Is Scraping Instagram Legal?
- Scraping public, logged-out Instagram data is largely legal in the US. In Meta v. Bright Data (Jan 2024), a federal court held that Meta's terms do not bar logged-off scraping of public data.
- The legality turns on access. Logging in, using fake accounts, or bypassing the login wall pulls you under Meta's contract and the CFAA. Public pages anyone can view without an account are the safe zone.
- Instagram's terms still prohibit automated collection without permission. Breaking them is a contract and policy matter, separate from whether scraping is a crime.
- Personal data carries its own rules. GDPR, the EU AI Act, and CCPA apply to what you collect about people, even when the page is public. Clearview AI was fined 30.5M EUR for scraped face data.
I get asked whether scraping Instagram is legal more than any other question, usually right before someone is about to build a pipeline they have already half-committed to. The honest answer is that “is scraping Instagram legal” has two layers that people collapse into one: what a court will treat as lawful, and what Instagram’s own terms permit. Those are not the same thing, and the gap between them is where most of the confusion lives.
I build Instagram data pipelines for a living, so I have read the rulings, the terms, and the regulator decisions that decide this. Below I walk through the actual US case law, what Meta’s terms say about scraping, where the line sits between public and private data, the ethical considerations, and how GDPR and the EU AI Act change the picture once you are collecting information about real people. So can you scrape Instagram safely? In most US cases involving public data, yes, with the qualifiers I lay out here, though this is not legal advice, just what the primary sources actually say, with links so you can check each claim yourself.
Is scraping Instagram legal in the US?
Scraping Instagram is largely legal in the US when you collect public data without logging in. The controlling authority is Meta Platforms, Inc. v. Bright Data Ltd., decided in the Northern District of California on January 23, 2024, where Judge Edward Chen granted summary judgment for Bright Data and held that “the Facebook and Instagram Terms do not bar logged-off scraping of public data.”
The court’s reasoning is the part worth understanding, because it tells you exactly where the legal line falls. Meta’s terms govern “your use” of its products, and the judge concluded that Bright Data “did not ‘use’ Facebook and Instagram when it engaged in public logged-off scraping.” In other words, viewing and collecting public Instagram pages as an anonymous visitor is not the kind of account “use” that Meta’s contract regulates. Meta would have needed to prove Bright Data scraped while logged into an account for the terms to apply, and on the public logged-off activity it could not.
That ruling sits on top of an earlier and broader one. In hiQ Labs v. LinkedIn, the Ninth Circuit held that scraping publicly accessible data does not violate the Computer Fraud and Abuse Act, because there is no “unauthorized access” where no login is required and the site has “erected no gates” to bypass. The court reaffirmed that position in April 2022 after the Supreme Court’s narrow CFAA reading in Van Buren. Together these cases form the backbone of why public Instagram scraping is defensible in the US.
Here is how the main US legal theories map onto Instagram scraping:
| Legal theory | Applies to public logged-out scraping? | What triggers it |
|---|---|---|
| CFAA (unauthorized access) | Generally no | Logging in, bypassing a login wall, using credentials you lack |
| Breach of contract (Meta terms) | Generally no per Bright Data | Scraping while logged into an account |
| Trespass to chattels | Rarely, fact-specific | Server load or damage, as raised in hiQ on remand |
| Copyright | Possible | Republishing photos or videos wholesale |
The one caveat I always flag: a court has decided the logged-off question in Meta’s own backyard, but case law evolves and lower-court rulings can be appealed. The pattern across hiQ, Bright Data, and related decisions is consistent enough that I treat public logged-out scraping as low risk in the US, with the qualifiers below. The next question is what Instagram itself says, because being legal and being permitted are separate things.
Does Instagram allow scraping in its terms of service?
Instagram does not allow scraping in its terms. Meta’s main Terms of Service state: “You may not access or collect data from our Products using automated means (without our prior permission) or attempt to access data you do not have permission to access.” That language is explicit, and it covers scrapers, bots, and crawlers regardless of the legal analysis above.
Meta backs the main terms with a dedicated Automated Data Collection Terms document that goes further. It says you “will not engage in Automated Data Collection without first obtaining Meta’s express written permission,” and it spells out that accepting the terms is not itself that permission. Meta defines Automated Data Collection broadly, covering web scrapers, bots, robots, spiders, crawlers, and user-agents that navigate or index its surface-layer pages. If you want a clause-by-clause read of how this applies, I break it down in my Instagram Terms of Service and platform policy on scraping guide.
