ICO Joint Statement on Data Scraping and the Protection of Privacy

On August 24, the Information Commissioner’s Office (ICO) issued a joint statement in conjunction with 11 other global authorities responsible for data protection and privacy on data scraping. Data scraping is the process of extracting data from online sources, including social media platforms and websites that host publicly accessible personal information. Scraped personal information is valuable and can be monetized through reuse on third-party websites, sale to malicious actors, or use for private analysis or intelligence gathering. This can result in serious risks to the individuals concerned. 

The ICO’s statement underscored how data scraping has increasingly created significant privacy concerns that may constitute reportable data breaches and lead to exploitation through identity fraud, targeted cyberattacks or unsolicited direct marketing spam. It highlighted that even where personal information is publicly available, it is still subject to data protection and privacy laws in most jurisdictions. Social media companies should be aware that they have obligations to protect that data and could be liable for breaches.

The joint statement recommended that social media platforms and other websites implement multi-layered technical and procedural controls to reduce potential privacy breaches from data scraping. Possible controls may include appointing a team responsible for detecting, monitoring and addressing data scraping activities and blocking suspicious IP addresses. The statement further suggested safeguards that individuals can adopt to minimize the risk of unlawful use of their personal information, including always reading privacy notices provided by social media companies (or other websites) to see how they use personal information, thinking about the personal information shared online, and taking time to understand how to manage privacy settings.