Is web scraping legal in the UK?
By SuLe · Updated 12 May 2026
There is no single UK law that makes web scraping legal or illegal — its lawfulness depends on a stack of overlapping rules, and the answer turns on what you scrape and how. The risk stack runs through UK GDPR, copyright and database right, the site's contract terms, and the Computer Misuse Act 1990.
Key facts
- There is no dedicated UK "scraping law"; legality depends on UK GDPR, copyright and database right, site terms, and the Computer Misuse Act 1990.
- Publicly available personal data is still personal data — the ICO has said scraping it needs a lawful basis.
- Substantial extraction from a protected database can infringe database right; copying protected content can infringe copyright.
- Bypassing access controls or scraping behind a login risks the unauthorised-access offence under the Computer Misuse Act 1990.
- Scraping public, non-personal factual data politely, without bypassing any access controls, is the low-risk end.
Is there one law that says whether scraping is legal?
No — and that is the single most important thing to understand. There is no dedicated UK scraping statute, so you cannot point to one rule for a yes or no. Legality emerges from how several separate laws apply to your specific activity.
That means the same tool can be lawful or unlawful depending on what it collects and how. Scraping public train times is a different legal question from scraping profiles behind a login.
Work through the stack below before you build a scraper into your product, because each layer can independently make the activity unlawful.
Does scraping personal data breach UK GDPR?
It can, and "it was already public" is not the get-out founders assume. Under UK GDPR, publicly available personal data is still personal data, and the ICO's guidance for organisations has been clear that scraping it needs a lawful basis.
So if your scraper collects names, contact details or profile information, you are processing personal data and must justify it — with a lawful basis, transparency, and the other UK GDPR duties that follow.
Transparency is genuinely hard here, because you rarely have a relationship with the people whose data you scraped. That difficulty is itself a signal to think twice before scraping personal data at all — compare what UK GDPR requires from an early-stage startup.
Can scraping infringe copyright or database right?
Yes. Two intellectual-property rules bite. Copying protected content — text, images, structured entries — can infringe copyright under the Copyright, Designs and Patents Act 1988.
Separately, UK law protects databases: substantial extraction from a protected database can infringe database right, independently of copyright. Many websites are, in law, structured databases, so pulling large volumes of their content is squarely within range.
Note that the UK's text-and-data-mining copyright exception covers non-commercial research only — there is no commercial TDM exception, so a startup scraping to build a product cannot rely on it.
When does scraping become a criminal offence?
At the point you bypass access controls. Scraping behind a login, defeating rate limits designed to block bots, or otherwise accessing what you were not authorised to access can amount to an offence under the Computer Misuse Act 1990.
That moves the issue from a civil dispute to potential criminal liability, which is a different order of risk for a founder. Accepting a site's terms through an account can also bind you contractually, adding a breach-of-contract claim on top.
The safest ground is narrow: genuinely public, non-personal factual data, collected politely, without bypassing any controls. Even there, read the site's terms and avoid taking a substantial part of a protected database.
| Risk layer | What triggers it | How to lower the risk |
|---|---|---|
| UK GDPR | Scraping personal data, even if public | Have a lawful basis; avoid personal data where possible |
| Copyright (CDPA 1988) | Copying protected text, images, content | Take only facts; don't reproduce protected content |
| Database right | Substantial extraction from a protected database | Limit volume; don't take a substantial part |
| Contract (site terms) | Terms accepted via account or click-wrap | Read the terms; respect prohibitions on scraping |
| Computer Misuse Act 1990 | Bypassing logins or access controls | Never scrape behind authentication you must defeat |
Worked example
Chloe's proptech startup wants a feed of rental listings to power a search tool. Her first plan is to scrape a large portal that requires an account, defeating its bot protections to reach the listings behind the login.
Her solicitor flags two problems: bypassing those access controls risks an offence under the Computer Misuse Act 1990, and the portal's structured listings are likely a protected database whose substantial extraction infringes database right — plus the account terms ban scraping. Chloe pivots. She licenses a listings feed from one source for £900 a month and, elsewhere, collects only genuinely public, non-personal price statistics at a gentle rate. The product ships on lower-risk footing, and she documents the approach for future due diligence.
Where founders go wrong
Believing "public means fair game"
— publicly available personal data is still personal data, and scraping it needs a lawful basis.Ignoring database right
— you can infringe by extracting a substantial part of a structured site even without copying creative content.Scraping behind a login
— defeating access controls can be a criminal offence under the Computer Misuse Act 1990, not just a terms breach.Relying on the TDM exception
— the UK text-and-data-mining exception is non-commercial research only, so it does not cover a commercial product.
Related questions
Is there a single UK law that bans web scraping?
No. There is no dedicated UK scraping law. Instead the legality depends on a stack of overlapping rules — UK GDPR, copyright and database right, the site's contract terms, and the Computer Misuse Act 1990 — so the answer turns on what you scrape and how.
Can I scrape personal data if it is publicly available?
Publicly available personal data is still personal data under UK GDPR. The ICO has said scraping it needs a lawful basis, so "it was public" is not a defence. You would need to justify the processing and meet transparency and other duties. [More: What does UK GDPR require from an early-stage startup?]
Does scraping breach copyright or database right?
It can. Substantial extraction from a protected database can infringe database right, and copying protected content can infringe copyright. Many websites are structured databases, so pulling large volumes of their content carries real risk.
Is scraping behind a login illegal?
It is the highest-risk end. Bypassing access controls or scraping behind a login can amount to unauthorised access under the Computer Misuse Act 1990, a criminal offence. Site terms accepted through an account can also bind you contractually.
What kind of scraping is lowest-risk?
Scraping genuinely public, non-personal factual data, politely and without bypassing any access controls, sits at the low-risk end. Even then, check the site's terms and avoid taking a substantial part of a protected database. [More: Can I train an AI model on customer or user data?]
Scraping sits at the intersection of data protection, IP and criminal law, and the line between clever growth hack and unauthorised access is not always obvious from the outside. A SuLe solicitor can pressure-test your data-collection plan against the whole risk stack before you build it in. Book a free consultation about your product's legals and get a regulated startup lawyer to review your scraping approach.
Keep reading: Can I train an AI model on customer or user data? · Can I legally use open-source code in my commercial product? · Who owns AI-generated code or content? · What does UK GDPR require from an early-stage startup? · Can I send cold emails under UK GDPR and PECR? · Do I need an AI use policy for my startup?
Primary sources: Copyright, Designs and Patents Act 1988 · ICO — For organisations (UK GDPR guidance incl. AI)


