
Is Web Scraping Legal? What B2B Sales Teams Need to Know (2026)

Last updated: April 24, 2026


Web scraping publicly accessible data is legal in the United States — but that one-sentence answer misses most of what B2B sales teams actually need to know. The legality shifts depending on what data you collect, whether it includes personal information, which jurisdictions your prospects are in, and whether you scraped it yourself or bought it from a vendor. Getting this wrong doesn't just create legal exposure. It gets your domain blacklisted, your data vendor contracts voided, and your outreach marked as spam before it reaches an inbox.

Key takeaways
  • Scraping publicly accessible data does not violate the US Computer Fraud and Abuse Act, per the 2022 Ninth Circuit ruling in hiQ v. LinkedIn.
  • GDPR applies to any personal data about EU residents regardless of where your company is based — 'legitimate interest' is the standard lawful basis in B2B, but it requires documentation.
  • Scraping LinkedIn directly violates their ToS and is actively enforced, even if the underlying legal question remains contested.
  • The safest and most scalable approach for B2B sales teams is intent-signal data from compliant third-party sources — not raw scraping.
  • What matters most for your pipeline is not whether you can scrape, but whether the data gives you a genuine switching signal. Firmographic data from job postings and technology-use signals is both more compliant and more actionable than contact scrapes.

What does the law actually say about web scraping?

The controlling US precedent is hiQ Labs, Inc. v. LinkedIn Corp., which the Ninth Circuit decided in 2022. The court held that scraping publicly accessible websites — pages that anyone can view without logging in — does not violate the Computer Fraud and Abuse Act (CFAA). The CFAA prohibits unauthorised access to computer systems. Because public web pages require no authorisation to view, scraping them is not "unauthorised access" under the statute.

That ruling was significant. Before hiQ, there was genuine legal uncertainty about whether large-scale scraping of public data could expose a company to federal criminal liability. That uncertainty is largely resolved for public data in the US. The legal risk that remains is narrower and more specific: accessing data behind authentication walls, circumventing technical access controls (like CAPTCHAs or rate limiting), or violating a site's terms of service in a way that creates a separate contractual claim.

Outside the US, the picture is more fragmented. The UK, EU, Canada, and Australia each have their own frameworks, and the question of whether scraping constitutes unfair data processing is decided independently of CFAA-style computer access law. A practice that's legal in the US can still be non-compliant under GDPR or the UK GDPR if personal data is involved.

"The CFAA does not apply to information that is publicly available. Scraping such information, therefore, does not violate the CFAA."

— Ninth Circuit Court of Appeals, hiQ Labs v. LinkedIn, 2022

Does GDPR apply to web scraping?

Yes — if the data includes personal information about people in the EU or UK, GDPR applies. It does not matter whether your company is based in California or Singapore. If you're collecting names, email addresses, job titles, or any other data that can identify a natural person who is in the EU, you are a data controller under GDPR and must satisfy its requirements.

The fact that the data was publicly posted does not make it exempt. Under GDPR Article 6, you need a lawful basis for processing personal data. In B2B sales contexts, most organisations rely on legitimate interest (Article 6(1)(f)) — the argument being that a company has a legitimate commercial interest in contacting relevant business prospects. But legitimate interest is not a blanket permission. It requires a documented Legitimate Interest Assessment (LIA) that demonstrates the processing is necessary, proportionate, and does not override the individual's rights.

The European Data Protection Board's guidelines on legitimate interest make clear that cold outreach to scraped personal data requires that individuals can reasonably expect to receive such contact given the context in which their data was published. A professional's name and employer on LinkedIn is a different context than their personal email address harvested from a forum post.

In practice, this means B2B sales teams targeting EU prospects should: (1) rely on compliant data vendors who have conducted their own GDPR assessments, (2) use business email addresses rather than personal ones where possible, (3) include a clear opt-out mechanism in every communication, and (4) honour deletion requests promptly. The UK ICO's guidance on B2B direct marketing is a useful practical reference even for non-UK teams, as it translates the regulation into operational decisions.

Can you legally scrape LinkedIn for B2B sales data?

This is the question most SDRs actually mean when they ask about web scraping legality — and the honest answer is: technically contested, practically inadvisable.

The hiQ ruling established that scraping LinkedIn's public pages does not violate the CFAA. LinkedIn cannot use federal computer fraud law to block scraping of data that any unauthenticated visitor can see. However, that ruling only addresses one narrow legal question. LinkedIn's position is multi-layered:

The practical result is that most data enrichment vendors who previously scraped LinkedIn directly have moved to alternative data sourcing — partnerships, user-contributed data, or signals derived from public sources outside LinkedIn. For sales teams, attempting to scrape LinkedIn directly is a fast way to get accounts suspended and data quality degraded. The higher-value signal for competitor intelligence isn't LinkedIn profiles anyway — it's job postings, technology-use data, and public product reviews, which are richer switching signals and less legally fraught.

What actually makes web scraping illegal?

The question is less "is web scraping legal" and more "what specific practices cross the line." The clearest risk factors are:

Accessing data behind authentication

Scraping content that requires a login — even if you have a valid account — is qualitatively different from scraping public pages. The CFAA's "exceeding authorised access" provision applies here. Using your personal LinkedIn account to programmatically extract data at scale almost certainly exceeds the access LinkedIn authorised when you agreed to their terms.

