Various members of the Global Privacy Assembly’s International Enforcement Cooperation Working Group (IEWG) issued a joint statement voicing concerns about what it described as unlawful scraping of publicly available personal information. In its effort to protect individuals from having their data unlawfully collected, the group addressed the social media companies and other websites (“SMCs”) that are often the targets of scraping rather than focusing on the data scrapers and their practices. Specifically, the IEWG detailed steps that SMCs could take to protect their users’ personal information from scraping and advised the sites’ users to be proactive about protecting the privacy of their data.
Data protection authorities (DPAs) in the EU have brought notable enforcement actions against entities scraping publicly available personal information in recent years, recognizing the applicability of the GDPR to such data and asserting protections over it. While data protection laws vary across jurisdictions, the IEWG’s announcement places the platforms that host personal data, and SMCs specifically, on notice that failure to take steps to inhibit the scraping of publicly available personal information also comes with risk.
Scraping & Privacy Risks
In describing the impetus for its statement, the IEWG says that it has seen an increase in mass data scraping from various websites, including SMCs, which raises privacy concerns and may put consumers at risk. Identity theft, cyberattacks, spam, data monetization, and unauthorized surveillance are some of the IEWG’s chief concerns. The joint statement repeatedly emphasizes that SMCs have obligations to protect personal information from unlawful scraping under data protection and privacy laws. In this way, the statement essentially frames the obligation to ensure users’ privacy from scraping as akin to a data-security obligation. In fact, the IEWG suggests that in certain jurisdictions, unauthorized scraping may be considered a reportable data breach. However, the IEWG does not identify which specific laws or jurisdictions are implicated. For instance, laws that historically have been used to curtail or address unwanted scraping have differed in the U.S., EU, and other jurisdictions, and in the U.S., publicly available data does not typically carry privacy protections.
Nonetheless, the joint statement creates a roadmap for what it expects platforms to do to potentially protect users’ publicly available data from scraping. These efforts may also provide guidance for other sites that seek to ward off unwanted scraping, even of non-personal data. For instance, the group urges “multi-layered technical and procedural controls to mitigate the risks” since no one method can adequately safeguard data. Among the methods the signatories highlight are the following:
- Having a specific team within an organization that can identify and implement controls to protect against scraping;
- Limiting the number of visits per hour or day by one account to other account profiles as well as monitoring how quickly a new account looks for other users;
- Identifying patterns in “bot” activity such as if a platform is being accessed by using the same credentials from multiple locations;
- Using CAPTCHAs and blocking IP addresses in an attempt to detect and deter bots;
- Sending cease and desist letters and taking other appropriate legal action where data scraping is suspected and/or confirmed; and
- To the extent where such scraping would be considered a breach by the applicable data authority, notifying individuals and the privacy regulators.
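The per-account visit limit, the new-account lookup speed check, and the same-credentials-from-multiple-locations pattern from the list above, sketched as an added Python example (not taken from the joint statement or from any platform's code). The thresholds, the log row layout, and the account names are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# All thresholds are illustrative assumptions, not values from the joint statement.
MAX_PROFILES_PER_HOUR = 5      # distinct profiles one account may view per hour
NEW_ACCOUNT_AGE = timedelta(days=1)
NEW_ACCOUNT_MAX_PROFILES = 3   # stricter hourly cap while an account is new
MAX_LOCATIONS_PER_HOUR = 2     # distinct source locations per credential per hour
WINDOW = timedelta(hours=1)

def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

def build_events():
    """Constructed sample log rows: (time, account, created, location, profile)."""
    old, rows = ts("2022-01-01 00:00"), []
    for i in range(3):    # established account, light browsing, one location
        rows.append((ts(f"2023-09-01 10:{i * 10:02d}"), "alice", old, "CA", f"p{i}"))
    for i in range(8):    # established account walking profiles once a minute
        rows.append((ts(f"2023-09-01 10:{i:02d}"), "bulk01", old, "US", f"p{i}"))
    for i in range(4):    # account created ten minutes before it starts looking
        rows.append((ts(f"2023-09-01 10:{i:02d}"), "fresh7", ts("2023-09-01 09:50"), "US", f"p{i}"))
    for i, loc in enumerate(["US", "DE", "SG"]):   # one credential, three locations
        rows.append((ts(f"2023-09-01 10:{i * 20:02d}"), "shared", old, loc, f"p{i}"))
    return rows

def detect(events):
    """Return {account: set of triggered controls} using a trailing one-hour window."""
    by_account = defaultdict(list)
    for event in events:
        by_account[event[1]].append(event)
    flags = defaultdict(set)
    for account, rows in by_account.items():
        for when, _, created, _, _ in rows:
            recent = [r for r in rows if when - WINDOW < r[0] <= when]
            profiles = {r[4] for r in recent}
            locations = {r[3] for r in recent}
            if len(profiles) > MAX_PROFILES_PER_HOUR:
                flags[account].add("rate_limit")
            if when - created < NEW_ACCOUNT_AGE and len(profiles) > NEW_ACCOUNT_MAX_PROFILES:
                flags[account].add("new_account_velocity")
            if len(locations) > MAX_LOCATIONS_PER_HOUR:
                flags[account].add("multi_location")
    return dict(flags)

if __name__ == "__main__":
    for account, reasons in sorted(detect(build_events()).items()):
        print(account, sorted(reasons))
```

Each check fires independently, which matches the statement's point that no single control is sufficient: the fresh account stays under the general hourly cap and is caught only by the stricter new-account rule.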
The authorities also note that the SMCs and other companies would be well served to enable users to best interact with their websites in a privacy protective manner. Increasing user awareness regarding privacy settings, and sharing with their users the steps they have taken to protect against data scraping are some of the suggested methods. Finally, the authorities urge the companies to monitor and respond to new security risks as they arise and to routinely test and update their controls.
Takeaways for SMCs and Scrapers
While the joint statement also outlines certain steps that consumers can take to protect their personal information, the IEWG’s focus is on SMCs and other companies that host significant amounts of data online. In addition to providing its expectations of steps for companies to take to protect personal information, the signatories have requested feedback from companies demonstrating how they are complying with such expectations.
For scrapers, of personal data or more generally, this joint statement is also worth noting. Even though it does not impose new obligations on scrapers, it signals potentially significant government attention to scraping activities and introduces another possible avenue for inhibiting it. In many countries, there is already a body of case law or regulatory enforcement actions that provide guidance to scrapers about how they might conduct themselves and manage their scraping risks. It is unclear precisely how the joint statement will interact with or impact those existing frameworks, especially in connection with publicly available personal data, but it is an area to monitor closely.
The IEWG invites comments and feedback on their statement until September 24, 2023 (one month from the issuance of the statement). As such, consider submitting comments on this new guidance to help shape the way that it will be understood, interpreted, and/or enforced to avoid undue or unreasonable impact on you or your business.