So how do the Bright Data ruling and these terms coexist? The ruling decided that the terms bind people who are logged in and “using” an account, and they do not reach an anonymous visitor scraping public pages. The terms still exist and still prohibit the practice as a matter of policy. The practical consequences live outside the courtroom:
| Consequence | Who it applies to | Source |
|---|---|---|
| Account suspension or disablement | Logged-in scrapers, accounts tied to scraping | Meta combats scraping |
| Rate limits and IP blocks | Any client hitting Instagram too fast | Meta enforcement |
| Cease-and-desist letter | Named operators at scale | Pattern seen in hiQ, Bright Data |
| Loss of API access | Registered Graph API apps | Meta Platform Terms |
This is why I separate “legal” from “against the rules” every time. You can be on solid legal ground for public logged-out scraping and still get your accounts disabled and your IPs blocked, because those are Meta’s enforcement levers that operate outside any courtroom. Keeping that block risk low is its own technical discipline, which I cover in how to avoid getting blocked scraping Instagram. The bigger legal divide, though, is between public and private data.
What is the difference between scraping public and private Instagram data?
The difference between public and private Instagram data is the single most important factor in whether scraping is legal. Public data is anything a logged-out visitor can see: a public profile’s bio, follower counts, public posts, captions, and public hashtags. Private data is anything behind the login wall or a private account, including direct messages, private-account content, and a user’s email unless they chose to display it publicly.
Every favorable US ruling is about public data. hiQ and Bright Data both turned on the data being openly accessible without authentication. The moment you cross into private data, you lose the protection those cases give and you pick up new exposure. Scraping private content usually means logging in, which puts you back under Meta’s terms, or circumventing the login wall, which is exactly the “bypassing a barrier” that can revive a CFAA claim.
Here is how I categorize Instagram data by risk before any project starts:
| Data type | Public or private | Legal risk | Notes |
|---|---|---|---|
| Public profile bio, follower count | Public | Low | Visible logged-out, core of Bright Data protection |
| Public posts, captions, hashtags | Public | Low | Public-facing; copyright applies if republished |
| Private account content | Private | High | Behind a follow approval; needs login to reach |
| Direct messages | Private | Very high | Never public; access implies credentials |
| Emails and contact details | Mixed | High under GDPR | Personal data even when shown publicly |
The “mixed” row is the one that catches people. An email shown on a public business profile is technically public, but it is still personal data the moment it identifies a person, and that pulls in privacy law no matter how the US contract and CFAA questions resolve. Lead and email scraping is the highest-risk category I work with, and I keep the tooling discussion in my Instagram email and lead scraper breakdown. The privacy dimension deserves its own section, because it is governed by an entirely separate body of law.
Is scraping Instagram legal under GDPR and EU law?
Scraping Instagram personal data on EU residents is legal under GDPR only if you have a lawful basis and pass the balancing test, which is a far higher bar than the US public-data rules. GDPR applies to personal data of people in the EU regardless of where your company sits, so a US-based scraper collecting data on European users is squarely in scope.
A public profile does not equal consent. Regulators have been explicit that making information visible does not authorize anyone to process it. The most common lawful basis people reach for is legitimate interest under Article 6(1)(f), and both the UK’s ICO and France’s CNIL have addressed it directly. The ICO’s position on the lawful basis for web scraping and the CNIL’s focus sheet on data collection by web scraping both say legitimate interest can work, but only after a full balancing exercise and with concrete safeguards: precise collection criteria, excluding sites that object, and deleting irrelevant data promptly.
The enforcement record shows what happens when those safeguards are missing. The Dutch Data Protection Authority fined Clearview AI 30.5 million EUR in September 2024 for building a facial recognition database from images scraped across the web, holding over 50 billion face images. That fine is the clearest signal that scraping personal data at scale, without a lawful basis, carries real financial risk in Europe.
EU law tightened further in 2025 and 2026. The EU AI Act, Article 5(1)(e) now bans outright “the placing on the market, the putting into service for this specific purpose, or the use of AI systems that create or expand facial recognition databases through the untargeted scraping of facial images from the internet or CCTV footage.” This prohibition became enforceable in February 2025, with penalties up to 35 million EUR or 7% of global turnover. Scraping Instagram photos to build a face-recognition dataset is no longer a gray area in the EU; it is prohibited.
A quick map of the privacy regimes that can apply to Instagram scraping:
| Regime | Region | What it governs | Key point |
|---|---|---|---|
| GDPR | EU / EEA | Personal data of EU residents | Public visibility is not consent; needs lawful basis |
| EU AI Act Art. 5(1)(e) | EU | Facial recognition databases | Untargeted face scraping banned outright |
| UK GDPR / DPA | UK | Personal data of UK residents | ICO requires legitimate-interest test |
| CCPA / CPRA | California | Personal information | Public-record and lawfully-public info exempted |
US privacy law is more permissive here. Under the CCPA, “publicly available information” is exempted from the definition of personal information, including data a consumer has made available to the general public. That exemption is one reason US-focused public scraping faces less privacy friction than the same activity touching EU residents. The split between US and EU rules is sharp enough that I treat them as two separate compliance questions, which leads to how I actually keep projects clean.
