Ethics & Law Published Jul 13, 2026 · 4 min read · 780 words
Web scraping ethics and robots.txt: the lines you don't cross
A clear, practical guide to scraping ethically and legally: reading robots.txt, Terms of Service, the CFAA and EU equivalents, login walls, personal data, and the difference between 'public' and 'allowed'.
This is the least fun guide on the site and the one you should read first. The technical guides tell you how to scrape. This one tells you when you shouldn't. Getting the ethics wrong can get you banned, sued, or worse. None of this is legal advice. It's the working rules we apply.
The short version
- If it's public, non-personal data and you scrape politely, you're usually fine.
- If it's behind a login, a paywall, or an access control, stop and get permission.
- If it's personal data, assume it's regulated. Don't collect it without a lawful basis.
- Obey robots.txt unless you have a specific, defensible reason not to.
- Don't break the site. Don't lie about who you are when honesty is required.
Read robots.txt
robots.txt is a site's statement about what automated crawlers may access. It's not a law, but it's the baseline of polite crawling, and ignoring it has real consequences.
User-agent: *
Disallow: /private/
Disallow: /search?
Allow: /
User-agent: GPTBot
Disallow: /
Reading it programmatically:
import urllib.robotparser
rp = urllib.robotparser.RobotFileParser()
rp.set_url("https://example.com/robots.txt")
rp.read()
rp.can_fetch("MyBot/1.0", "https://example.com/public") # True
rp.can_fetch("MyBot/1.0", "https://example.com/private") # False
rp.crawl_delay("MyBot/1.0") # seconds, or None
Scrapy honors this automatically with ROBOTSTXT_OBEY = True. There's rarely a good reason to turn it off.
Terms of Service
Many sites' ToS forbid scraping outright. A ToS violation is a contract issue, not a crime, but it can still get you sued and will get you banned. Read the ToS. If it says "no automated access," scraping isn't "public data, fair game." It's a breach you agreed to by using the site.
A useful test: would the site's owner be upset if they saw exactly what you're doing? If yes, that's a signal. Not a stop sign, but a signal worth weighing.
Login walls and access controls
Once you authenticate, the rules change. Content behind a login is not public. Scraping it can run into:
- The US Computer Fraud and Abuse Act (CFAA) talks about "exceeding authorized access." After Van Buren (2021) the bar is higher, but authenticated scraping against ToS is still risky.
- EU equivalents include the Computer Misuse Act (UK) and similar laws elsewhere.
- Contract breach. The ToS you accepted to get the account.
The safe default: never scrape behind a login without written permission.
Personal data
This is the sharpest line. Under GDPR (EU/UK) and CCPA/CPRA (California), personal data is personal data whether or not it's "public." Names, emails, phone numbers, photos, user profiles, location data. All of it.
- Collecting it requires a lawful basis (consent, legitimate interest, etc.).
- You must honor data subject rights (access, deletion).
- "It was public on the site" is not a defense under GDPR.
Practical rule: if your dataset could identify a person, treat it as personal data. Don't collect it unless you have a real, documented basis to.
What "public" actually means
| Situation | Public? | Scrape? |
|---|---|---|
| Plain HTML, no login | Yes | Usually fine, politely |
| Page reachable but disallowed by robots.txt | Ambiguous | No |
| API with no auth but undocumented | Yes | Usually fine, politely |
| Login-gated page | No | No, without permission |
| Paywalled content | No | No |
| Data behind a CAPTCHA or anti-bot | It's an access control | Avoid |
The CAPTCHA and anti-bot line is the subtle one. A bot-defense system is, legally, often an access control. Bypassing it can be treated as circumvention. That doesn't mean every Cloudflare site is off-limits. It means the "it's public" argument is weaker there.
Be a good guest
Politeness is ethical and practical:
- Set a User-Agent with a contact URL when scraping permitted targets.
- Crawl at off-peak hours for big jobs.
- Rate-limit yourself harder than the site would.
- Cache so you never re-request.
- If the site offers an API or a data dump, use that instead. Always.
A decision checklist
Before you scrape, answer these honestly:
- Is the data public and non-personal?
- Does robots.txt allow your path?
- Does the ToS permit automated access?
- Are you behind a login or bypassing an access control?
- Will your rate be gentle enough to go unnoticed?
- Is there an official API or dataset you could use instead?
If any answer is "no" or "I'm not sure," slow down and figure it out before writing code.
Key takeaways
- robots.txt is the baseline. Obey it unless you have a specific, defensible reason not to.
- Login walls and paywalls change the rules. Get permission.
- Personal data is regulated even when public. Don't collect it without a lawful basis.
- Anti-bot systems can be access controls. Bypassing them is riskier than scraping plain HTML.
- Politeness is both ethical and the cheapest anti-ban strategy there is.
Frequently Asked Questions
Is web scraping legal?
Scraping public, non-personal data is generally legal in many jurisdictions. US case law (hiQ v. LinkedIn) has favored scraping public data. But it depends on what you scrape, how, and where you are. Scraping behind a login, violating Terms of Service, circumventing access controls, or collecting personal data can be illegal. This guide is education, not legal advice.
Do I have to obey robots.txt?
robots.txt isn't a law, but disobeying it has consequences. It can be used as evidence that you exceeded authorized access. It often violates a site's Terms of Service. And ignoring it is the fastest way to get IP-banned. Practically and ethically, obey it unless you have a specific, well-considered reason not to.
Is it okay to scrape behind a login?
Generally no, not without explicit permission. Content behind authentication is not public. Scraping it often violates Terms of Service and can constitute exceeding authorized access under laws like the US CFAA. Always get permission before scraping authenticated areas.
Can I scrape personal data like emails and phone numbers?
Scraping personal data is heavily regulated under GDPR (EU/UK), CCPA (California), and similar laws. Even public personal data is personal data under GDPR. Collecting it without a lawful basis is a violation. Don't scrape personal data unless you have a clear legal basis and a specific purpose.
Keep reading
Building search infrastructure for 1M+ queries a month: the stuff nobody tells you
A deep, no-bullshit technical dive into building search infrastructure that handles over 1 million queries per month. Inverted index internals, posting list compression, WAND/MaxScore scoring, Go hot-path code, five-layer cache hierarchies, mmap and SSD reality, tiered segment merging, tail latency, and the non-obvious stuff that actually kills you at scale.
searchinfrastructureinverted-indexgoScraping at scale: queues, caching, and not getting banned
How to take a working scraper to millions of pages without melting the target or getting banned: work queues, bounded concurrency, on-disk caching, dedup, retries with backoff, and polite scheduling.
scalingarchitecturecachingconcurrencyBypassing anti-bot protections: TLS, fingerprints, and Cloudflare
A frank guide to anti-bot defenses and how scrapers get past them: TLS/JA3 fingerprinting, Cloudflare's challenge, PerimeterX, CAPTCHAs, residential proxies, and the libraries (curl_cffi, Camoufox) that actually work in 2026.
anti-botcloudflaretls-fingerprintproxies
Found this useful? Cite it as: webscraping.space. “Web scraping ethics and robots.txt: the lines you don't cross.” https://webscraping.space/blog/web-scraping-ethics-and-robots-txt. Published 2026-07-13.