Circumventing technical access controls

Bypassing CAPTCHAs, rotating proxies to evade IP blocks, or using automated tools to defeat rate limiting are all actions that courts and regulators treat as evidence of unauthorised access. The intent to circumvent demonstrates awareness that the access is not permitted.

Collecting personal data without a lawful basis

In GDPR jurisdictions, scraping personal data — even from public sources — without a documented lawful basis and a compliant process for handling data subject requests creates regulatory exposure. The fines are real: under GDPR Article 83, serious violations carry penalties up to €20 million or 4% of global annual turnover, whichever is higher.

Misappropriating trade secrets or proprietary data

If a competitor's website includes pricing that they actively keep confidential, customer lists, or data that qualifies as a trade secret under applicable law, scraping it may create liability independent of computer access law.

What are compliant alternatives to web scraping for B2B sales?

For B2B sales teams, the goal of web scraping is almost always the same: find companies that fit your ICP and show buying signals. The good news is that the most actionable signals — technology use, hiring activity, recent funding, product reviews — are available through compliant data infrastructure without building or running a scraper yourself.

The most reliable signal for competitor intelligence is technology-use data derived from public sources: job postings that name a specific tool, G2 and Capterra reviews that mention a competitor, or vendor directories. A company that posts a job requiring "experience with [Competitor X]" is a confirmed active user. That signal is public, constantly refreshed, and requires no personal data processing — it's firmographic, not individual-level.

This is the approach behind tools like Stealery — you search a competitor name and get a list of companies currently using it, derived from public signals and filtered by size, location, and hiring activity. The output is a company-level list, not a personal data scrape, which means the GDPR exposure is categorically lower. What would take hours of manual research takes about 30 seconds, and the data is structured for outreach rather than requiring cleanup.

Other compliant data sources worth understanding:

What practical rules should B2B sales teams follow in 2026?

The law on web scraping and data compliance is still evolving, but the practical rules for B2B sales teams are stable enough to act on now.

Don't build your own scraper for personal data

The technical effort, legal exposure, and maintenance overhead of running a custom scraper targeting personal contact data is almost never worth it relative to using a compliant data vendor. The unit economics don't work, and the GDPR risk is real.

Vet your data vendors seriously

If a vendor can't clearly explain how they sourced their data, what their GDPR lawful basis is, and how they handle data subject requests, don't use them. Under GDPR, if your vendor is processing personal data on your behalf, you are jointly liable for their compliance failures as a data controller. Demand a Data Processing Agreement (DPA) from every vendor handling personal data of EU residents.

Prefer company-level signals over personal contact scrapes

The most actionable competitor intelligence — which companies are actively using a competitor's product — is firmographic, not personal. You don't need a specific person's email to build your target list. You need the company. Find the companies first, then use your existing enrichment stack to find the right contact at each one through compliant means.

Document your legitimate interest basis

If you're contacting EU-based prospects by cold email, you need a documented LIA on file. This doesn't need to be complex, but it does need to exist. Most B2B sales teams don't have one. Creating it takes a few hours and eliminates the clearest regulatory risk.

Stay current — this area moves fast

The hiQ precedent applies in the Ninth Circuit. Other circuits haven't necessarily followed it. State-level privacy laws — California's CPRA, Colorado's CPA, Virginia's CDPA — add another layer. The EU's ongoing enforcement actions against data brokers will continue to reshape what's commercially viable. The IAPP (International Association of Privacy Professionals) is the most reliable ongoing source for tracking how legal standards for data scraping are developing across jurisdictions.


Frequently asked questions

Web scraping publicly accessible data is generally legal in the US following the Ninth Circuit's hiQ v. LinkedIn ruling, which held that scraping public websites does not violate the Computer Fraud and Abuse Act. However, legality depends on what data you collect, how you use it, and whether the site's terms of service are contractually enforceable against you.
Yes. If you scrape personal data — names, email addresses, job titles — belonging to EU residents, GDPR applies regardless of where your company is based. You need a lawful basis for processing, and 'legitimate interest' is the most commonly used basis in B2B contexts, but it requires a documented balancing test.
Scraping LinkedIn directly violates their terms of service and has been actively litigated. While the hiQ ruling found that scraping public LinkedIn data does not violate the CFAA, LinkedIn continues to send cease-and-desist letters and block scraping at the network level. Most legal and compliance teams recommend using third-party data providers who have licensed or independently sourced this data instead.
Web scraping refers specifically to automated extraction of data from websites via HTTP requests and HTML parsing. Data scraping is a broader term that includes extracting data from any source — APIs, databases, documents, or web pages. In a legal context, the distinction matters: accessing data through a public API under documented terms is treated very differently from automated scraping that bypasses a site's access controls.
Scraping publicly visible information from competitor websites — pricing pages, customer logos, product listings — is generally legal in the US under hiQ precedent, provided you're not circumventing login walls, violating the CFAA, or misappropriating trade secrets. In the EU, you must also satisfy GDPR if any personal data is involved. Always review the site's terms of service and consult legal counsel before building automated scraping workflows.
