service), which can raise legal and reputational issues and may lead to being blocked.
How To Scrape Lawfully: A Practical Checklist
Here’s a pragmatic process your team can follow before launching a scraping project.
1) Define Your Purpose And Data Scope
- Write a brief: what problem are you solving, what data fields are needed, and how will you use the outputs?
- Minimise: collect only what’s necessary. Prefer derived features or aggregates to raw content where possible.
2) Map Legal Touchpoints
- Terms of Use: check whether the target site allows scraping, sets rate limits, or requires a licence/API. Document your review.
- IP: identify if you might copy protected content or extract a protected database. Plan to avoid (or license) protected elements.
- Personal data: identify whether any fields are personal data. If yes, you’ll need UK GDPR compliance from the outset.
- Access controls: confirm the content is publicly accessible without bypassing security or logins.
3) Complete A Data Protection Impact Assessment (If Needed)
- If personal data is involved - especially at scale - conduct a proportionate risk assessment (a DPIA is best practice and sometimes required).
- Choose a lawful basis (often legitimate interests), and record your balancing test.
4) Implement Technical And Organisational Controls
- Rate limiting: throttle requests, respect robots.txt as a courtesy, and avoid imposing load on target servers.
- Filtering: exclude sensitive categories and obvious personal identifiers where possible; hash or pseudonymise identifiers if you only need linkage.
- Security: encrypt data in transit and at rest; control access; log processing activities.
- Retention: set clear retention periods and automatic deletion rules aligned with your purpose.
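A sketch of how the controls in step 4 could look inside a collection pipeline, added here as an illustration and not Sprintlaw's code: it checks robots.txt rules before scheduling requests, throttles to the stricter of the site's crawl delay and a floor, keeps only the needed fields, replaces an identifier with a keyed hash, and drops records past retention. The bot name, delay floor, 30-day retention period, field names and the shop.example site are all assumptions.

```python
import hashlib
import hmac
from datetime import datetime, timedelta
from urllib import robotparser

USER_AGENT = "example-research-bot"  # hypothetical bot name
MIN_DELAY = 2.0                      # assumed floor, seconds between requests
RETENTION = timedelta(days=30)       # assumed retention period
# Constructed robots.txt for a fictional site, not taken from a real host.
ROBOTS_TXT = "User-agent: *\nCrawl-delay: 5\nDisallow: /account/\nDisallow: /search\n"

def load_rules(text):
    rp = robotparser.RobotFileParser()
    rp.parse(text.splitlines())
    return rp

def plan_requests(rules, urls, start=0.0):
    """Return ([(offset_seconds, url)], skipped_urls) honouring robots.txt."""
    delay = max(MIN_DELAY, float(rules.crawl_delay(USER_AGENT) or 0))
    schedule, skipped = [], []
    for url in urls:
        if rules.can_fetch(USER_AGENT, url):
            schedule.append((start + delay * len(schedule), url))
        else:
            skipped.append(url)  # disallowed path: never requested
    return schedule, skipped

def pseudonymise(identifier, key):
    """Keyed hash: equal inputs link to one token; the raw value is not stored."""
    norm = identifier.strip().lower().encode()
    return hmac.new(key, norm, hashlib.sha256).hexdigest()

def minimise(record, key, keep=("sku", "price", "collected_at")):
    """Keep only the fields the purpose needs; swap the seller for a token."""
    out = {k: record[k] for k in keep if k in record}
    if "seller" in record:
        out["seller_ref"] = pseudonymise(record["seller"], key)
    return out

def purge_expired(records, now):
    """Drop records older than the retention period."""
    return [r for r in records if now - r["collected_at"] <= RETENTION]

# Constructed sample record; free-text fields are dropped by minimise().
SAMPLE = {"sku": "LAMP-01", "price": 9.99, "seller": "Alice@Example.com",
          "review_text": "constructed text", "collected_at": datetime(2024, 1, 1)}
```

The HMAC key has to be stored separately from the dataset and access-controlled: a keyed hash is pseudonymisation, not anonymisation, so the output remains personal data under UK GDPR while the key exists.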
5) Put Contracts And Notices In Place
- Vendors: where a third party processes data for you, sign a Data Processing Agreement.
- Partners: if you exchange datasets with another controller, use a Data Sharing Agreement to set purposes, security and responsibilities.
- Transparency: publish and keep an up-to-date Privacy Policy that explains indirect data collection and your lawful basis.
- Permissions: if you need protected content, get a licence or signed permission that covers automated collection.
6) Document And Train
- Records: keep a record of your legal checks, DPIA, technical controls and permissions. If challenged, this is your evidence of due diligence.
- Training: ensure engineers and data teams understand the limits (no bypassing access controls, no scraping of sensitive categories, respect for Terms of Use, and escalation paths for borderline calls).
7) Plan For Data Rights And Takedowns
- Rights requests: set up a channel to handle data subject requests relating to scraped data (access, deletion, objection) and define your verification process.
- Takedowns: have a process to pause or adjust scraping if you receive a complaint, platform notice or legal letter, and a route to negotiate licences where appropriate.
What Legal Documents Should You Put In Place?
Whether you’re scraping or protecting your own website from being scraped, putting the right paperwork in place will save you headaches.
For Businesses That Scrape
- Privacy Policy: Explain your purposes, lawful basis, sources (including indirect collection), retention and rights. A clear, compliant Privacy Policy is essential if any personal data is involved.
- Data Processing Agreement: If a vendor or contractor processes scraped data on your behalf, you need a Data Processing Agreement with the mandatory UK GDPR clauses.
- Data Sharing Agreement: If you share scraped datasets with other controllers, set clear responsibilities with a Data Sharing Agreement.
- Internal Policies: Standard operating procedures and an Acceptable Use Policy for tools and data can reduce accidental overreach by your team.
- ICO Registration: Unless exempt, budget for the annual ICO fee as a data controller.
For Businesses That Want To Deter Scraping Of Their Own Site
- Website Terms Of Use: Publish robust Website Terms of Use that prohibit unauthorised scraping, set rate limits, restrict reuse of content and specify consequences for breach.
- Technical Measures: Combine terms with practical steps: rate limiting, bot detection, watermarking for media, and careful pagination or API gateways.
- IP Notices: Make copyright/database notices visible and consider structured licences for legitimate reuse (for example, an API with fair usage terms).
- Privacy, Cookies And Security: Keep your Privacy Policy current, and make sure your cookie and tracking set-up (including any cookie banners) aligns with your data collection.
It can feel like a lot, especially if data operations are new to your team. Don’t stress - with the right foundations, you’ll be protected from day one. If something here doesn’t quite fit your situation, it’s wise to get tailored advice before you launch.
Key Takeaways
- Web scraping is not inherently illegal in the UK - legality depends on access rights, the content you copy, and what you do with the data.
- Always check and respect a target website’s Terms of Use; ignoring clear anti-scraping clauses can lead to breach of contract and blocks.
- Watch IP rights: avoid copying creative content and don’t extract substantial parts of protected databases without permission or a licence.
- If scraping personal data, UK GDPR applies: choose a lawful basis, publish a transparent Privacy Policy, minimise data, secure it, and be ready to handle rights requests.
- Never bypass access controls - evading paywalls or logins risks breaching the Computer Misuse Act.
- Put the right paperwork in place for both sides of the equation: Data Processing Agreement and Data Sharing Agreement for your scraping operations; strong Website Terms of Use to protect your own site.
- Document your due diligence, throttle your requests, and design your scraper to minimise and de-identify data wherever possible.
If you’d like help designing a compliant approach to web scraping (or tightening your website’s protections), you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.


