Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you’ve heard people talk about “scraping” (or “web scraping”) and wondered what it means for your business, you’re not alone.
Plenty of UK businesses use scraping tools to gather public information at scale - think price monitoring, lead lists, or market research. Others worry about bots copying their content or harvesting customer data.
Either way, it’s important to understand how scraping intersects with UK law so you can stay compliant and protect your business from day one.
In this guide, we’ll explain what scraping is in practical terms, when it’s legal (and when it isn’t), how GDPR and marketing rules apply, and the steps you can take whether you plan to use scraped data or you’re trying to stop third parties from scraping your site.
What Is Scraping And How Do Businesses Use It?
Scraping is the automated collection of information from websites or apps using software tools (often called “bots” or “crawlers”). Instead of manually copying information, a scraper fetches pages, extracts specific data (like prices, product descriptions, contact details or reviews), and saves it for analysis or use in another system.
Legitimate business uses include:
- Competitor and price monitoring across marketplaces or retail sites.
- Market research and trend tracking (e.g. product availability or features over time).
- Gathering public information from official registers or directories to maintain your own database.
- Due diligence (e.g. verifying publicly posted business details).
Scraping can also be misused - for example, cloning content to pass off as your own, harvesting personal data without a lawful basis, or hammering a site’s servers and disrupting service.
From a legal perspective, the key questions are: what data is being collected, how is it collected, how is it used, and what rules (including a site’s terms) apply?
Is Web Scraping Legal In The UK?
There’s no single “Scraping Act.” Instead, several areas of UK law can apply depending on the facts. Scraping can be lawful in many scenarios, but crossing certain lines can create real risk. Here are the main legal touchpoints to consider.
1) Contract Law And Website Terms
Most websites and apps have Terms of Use that set the rules for access. Those terms often restrict automated access, reuse of content, or commercial exploitation. If your scraper accesses the site in a way that binds you to those terms (for example, through a click‑through, sign‑in, API key, or clear browse‑wrap acceptance), scraping in breach of those terms may amount to breach of contract.
If you run a website or app, strong, well‑drafted Website Terms of Use help you set clear boundaries around bots, rate limits and reuse of content - and give you a contractual lever if someone ignores them.
2) Database Rights And Copyright
UK law protects databases and original content. Two rights matter here:
- Copyright (Copyright, Designs and Patents Act 1988) protects original literary works (e.g. original product descriptions, articles, blog posts). If scraping lifts a “substantial part” of a protected work, that can infringe copyright.
- Database right (created by the UK’s Database Regulations) protects databases where there’s been a substantial investment in obtaining, verifying or presenting the contents. Systematic extraction or reutilisation of a substantial part (or repeated extraction of insubstantial parts) can infringe this right.
Not every list or dataset is protected, but many commercial catalogues and curated datasets will be. If your goal is to reproduce or republish another business’s content at scale, that’s a red flag.
3) Computer Misuse And Technical Access Controls
The Computer Misuse Act 1990 prohibits unauthorised access to computer material. If a scraper bypasses access controls, uses stolen credentials, exploits vulnerabilities, or otherwise accesses systems “without authorisation,” you may stray into criminal territory. Even if content is public, breaching login gates, session tokens or technical protections is risky.
At a practical level, respect robots.txt, don’t hammer servers, and don’t try to evade technical controls. If a site provides an API with specific rules, use that rather than scraping around it.
4) Passing Off And Unfair Competition
Using scraped content to imitate another brand or mislead customers (e.g. copying product imagery and descriptions to masquerade as an authorised seller) can trigger passing off and other unfair trading risks, as well as consumer law issues around accuracy and transparency.
5) Other Sector‑Specific Rules
Some sectors (like financial services, health, or education) have additional data and content rules. If you’re scraping regulated information or working with data from regulated environments, get tailored advice before you proceed.
When Scraping Involves Personal Data: GDPR And PECR Basics
If the data you collect relates to an identifiable individual (names, emails, phone numbers, social handles tied to a person, photos, etc.), UK data protection law applies - even if that data was publicly available online.
UK GDPR/Data Protection Act 2018
Under UK GDPR and the Data Protection Act 2018, you need a lawful basis to collect and use personal data. For scraping, businesses often consider “legitimate interests”, but you must conduct and document a balancing test to show your interests aren’t overridden by the individual’s rights. Key obligations include:
- Transparency: You must provide privacy information to individuals within a reasonable period after collection (Article 14 obligations). If providing notice would be impossible or involve disproportionate effort, limited exemptions may apply - but you’ll need to meet specific conditions and document your reasoning.
- Purpose limitation: Don’t repurpose scraped data for unrelated uses unless you can rely on a compatible lawful basis.
- Data minimisation: Collect only what you genuinely need.
- Security: Implement appropriate technical and organisational measures to protect the dataset.
- Individual rights: Respect rights of access, objection, and erasure where applicable.
- DPIA: For higher‑risk scraping (e.g. large‑scale profiling), consider a Data Protection Impact Assessment.
Make sure your Privacy Policy clearly explains the categories of data you collect, your lawful bases, retention, and rights - and that your internal processes match the policy.
Direct Marketing And PECR
If you intend to use scraped personal data for marketing, the Privacy and Electronic Communications Regulations (PECR) impose extra rules on electronic marketing (email, SMS, some calls). In many cases you’ll need prior consent for B2C emails and must include clear opt‑out mechanisms. For B2B marketing, the rules differ but you still need to meet fair processing and opt‑out requirements.
Before contacting prospects, check the UK rules on email marketing laws and make sure each campaign is compliant. Non‑compliance can invite complaints, fines, and reputational damage.
Special Category And Children’s Data
If your scraping captures data that reveals someone’s health, religion, political views or other “special category” data, you’ll need an additional lawful basis and stronger safeguards. Extra care also applies if any data relates to children - targeted profiling or marketing here can be particularly high risk.
Protecting Your Own Website Or App From Scrapers
Worried about competitors or third parties scraping your site? A mix of legal and technical measures gives you the best protection.
Legal Foundations
- Terms that bite: Publish clear Website Terms of Use that prohibit automated access, content reuse, rate limit breaches, and reverse engineering - and apply them through click‑wrap or sign‑in flows where feasible.
- IP notices: Assert copyright and database rights on your site, and identify any content your users upload (and the licence you need to host it).
- Acceptable use rules: If you run an account‑based platform or API, an Acceptable Use Policy can spell out permitted access methods, bot behaviour and anti‑scraping measures.
- Privacy coverage: If you collect personal data (including IP addresses used for anti‑fraud), your Privacy Policy should explain what you collect and why.
Technical Controls
- Deploy rate limiting, CAPTCHAs, bot detection and geo/IP blocking to slow or stop automated requests.
- Use robots.txt and meta tags to indicate no‑scrape areas (while not legally binding, they support your argument that access is unauthorised).
- Serve core content via authenticated flows where appropriate, and log user activity for evidence gathering.
- Offer an API with suitable authentication and usage caps so legitimate developers have a lawful route without scraping.
Enforcement Options
If you detect scraping and have evidence:
- Send a cease‑and‑desist referencing your terms, IP rights and technical controls. Keep server logs, timestamps and screenshots.
- Consider blocking offending IPs or API keys and escalating to the relevant hosting provider for abuse handling.
- Where there’s clear harm or persistence, explore legal claims (breach of contract, database right or copyright infringement, and where relevant, Computer Misuse Act). A well‑timed breach of contract letter often focuses attention.
Choosing the right path depends on your evidence, the scale of harm and the scraper’s location. Getting tailored advice early can save time and cost.
Planning To Use Scrapers Or Scraped Data? Practical Steps And Key Documents
If you’re considering scraping as part of your operations, approach it like any other business function: plan, document, and set controls.
1) Define Your Use Case And Risk Level
Start by mapping what you want to collect, from where, how often, and for what purpose. Then assess the risk:
- Low risk: Public, non‑personal, non‑copyrightable facts (e.g. anonymised prices), light frequency, no technical circumvention.
- Medium risk: Public but curated content, potential database right, higher frequency, limited reuse.
- High risk: Personal data, repeated extraction of substantial parts, login‑gated content, competing publication of scraped content.
The higher the risk, the more you should favour official APIs, licensing deals, or manual verification rather than automated scraping.
2) Respect Website Terms And Access Controls
Read the target site’s terms. If scraping is prohibited, you’ll need to weigh legal and reputational risk - or seek permission. If an API exists, use it within the rules instead of scraping around it. Never bypass paywalls, credentials or technical protections.
3) Address GDPR/PECR Before You Collect
If personal data may be captured, pick your lawful basis, draft your transparency wording, and plan how you’ll handle access requests and objections. Complete a DPIA if risks are high. If third‑party providers process the data for you (e.g. data enrichment, cloud storage, analytics), put a Data Processing Agreement in place with each processor.
If you’ll share data with another controller (for example, supplying a partner with datasets), set clear responsibilities in a Data Sharing Agreement.
4) Build Internal Controls
- Throttle your requests to avoid service disruption; log your scraping activity (what was collected, when, and from which URLs) for audit trails.
- Filter out unnecessary personal data and sensitive categories; apply retention limits.
- Quality‑check data to avoid inaccurate outputs that could mislead customers or breach consumer law.
- Document your decisions so you can evidence compliance if regulators ask.
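The throttling and audit-trail controls above, together with the earlier advice to respect robots.txt, can be enforced in one gate in front of every request. This is an added example, not code from Sprintlaw or any scraping tool; the host `example.test`, the bot name `acme-research-bot`, the sample robots.txt and the injected `fetch_fn` are assumptions made for illustration.

```python
import time
import urllib.robotparser

# Constructed robots.txt for the hypothetical host example.test
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /account/
Crawl-delay: 2
"""


class CompliantFetcher:
    """Gate each request on robots.txt, throttle it, and record an audit entry."""

    def __init__(self, robots_txt, user_agent, min_delay=1.0,
                 clock=time.monotonic, sleep=time.sleep):
        self.rp = urllib.robotparser.RobotFileParser()
        self.rp.parse(robots_txt.splitlines())
        self.user_agent = user_agent
        # Honour the site's Crawl-delay when it is stricter than our own floor.
        site_delay = self.rp.crawl_delay(user_agent) or 0
        self.delay = max(float(min_delay), float(site_delay))
        self.clock, self.sleep = clock, sleep
        self.last_request = None
        self.audit_log = []  # what was requested, when, and the outcome

    def fetch(self, url, fetch_fn):
        """fetch_fn(url) -> bytes performs the real HTTP call (injected, hypothetical)."""
        entry = {"url": url,
                 "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())}
        if not self.rp.can_fetch(self.user_agent, url):
            # Disallowed paths are never requested, but the decision is logged.
            entry.update(action="skipped", reason="robots.txt disallow")
            self.audit_log.append(entry)
            return None
        if self.last_request is not None:
            wait = self.delay - (self.clock() - self.last_request)
            if wait > 0:
                self.sleep(wait)
        self.last_request = self.clock()
        body = fetch_fn(url)
        entry.update(action="fetched", bytes=len(body))
        self.audit_log.append(entry)
        return body
```

Persisting `audit_log` to append-only storage gives the record of what was collected, when, and from which URLs that the first bullet calls for.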
5) Prepare Customer‑Facing Disclosures
If scraped data will be displayed to your customers (e.g. price comparison, product specs), make sure your disclaimers and accuracy statements are clear and not misleading. Your Website Terms of Use can set expectations and limit liability appropriately (to the extent permitted by law).
6) Choose The Right Commercial Path
For ongoing, business‑critical data, a commercial licence or an API subscription is often safer than scraping. Licences reduce IP risk, improve reliability, and typically include service levels. If you’re providing access to your own data or platform, consider robust terms such as SaaS Terms and a clear Acceptable Use Policy for users or partners.
7) Key Documents To Have In Place
- Privacy Policy that covers sources (including public sources), lawful bases, and individual rights.
- Website Terms of Use with IP protection, acceptable use, disclaimers and liability clauses.
- Data Processing Agreement with each vendor that processes personal data for you.
- Data Sharing Agreement where you share datasets with other controllers.
- Supplier terms (or a licence) for any third‑party data sources or APIs you depend on.
Avoid using generic templates or copy‑pasting clauses - these documents need to reflect how your business actually collects and uses data to give you real protection.
Key Takeaways
- Scraping is the automated collection of online information. It can be lawful, but the details matter: what you collect, how you access it, and what you do with it.
- Watch for four main risk areas: contract terms, copyright and database rights, the Computer Misuse Act (unauthorised access), and marketing/consumer issues.
- If scraping involves personal data, UK GDPR and the Data Protection Act 2018 apply - have a lawful basis, be transparent, minimise data, and secure it. PECR rules apply to electronic marketing.
- To protect your own platform, combine technical controls with strong legals: clear Website Terms of Use, IP notices, an Acceptable Use Policy, and consistent enforcement.
- If you plan to use scraped data, prefer official APIs or licences for critical sources, complete a risk assessment (and DPIA where appropriate), and put the right contracts in place - including a Data Processing Agreement and Data Sharing Agreement where relevant.
- Set yourself up for success with a clear Privacy Policy, internal controls, and marketing practices that comply with UK email marketing laws.
If you’d like tailored advice on scraping and data use - or help drafting the documents mentioned above - you can reach our team on 08081347754 or team@sprintlaw.co.uk for a free, no‑obligations chat.


