09/06/2023

Global Privacy Regulators Warn About Data Scraping: What To Know

On August 24, 2023, twelve international data protection and privacy regulators announced a joint statement (the “Statement”) on their global expectations for social media companies and providers of websites to safeguard against unlawful data scraping. The jurisdictions that have promulgated the Statement are the United Kingdom, Australia, Canada, China, Switzerland, Norway, New Zealand, Colombia, Jersey, Morocco, Argentina, and Mexico. The Statement appears to respond to the increased use of data scraping technology and reiterates guidance previously provided by some regulators.

The Statement requests feedback from social media companies by September 24, 2023, where such feedback should include overviews on how social media platforms currently comply or intend to comply with the Statement.

What is Data Scraping?

Data scraping involves the automated extraction of data from the internet. “Data” can include personal information that is publicly accessible. Crucially, under most comprehensive data privacy laws around the world, all personal information is subject to protection, even where the personal information at issue is publicly available.

The adoption of the Statement appears to be in response to the sharp rise in data scraping technologies being used to collect and process vast amounts of individuals’ personal information from the internet. Data scraping is a particularly common practice for training AI models, where the scraped data is used as training data. The Statement is primarily concerned with encouraging social media website providers to take steps to prevent third parties from engaging in illegal data scraping activities on their websites. Oftentimes, third parties engage in these data scraping activities by creating fake accounts or “bots” on a social media website, where the bots then run software to collect personal data from real accounts on the website.

Potential Risks of Data Scraping

The use of data scraping technologies can give rise to potential risks and concerns regarding the protection of users’ information. Privacy concerns arising out of data scraping include:

• Targeted cyberattacks (i.e., social engineering and phishing).
• Identity fraud.
• Monetization through reselling data to third party websites like malicious actors, private analysis, or intelligence gathering (by foreign governments or intelligence agencies).
• Monitoring, profiling, and surveilling individuals (i.e., facial recognition databases and providing authorized access to authorities).
• Unwanted direct marketing or spam.

Takeaways of the Statement

The Statement provides some key takeaways detailing how companies and sites with user information can protect themselves:

• Publicly accessible personal information is still subject to data protection and privacy laws in most jurisdictions; consequently, website providers should take all steps to protect publicly accessible personal information as they would for any other kind of personal information.
• Website providers should be aware that mass data scraping operations that collect personal information may constitute reportable data breaches in some jurisdictions.
• Individuals should be empowered to take steps to protect their personal information from data scraping. Pursuant to that principle, social media companies play a role in enabling users to engage with their services in a privacy-protective manner.

How to Protect Users’ Information from Data Scraping

The Statement outlines protective measures that social media companies and other website operators can implement to mitigate risks from data scraping, including:

• Having designated in-house team/roles focused on data scraping risks.
• Rate limiting the number of visits per hour or day by accounts to other account profiles.
• Monitoring how quickly and aggressively a new account can search for other users and taking steps to respond to abnormal activity.
• Taking steps to detect bots and blocking IP addresses where data scraping activity is identified.
• Taking appropriate legal action against data scrapers.
• Requiring the deletion of scraped information.
• Having a requirement to notify affected individuals and privacy regulators under existing data breach laws.

Individual users can also take steps to protect their personal information, including:

• Reading the policies provided by social media companies or other websites about how they share personal information.
• Thinking about the amount and kinds of information they share with website providers.
• Understanding and managing privacy settings.

The Statement does not outline specific punishments if website providers do not comply with the Statement and its recommendations to protect users’ information, though the Statement does acknowledge that the Statement could be legally binding upon website providers, depending upon the laws of individual jurisdictions that have promulgated the Statement. For businesses with a presence in any of the jurisdictions that are parties to the Statement, a thorough analysis of applicable laws will likely be necessary to determine whether the Statement is legally binding in any given jurisdiction.

Contact one of the privacy experts in McGrath North’s Privacy Cybersecurity team for all your questions related to data scraping and the guidance promulgated by privacy regulators around the world.