Legal landscape

The 2022 Ninth Circuit ruling that scraping public pages doesn't trigger CFAA liability remains the controlling precedent. Public is the operative word. The moment auth or paywall is involved, you're back in CFAA territory.

If you scrape personal data of EU or California residents, you need a lawful basis (contract, consent, legitimate interest) and you must let subjects exercise rights — access, rectification, deletion. The "we're a scraper, not a controller" defense doesn't fly post-Clearview.

Bulk scraping for AI training is expressly addressed. Article 53 requires "sufficiently detailed summary" of training data sources. If your pipeline feeds a model that ends up in EU production, document your sources end-to-end.

Site ToS are contracts. Violating them isn't automatically illegal but can support breach-of-contract or tortious-interference claims. Reading and respecting ToS for sites you crawl heavily is risk-cheap.

Defaults that comply by default, knobs that surface when you want to deviate, audit logs of overrides. We're not your lawyer — we're the tool that doesn't make compliance harder.