The United Kingdom’s Information Commissioner’s Office and data protection authorities from Canada, Australia, Hong Kong, Mexico, Switzerland, Norway, New Zealand, Colombia, Jersey, Morocco, and Argentina have released a joint statement on data scraping and its impact on data privacy.
The statement provides a clear definition of data scraping, making it easier for both consumers and technology companies to understand the concept. It describes data scraping as the automated extraction of information from websites, databases, or other online sources, often without the consent of the data owner. Data protection authorities have seen an increase in incidents involving data scraping, particularly from social media platforms and websites that host publicly available data.
The aim of the joint statement is to outline the key data privacy risks associated with data scaping, how social media companies and other websites should protect individuals’ personal data, and the steps individuals can take to protect their data.
The increase in data scraping from social media and websites can lead to several privacy risks, including the following:
- Targeted Cyberattacks: Malicious actors use scraped data for social engineering or phishing attacks.
- Fraud: Scraped data can fuel fraudulent loan or credit card applications and create fake social media accounts.
- Surveillance and Profiling: Scraped data contributes to unauthorized surveillance, facial recognition databases, and unauthorized access.
- Unauthorized Intelligence Gathering: Foreign governments or intelligence agencies may exploit scraped data.
- Unwanted Marketing: Contact information from scraping personal data leads to bulk unsolicited marketing campaigns.
The risks to data privacy posed by data scraping will undermine the trust consumers have in digital products and services, leading to an impact on the digital economy in the long run.
Responsibility of SMCs and Websites
Social media companies (SMCs) and other websites have a responsibility for safeguarding personal data from unlawful data scraping. Data scraping techniques are continually evolving, so SMCs must develop ways to monitor and counteract these new technologies. To mitigate privacy risks, SMCs and websites should implement multi-layered technical and procedural controls, proportionate to data sensitivity. These may include the following:
- Designated Teams: Appoint teams or roles to identify and address scraping activities.
- Rate Limiting: Restrict the number of visits and monitor unusual activity.
- Bot Detection: Employ methods like CAPTCHAs and IP blocking to identify scraping.
- Legal Action: Pursue legal action against scraping, including cease and desist letters.
- Notification: Inform affected individuals and privacy regulators in jurisdictions where scraping may constitute a data breach.
SMCs and websites should also empower users to make informed decisions about their personal data through increased awareness and privacy settings.
Steps for Individuals to Mitigate Privacy Risks
While security controls help mitigate risks, there are steps individuals can take to protect their personal data, including reviewing privacy policies, limiting information sharing, and managing privacy settings.
Individuals concerned about unlawful scraping can contact the website, file complaints with relevant data protection authorities and remove personal data as needed.
This joint statement emphasizes the importance of protecting personal data from data scraping to ensure compliance with global data protection and privacy laws. Implementing safeguards not only protects user data but also fosters trust from users. SMCs and websites can further protect their users' personal data by educating them on protection measures.
The data protection authorities are asking for feedback from SMCs by September 24, 2023 demonstrating how they comply with the expectations outlined in the joint statement.
Trainee solicitor Lovell Owiti contributed to this post.