How do you scrape Instagram legally and ethically?
You scrape Instagram legally and ethically by staying on public data, staying logged out, respecting personal-data law, and not overcollecting. These are the rules I apply to my own pipelines, and each one tracks directly to a specific piece of case law or regulator guidance above. They also fold the ethical considerations into the same checklist, so the legal risks and the ethical risks shrink together.
- Collect only public, logged-out data. This keeps you inside the Bright Data and hiQ protections and out of Meta’s contract terms. If reaching the data requires a login, treat it as off-limits.
- Do not bypass the login wall or use fake accounts. Circumventing a technical barrier is what revives CFAA exposure, and fake-account use was part of why hiQ ultimately lost on the breach-of-contract claim and faced a $500,000 judgment.
- Minimize personal data. Overcollection is the most common GDPR failure. Collect the fields you actually need and drop the rest, exactly as the CNIL guidance recommends.
- Never build a facial recognition dataset from scraped images. This is now a prohibited practice under the EU AI Act, full stop.
- Throttle and cache. Hammering Instagram raises both the block risk and any trespass-to-chattels argument about server load. A steady, human-like rate is safer on every axis.
- Get legal review for commercial or EU-facing projects. The US public-data rules do not clear you under GDPR, and a lawyer who knows your jurisdiction is worth more than any blog post, including this one.
The ethical core under all of this is restraint: take what is public, take only what you need, and do not turn public visibility into surveillance. That principle is also what keeps you on the right side of the regulators tightening the rules each year.
There is one more practical point that affects compliance directly. A maintained API collects public data for you without ever logging in with your own account, which keeps your collection on the public, logged-out path that the courts have protected. In my runs against ChocoData’s Instagram endpoint, a single request returned public profile data as clean JSON without any login or credentials of mine attached to the request:
curl "https://chocodata.com/api/v1/instagram/profile?username=nasa&api_key=$CHOCO_API_KEY"
The Python shape is the same, and it returns public profile fields ready to load into your own storage:
import requests
resp = requests.get(
"https://chocodata.com/api/v1/instagram/profile",
params={"username": "nasa", "api_key": "YOUR_CHOCO_API_KEY"},
timeout=30,
)
profile = resp.json()
print(profile)
Because the request targets a public profile and carries no account login of yours, it stays on the logged-off public-data path that the Bright Data ruling protected. Meta’s terms reach the logged-in path, and this request never touches it. You can get an API key on the ChocoData sign-up page and swap it into the snippet above. When you are comparing managed options for this kind of collection, I rank them head to head in my best Instagram scrapers and APIs in 2026 roundup, and I cover the language and library choices in my guide on how to scrape Instagram with Python.
FAQ
Is it legal to scrape Instagram in 2026?
Scraping publicly visible Instagram data without logging in is largely legal in the United States as of 2026. The leading authority is Meta Platforms v. Bright Data (N.D. Cal., January 2024), where the court held that Meta's Facebook and Instagram terms do not bar logged-off scraping of public data. Scraping while logged in, behind the login wall, or using fake accounts is a different question and carries real contract and CFAA risk. Non-US laws like GDPR add separate obligations for personal data.
Does Instagram allow scraping?
No. Instagram and its parent Meta do not allow scraping. Meta's terms state you may not access or collect data using automated means without prior permission, and the separate Automated Data Collection Terms require express written permission first. Allowing it in policy and being legal are two different things: a US court found those terms do not reach logged-off public scraping, but the policy still bans the practice and Meta can rate-limit, block, or disable accounts that scrape.
Can you scrape data from Instagram without breaking the law?
You can scrape public Instagram data in the US with a low legal risk if you stay logged out, collect only data any visitor could see, avoid bypassing the login wall, and do not republish private or copyrighted material wholesale. The risk rises sharply once you log in, scrape personal data on EU residents without a lawful basis under GDPR, or build a facial recognition dataset, which the EU AI Act now bans outright.
Does scraping Instagram violate the CFAA?
Scraping public, logged-out Instagram pages generally does not violate the Computer Fraud and Abuse Act. After the Ninth Circuit's ruling in hiQ v. LinkedIn, accessing data that is open to the public with no login required is not 'unauthorized access' under the CFAA. The analysis changes if you scrape behind a login, ignore a technical block you have to circumvent, or use credentials you are not entitled to.
Is scraping Instagram for email and lead generation legal?
Scraping public business contact details can be lawful, but lead scraping is where privacy law bites hardest. Emails and names are personal data under GDPR, so collecting them on EU residents needs a lawful basis and the balancing test regulators now require. The Dutch DPA fined Clearview AI 30.5M EUR for building a database from scraped images. I treat email and lead data as the highest-risk category and cover the tooling separately in my Instagram email and lead scraper guide.