Is web scraping legal in the UK?

By SuLe · Updated 12 May 2026

There is no single UK law that makes web scraping legal or illegal — its lawfulness depends on a stack of overlapping rules, and the answer turns on what you scrape and how. The risk stack runs through UK GDPR, copyright and database right, the site's contract terms, and the Computer Misuse Act 1990.

Get expert legal advice before you sign.

Book a free 20-minute call

Key facts

  • There is no dedicated UK "scraping law"; legality depends on UK GDPR, copyright and database right, site terms, and the Computer Misuse Act 1990.
  • Publicly available personal data is still personal data — the ICO has said scraping it needs a lawful basis.
  • Substantial extraction from a protected database can infringe database right; copying protected content can infringe copyright.
  • Bypassing access controls or scraping behind a login risks the unauthorised-access offence under the Computer Misuse Act 1990.
  • Scraping public, non-personal factual data politely, without bypassing any access controls, is the low-risk end.

Is there one law that says whether scraping is legal?

No — and that is the single most important thing to understand. There is no dedicated UK scraping statute, so you cannot point to one rule for a yes or no. Legality emerges from how several separate laws apply to your specific activity.

That means the same tool can be lawful or unlawful depending on what it collects and how. Scraping public train times is a different legal question from scraping profiles behind a login.

Work through the stack below before you build a scraper into your product, because each layer can independently make the activity unlawful.


Does scraping personal data breach UK GDPR?

It can, and "it was already public" is not the get-out founders assume. Under UK GDPR, publicly available personal data is still personal data, and the ICO's guidance for organisations has been clear that scraping it needs a lawful basis.

So if your scraper collects names, contact details or profile information, you are processing personal data and must justify it — with a lawful basis, transparency, and the other UK GDPR duties that follow.

Transparency is genuinely hard here, because you rarely have a relationship with the people whose data you scraped. That difficulty is itself a signal to think twice before scraping personal data at all — compare what UK GDPR requires from an early-stage startup.


Can scraping infringe copyright or database right?

Yes. Two intellectual-property rules bite. Copying protected content — text, images, structured entries — can infringe copyright under the Copyright, Designs and Patents Act 1988.

Separately, UK law protects databases: substantial extraction from a protected database can infringe database right, independently of copyright. Many websites are, in law, structured databases, so pulling large volumes of their content is squarely within range.

Note that the UK's text-and-data-mining copyright exception covers non-commercial research only — there is no commercial TDM exception, so a startup scraping to build a product cannot rely on it.


When does scraping become a criminal offence?

At the point you bypass access controls. Scraping behind a login, defeating rate limits designed to block bots, or otherwise accessing what you were not authorised to access can amount to an offence under the Computer Misuse Act 1990.

That moves the issue from a civil dispute to potential criminal liability, which is a different order of risk for a founder. Accepting a site's terms through an account can also bind you contractually, adding a breach-of-contract claim on top.

The safest ground is narrow: genuinely public, non-personal factual data, collected politely, without bypassing any controls. Even there, read the site's terms and avoid taking a substantial part of a protected database.

Risk layerWhat triggers itHow to lower the risk
UK GDPRScraping personal data, even if publicHave a lawful basis; avoid personal data where possible
Copyright (CDPA 1988)Copying protected text, images, contentTake only facts; don't reproduce protected content
Database rightSubstantial extraction from a protected databaseLimit volume; don't take a substantial part
Contract (site terms)Terms accepted via account or click-wrapRead the terms; respect prohibitions on scraping
Computer Misuse Act 1990Bypassing logins or access controlsNever scrape behind authentication you must defeat

Worked example

Chloe's proptech startup wants a feed of rental listings to power a search tool. Her first plan is to scrape a large portal that requires an account, defeating its bot protections to reach the listings behind the login.

Her solicitor flags two problems: bypassing those access controls risks an offence under the Computer Misuse Act 1990, and the portal's structured listings are likely a protected database whose substantial extraction infringes database right — plus the account terms ban scraping. Chloe pivots. She licenses a listings feed from one source for £900 a month and, elsewhere, collects only genuinely public, non-personal price statistics at a gentle rate. The product ships on lower-risk footing, and she documents the approach for future due diligence.


Where founders go wrong

  • Believing "public means fair game"

    — publicly available personal data is still personal data, and scraping it needs a lawful basis.
  • Ignoring database right

    — you can infringe by extracting a substantial part of a structured site even without copying creative content.
  • Scraping behind a login

    — defeating access controls can be a criminal offence under the Computer Misuse Act 1990, not just a terms breach.
  • Relying on the TDM exception

    — the UK text-and-data-mining exception is non-commercial research only, so it does not cover a commercial product.

Related questions

Is there a single UK law that bans web scraping?

No. There is no dedicated UK scraping law. Instead the legality depends on a stack of overlapping rules — UK GDPR, copyright and database right, the site's contract terms, and the Computer Misuse Act 1990 — so the answer turns on what you scrape and how.

Can I scrape personal data if it is publicly available?

Publicly available personal data is still personal data under UK GDPR. The ICO has said scraping it needs a lawful basis, so "it was public" is not a defence. You would need to justify the processing and meet transparency and other duties. [More: What does UK GDPR require from an early-stage startup?]

Does scraping breach copyright or database right?

It can. Substantial extraction from a protected database can infringe database right, and copying protected content can infringe copyright. Many websites are structured databases, so pulling large volumes of their content carries real risk.

Is scraping behind a login illegal?

It is the highest-risk end. Bypassing access controls or scraping behind a login can amount to unauthorised access under the Computer Misuse Act 1990, a criminal offence. Site terms accepted through an account can also bind you contractually.

What kind of scraping is lowest-risk?

Scraping genuinely public, non-personal factual data, politely and without bypassing any access controls, sits at the low-risk end. Even then, check the site's terms and avoid taking a substantial part of a protected database. [More: Can I train an AI model on customer or user data?]


Scraping sits at the intersection of data protection, IP and criminal law, and the line between clever growth hack and unauthorised access is not always obvious from the outside. A SuLe solicitor can pressure-test your data-collection plan against the whole risk stack before you build it in. Book a free consultation about your product's legals and get a regulated startup lawyer to review your scraping approach.

Keep reading: Can I train an AI model on customer or user data? · Can I legally use open-source code in my commercial product? · Who owns AI-generated code or content? · What does UK GDPR require from an early-stage startup? · Can I send cold emails under UK GDPR and PECR? · Do I need an AI use policy for my startup?

Primary sources: Copyright, Designs and Patents Act 1988 · ICO — For organisations (UK GDPR guidance incl. AI)

AI-generated content. General information, not legal advice.