International Privacy Authorities Issue Joint Statement on Data Scraping

On August 24, 2023, a group of international privacy authorities issued a joint statement on data scraping and the protection of privacy. The statement was issued by the data protection authorities of New Zealand, Canada, Australia, the United Kingdom, Hong Kong, Switzerland, Norway, Columbia, Morocco, Argentina, Mexico, and Jersey.

What was the statement?

The statement highlights the significant privacy concerns raised by data scraping technologies, which can collect and process personal information from the internet. The statement clarifies that the operators of websites that host publicly accessible personal information also have data protection obligations with respect to third-party scraping from their websites.

The statement identifies a number of specific privacy risks from data scraping, including:

• Targeted cyber-attacks
• Identity fraud
• Monitoring, profiling, and surveilling individuals
• Unauthorized political or intelligence gathering purposes
• Unwanted direct marketing or spam

The statement stipulates that social media companies and other websites are responsible for protecting individuals' personal information from unlawful data scraping. The statement provides a number of mitigation controls that can be used to protect against data scraping, including:

• Designating a team to identify and implement controls protecting against data scraping activities
• "Rate limiting" the number of visits per hour or day to specific accounts or profiles
• Monitoring how quickly or aggressively a new account starts looking for other users
• Taking steps to identify "bot" activity through the identification of suspicious IP addresses and CAPTCHAs

The statement also notes that entities should inform users of the steps taken to protect users against data scraping. The statement also elaborates on what steps individuals can take to minimize the privacy risks from data scraping, such as managing privacy settings and limiting the amount of personal information shared.

What does it mean for businesses?

It should be noted that the joint statement does not prohibit ordinary businesses from scraping data, as long as it is legal. However, businesses should be aware of the privacy risks associated with data scraping and take steps to mitigate those risks.

Some of the things that businesses can do to mitigate the privacy risks of data scraping include:

• Only scraping data that is publicly available.
• Limiting the amount of data that is scraped.
• Notify users that their data is being scraped.
• Take steps to protect the data from unauthorized access or use.

Here are some additional things that businesses should consider when scraping data:

• The purpose of the scraping. Is the data being scraped for legitimate business purposes, such as market research or competitive analysis? Or is it being scraped for more nefarious purposes, such as identity theft or spam?
• The type of data being scraped. Some types of data, such as financial information or health data, are more sensitive than others. Businesses should be careful not to scrape sensitive data unless they have a legitimate reason to do so.
• The laws and regulations that apply. The laws and regulations that apply to data scraping vary from country to country. Businesses should make sure that they are complying with all applicable laws and regulations.
  

How can Secure Privacy help?

Secure Privacy is committed to helping businesses protect their customers' personal information from data scraping. We offer a comprehensive range of data privacy solutions, including:

• Data protection training courses
• Data privacy compliance software
• Data privacy consulting services

Secure Privacy can help you assess your data privacy risks, implement appropriate controls, and comply with all applicable data privacy laws and regulations.

Contact us today to learn more about how we can help you protect your customers' personal information from data scraping.