Is Scraping LinkedIn Legal in 2026? hiQ, Van Buren, ToS, and Public Data
Search this question and you will find confident answers in both directions. "Courts ruled scraping LinkedIn is legal." "LinkedIn sues scrapers and wins." Both cite real cases. Both are misleading, because they collapse a genuinely layered legal picture into a slogan.
The honest answer is that "scraping LinkedIn" is not one legal question but at least four, and clearing one does not clear the others. This article walks each of them — the computer-access law, the terms of service, the privacy regime, and the surrounding torts — using the actual cases, and it is careful about what those cases did and did not establish. The aim is to leave you able to reason about your specific use, not to hand you a false blanket answer.
This is informational, not legal advice. Web-scraping law is unsettled and jurisdiction-specific. For anything you plan to run at scale, talk to a qualified lawyer about your facts.
TL;DR: There is no blanket "it's legal." In the US Ninth Circuit, scraping public data generally is not a CFAA violation (hiQ, after Van Buren) — but the same act can still breach LinkedIn's terms of service, violate GDPR/CCPA for personal data, or trigger other claims. hiQ won the CFAA point and lost on contract, then settled. Legality depends on what you collect, how (logged-out vs fake accounts), where, and what you do with it. Full map below.
Four legal fronts, not one
The reason there is no simple answer is that scraping sits at the intersection of four separate bodies of law. Each has its own test, and you have to pass all of them:
| Front | The question it asks | Public-data status (US) |
|---|---|---|
| CFAA (computer-access crime) | Did you access a computer "without authorization"? | Public pages: generally no violation |
| Contract / Terms of Service | Did you breach the site's user agreement? | Scraping can be a breach, even of public data |
| Privacy law (GDPR/CCPA) | Are you processing personal data lawfully? | "Public" is not a blanket exemption |
| Torts & IP | Trespass to chattels, misappropriation, copyright? | Fact-specific; can apply |
Most "is it legal" arguments online are really about just the first row — and they treat a win there as a win everywhere. It isn't. The cases below show exactly how a scraper can be right about the CFAA and still lose.
hiQ v. LinkedIn: won the point, lost the war
The hiQ Labs v. LinkedIn saga is the case everyone cites, usually for only half of it. Here is the full arc:
| Stage | When | What happened |
|---|---|---|
| 9th Circuit (I) | 2019 | Scraping public profiles likely not a CFAA violation — "no gates to lift or lower." |
| Supreme Court | 2021 | Vacated and remanded for reconsideration under Van Buren. |
| 9th Circuit (II) | 2022 | Reaffirmed: public-data scraping still likely not a CFAA violation. |
| District court | Nov 2022 | hiQ breached LinkedIn's User Agreement — via automated scraping and creating fake accounts. |
| Settlement | Dec 2022 | Case ends: permanent injunction, hiQ deletes scraped data, pays LinkedIn $500,000. |
So the accurate summary is this: hiQ won the CFAA/public-data question at the appeals court — a genuinely important precedent — and then lost on breach of contract at the district court, because it had agreed to LinkedIn's User Agreement and violated it (and had used fake accounts). The case ended in a settlement, not a triumphant vindication.
Two things to carry forward. First, a website's terms prohibiting scraping are enforceable as a contract claim, independent of the CFAA. Second — and this is widely misreported — the CFAA "stipulation" in the final settlement was a private agreement between the parties and is not legal precedent. The case did not make scraping a CFAA crime.
Van Buren: how the CFAA narrowed
The reason hiQ's CFAA position held up is Van Buren v. United States (2021), a Supreme Court decision that reshaped the whole statute. A police officer had looked up a license plate in a database he was allowed to use, but for a corrupt purpose. The government said that "improper purpose" made his authorized access a federal crime. The Court, 6–3, disagreed.
The holding introduced the "gates-up-or-down" test: you "exceed authorized access" only when you obtain information from areas of a system that are off-limits to you — not when you access information you are allowed to reach but for a disfavored reason. Applied to scraping, the logic is direct: a public web page has no gate, so reading it is not access "without authorization."
But note the boundary the Court expressly left open: it did not decide whether a site's terms of service alone can define the limits of "authorization." That open question is precisely why the fight moved from the CFAA to contract law — and why the terms-of-service front below is the one that actually decides most disputes.
Meta v. Bright Data: logged-out public data
The most recent data point is Meta Platforms v. Bright Data (N.D. Cal., 2024). Meta sued the data-collection firm Bright Data for scraping public Facebook and Instagram data; the court granted summary judgment for Bright Data on Meta's breach-of-contract claims.
The pivotal distinction was logged-in versus logged-out. Meta's terms govern what a user does while logged into an account; they do not prohibit scraping public data while logged out, nor selling that public data. The purpose of the terms, the court reasoned, was to stop account holders from abusing their access — not to bar collection of public information by someone not using an account at all.
It is a helpful signal for the logged-out, public-data approach — but keep it in proportion. It is a district-court ruling, specific to Meta's particular terms wording, and about contract rather than a sweeping declaration that "scraping is legal." It strengthens the pattern; it does not settle the field.
The terms-of-service front
This is the front that actually decides most LinkedIn disputes, and it is the one the "it's legal" takes ignore. LinkedIn's User Agreement prohibits scraping, bots, and copying profile data, and courts have treated those terms as enforceable. That means violating them is a breach-of-contract exposure even when the data is public and the CFAA does not apply.
How LinkedIn actually wins is instructive. In January 2025 it sued a well-known LinkedIn data provider, alleging the company ran hundreds of thousands of fake accounts and made vast numbers of automated requests to harvest member data. The case settled in mid-2025 with a court-entered permanent injunction to delete the scraped data and stop, and the provider shut down. LinkedIn's winning theory there was not "public scraping is a CFAA crime" — it was contract breach plus the fake accounts. The lesson: the legal danger concentrates around how you collect (fake accounts, logged-in automation, defeating technical barriers), far more than the raw fact of reading public data.
