Privacy Authorities Warn Social Media Platforms from Scraping User Data

Privacy Protection Authorities from around the world have signed a joint statement calling social media platforms to protect publicly available user content from data scraping. Failure to do so may result in legal accountability. Authorities from countries such as the United Kingdom, Canada, Switzerland, Hong Kong (China), Australia, and Mexico have signed the statement.

The authorities’ statement clarifies that “social media companies and website operators hosting publicly accessible personal information are obligated to implement measures that shield such information from data scraping on their platforms. These obligations typically apply to personal information regardless of its accessibility status. Extensive scraping of personal data may qualify as a reportable information security incident in multiple jurisdictions.”

The statement comes amid a rise in the popularity of artificial intelligence models like ChatGPT, which rely on extensive personal information for training. This trend could incentivize more stakeholders to engage in web data scraping to enhance their capabilities. The authorities warn that data scraping could enable targeted cyber-attacks, such as social engineering and phishing, identity fraud, monitoring and profiling of data subjects, illegal political or intelligence gathering, and the dissemination of unlawful direct mail or spam.

The authorities urge websites and social media platforms to “…implement multi-layered technical and procedural controls to mitigate risks.” These measures include a designated team within the organization to address data scraping risks, configuring hourly or daily visit limits on individual accounts, monitoring activities of new users, identifying patterns of bot activities, taking legal action against data collectors, and complying with privacy protection laws by notifying affected data subjects and relevant private authorities.

The statement also provides data subjects with a few guidelines to protect themselves against data scraping. Data subjects are encouraged to review platform privacy policies, carefully consider content shared online, manage post viewability through settings, and contact the platform or website, or file a complaint with the relevant privacy protection authority in case of suspicious data scraping.

The statement was sent to Alphabet (the ultimate parent company of YouTube), ByteDance (the parent company of TikTok), Meta (operator of Instagram, Facebook, and Threads), Microsoft (ultimate owner of LinkedIn), Sina Corp (Weibo), and X (formerly Twitter). Despite the statement’s clear message, its potential enforceability remains uncertain, because it lacks explicit warnings or threats of legal action against non-compliant companies. The authorities suggested that social media platforms respond to the statement within a month and outline their plans to meet the authorities’ expectations.

Click here to read the media release published by the UK Information Commissioner’s Office.

Click here to read the Joint statement on data scraping and the protection of privacy.