The privacy front (GDPR & CCPA)
Even a perfectly clean, logged-out, public-only collection method runs into a separate body of law the moment the data is about people. A LinkedIn profile is personal data, and under the GDPR, "publicly available" is not a blanket exemption.
European regulators have made this concrete. They have issued significant fines against companies that built datasets by scraping public personal data — the facial-recognition firm Clearview AI drew multi-million-euro penalties from several EU authorities, and France's CNIL has penalized a company that scraped contact data from public professional profiles. The through-line: collecting personal data of people in the EU triggers GDPR obligations (lawful basis, transparency, individual rights) regardless of the data having been public. In the US, California's CCPA imposes its own rules, and its "publicly available" carve-out is narrower than many assume.
Practically, this makes the content of what you collect the biggest risk lever. Company firmographics — size, industry, headquarters — carry far less privacy weight than the personal profiles of named individuals. If you can accomplish your goal with company-level data, you sidestep most of this front entirely.
What this means in practice
Put the four fronts together and a usable mental model emerges. Legality is not a property of "scraping LinkedIn" in the abstract; it is a function of four variables:
- What you collect — public company data is far lower-risk than personal profile data, which pulls in privacy law.
- How you collect it — reading public pages logged-out is on the strongest footing; creating fake accounts, automating a logged-in session, or defeating technical barriers is where scrapers actually lose.
- Where you and your subjects are — EU personal data triggers GDPR; California triggers CCPA; the CFAA analysis is US-specific and strongest in the Ninth Circuit.
- What you do with it — internal analysis differs from building and reselling an aggregated database of member profiles, which terms and privacy law treat most harshly.
The honest bottom line: public-data scraping generally survives the CFAA, but that is only one of four fronts. The same act can still be a contract breach, a privacy violation, or a tort. There is no jurisdiction-wide rule that "scraping LinkedIn is legal," and any source that tells you otherwise is selling a simplification.
Where a public-data API stands
It is fair to ask where a tool like ours fits, so here it is plainly. Serpent's LinkedIn API reads only publicly available data, uses no LinkedIn login, cookie, or credential, and does not create accounts — you send a public URL or identifier and your own API key. That posture sits on the cleaner side of every front above: it is the logged-out, public-data model the CFAA cases favor, it avoids the fake-account conduct that has sunk other providers, and its richest dataset is company-level firmographics rather than personal profiles.
But a clean collection method is not a compliance guarantee, and we will not pretend it is. You remain responsible for honoring applicable terms and for privacy-law compliance in how you store and use what you collect — especially any personal data. An API can keep your method clean; it cannot make your particular use lawful on your behalf. If you are choosing an approach, our companion piece on the official API versus public-data APIs covers the technical trade-offs alongside this legal one.
Read public LinkedIn data on the cleaner side of the line
Company firmographics, public job postings, and profile basics as structured JSON — public data only, no login, no credentials, no fake accounts. One REST endpoint and one key. You stay responsible for your use; we keep the method clean.
Get Your Free API KeyExplore: LinkedIn API · Social Media APIs · Pricing
FAQ
Is scraping LinkedIn legal?
There is no single yes-or-no answer, and anyone who gives you one is oversimplifying. In the US Ninth Circuit, scraping publicly available data generally does not violate the Computer Fraud and Abuse Act (CFAA) — that is the core holding of hiQ v. LinkedIn after Van Buren. But the same activity can still breach LinkedIn's terms of service (a contract claim), violate privacy law like GDPR or CCPA for personal data, or trigger other claims. Legality depends on what you collect, how, from where, and what you do with it. This article is informational, not legal advice.
Did hiQ win its case against LinkedIn?
Partly, and the nuance matters. hiQ won the headline question: the Ninth Circuit held that scraping public LinkedIn profiles likely does not violate the CFAA, both in 2019 and again in 2022 after Van Buren. But in November 2022 a district court found hiQ had breached LinkedIn's User Agreement — through automated scraping and by creating fake accounts — and the case ended in a settlement where hiQ agreed to a permanent injunction, deleted its scraped data, and paid LinkedIn $500,000. So hiQ won the CFAA point but lost on contract and settled.
Is scraping public data a crime under the CFAA?
Generally no, for genuinely public pages. After Van Buren v. United States (2021), CFAA liability turns on a "gates-up-or-down" test: you exceed authorized access only when you get into areas that are off-limits to you, not when you access open information for a disfavored purpose. Public web pages have no access gate, so reading them is generally not a CFAA violation. This changes if you log in with fake accounts, bypass technical barriers, or access members-only areas — that can put the gate "down" and revive CFAA exposure.
Does GDPR apply to scraping public LinkedIn profiles?
Yes. A LinkedIn profile is personal data, and "publicly available" is not a blanket exemption under the GDPR. European regulators have treated scraping public personal data as a serious violation and issued significant fines against companies that built datasets from public profiles. If you collect or process personal data of people in the EU, GDPR obligations apply regardless of the fact that the data was public, and CCPA imposes its own, narrower rules in California. Personal data is where the biggest compliance risk sits.
Is it legal to use a LinkedIn data API?
A public-data API that reads only publicly available information, uses no login or credentials, and does not create fake accounts sits on the cleaner side of every one of these legal fronts — but it does not make you immune. You are still responsible for honoring applicable terms, and for privacy-law compliance in how you store and use the data, especially personal data. The right posture is to treat an API as a tool that keeps your collection method clean while you remain accountable for your specific use. This is informational, not legal advice — consult a lawyer for your situation.



