Terms of Service, Enforceable or Not?
Most sites prohibit scraping in their Terms of Service. When that prohibition is legally enforceable, when it isn't, and how courts have ruled.
What you’ll learn
- Distinguish browsewrap from clickwrap agreements.
- Explain when a ToS binds a scraper.
- Recognize the ToS-related risks in scraping projects.
Not legal advice. Engineer's summary.
Nearly every website's Terms of Service forbid scraping. If those were universally enforceable as written, almost all scraping would be unlawful. They aren't, in practice. But ToS aren't toothless either. This lesson is the framework for understanding when ToS matters.
Two ways a ToS gets formed
Contract law generally requires assent. Two ways courts have found assent online:
Clickwrap
You explicitly click "I agree." Common pattern: a checkbox on signup. Courts consistently uphold clickwrap as a binding contract (assuming basic elements like clear notice).
Implication for scraping: anything you've signed up for, clicked through, or agreed to via a checkbox, you're bound to. Includes APIs you have a key for, sites where you have an account, paid services.
Browsewrap
A ToS link sits in the footer. You haven't clicked anything; the site claims your use constitutes agreement. Courts have been much more skeptical of browsewrap:
- Strong browsewrap: prominent notice, easy-to-find link, language saying "by using this site you agree" → sometimes enforceable.
- Weak browsewrap: tiny footer link, no explicit notice → often unenforceable.
Implication for scraping: anonymous scraping of a public page with only browsewrap is on much weaker ground than scraping after signup. Whether the browsewrap was reasonably noticed by you matters.
The hiQ angle, revisited
In hiQ v. LinkedIn, LinkedIn argued hiQ violated the ToS. The 9th Circuit didn't rule on CFAA grounds (that's where hiQ won), but LinkedIn ultimately prevailed on California state-law claims partly because hiQ had created LinkedIn accounts and thereby agreed to LinkedIn's ToS via clickwrap.
The lesson:
- Anonymous scraping of public pages with only browsewrap → ToS more easily contested.
- Scraping while having an account at the target → contract clearly formed; ToS prohibitions much harder to evade.
What ToS typically prohibits
Reading scraping-relevant ToS clauses across major sites:
- "No automated access" or "no bots, scripts, or crawlers."
- "No scraping, copying, or extracting data."
- "No use of data for competitive purposes."
- "No circumventing access controls" (often included).
- "Account access is for personal use only" (consumer sites).
Even sites that allow registered API access typically prohibit non-API scraping. Reading the actual ToS of a target is worth 30 minutes.
When ToS prohibitions probably bite
Strong ToS-driven risk:
- You have an account at the target. Clickwrap formed; ToS attaches to your use.
- The ToS has prominent, unambiguous notice. Even browsewrap can stick.
- You're scraping in clear violation (not arguably "researching" or "academic").
- The target site is litigious or has previously sued scrapers.
- You're commercializing the scraped data.
Weaker ToS-driven risk:
- Pure anonymous browsewrap scraping of public pages.
- Use is non-commercial / personal.
- You've never created an account or clicked through anything.
- The data is purely factual and not redistributed verbatim.
ToS vs CFAA, different questions
A common confusion: "but I read that violating ToS isn't a CFAA violation."
That's true: post-Van Buren, ToS violations aren't federal computer-misuse crimes. But ToS violations can still be breach-of-contract claims under regular contract law. Different statute, different liability.
You can avoid CFAA exposure and still face a breach-of-contract suit. Damages tend to be smaller than CFAA-style claims, but injunctions ("stop scraping our site") can still terminate a business.
The "I didn't read it" defense
It generally doesn't work for clickwrap. Courts treat clicking "I agree" as assent regardless of whether you actually read.
For browsewrap, it sometimes works: if the ToS was hidden, the argument that you didn't reasonably notice it has more weight. But banking on "I didn't see it" is fragile.
Practical posture for scrapers
- Read the target's ToS once before starting a non-trivial project. Look for explicit no-scrape clauses, anti-automated-access clauses, and account-required clauses.
- Don't create accounts you don't need. If you can scrape without registering, you avoid the clickwrap trap.
- Don't pretend to be a human user if the ToS says "no automated access." Scraping is automated; the lie compounds the violation.
- If you need data behind a login, explore official API access first. Many sites offer paid APIs that are explicitly licensed for your use case.
- For commercial projects, get an actual legal opinion on the target's ToS posture. Engineers' intuitions about contract law are notoriously bad.
What a ToS DOESN'T do
A few things ToS cannot do, regardless of what they claim:
- Bind you to laws you haven't broken. A ToS saying "scraping is criminal" doesn't make it so.
- Limit your statutory rights in many jurisdictions (e.g. EU consumer protection law).
- Forbid facts you've observed. You can't be sued for knowing a price you saw on a public page.
These are limits courts apply on top of contract law.
The reasonable scraper posture
A defensible approach for most projects:
- Public data only: no login.
- No circumvention: treat IP blocks and CAPTCHAs as effective signals to stop.
- Identified User-Agent: visible good faith.
- Polite rate-limit: avoid distorting target's analytics or load.
- Read the ToS: know what you're choosing to interpret around.
- Output is facts: don't republish copyrighted text/images verbatim.
- Personal/research/non-commercial OR carefully-considered commercial with legal review.
This posture survives most ToS-driven challenges. It isn't bulletproof (nothing is), but it's defensible.
Documenting your posture
For any non-trivial project, write a one-page memo:
PROJECT: [name]
DATA SOURCES: [list of URLs/sites]
NATURE OF DATA: [facts? user-generated content? personal data?]
TOS REVIEW: [date, summary of relevant clauses]
ACCESS METHOD: [public anonymous / authenticated / API]
ANY CIRCUMVENTION: [if any, usually should be "none"]
COMMERCIAL USE: [yes/no, brief]
LEGAL POSTURE: [3-5 sentences on why you think this is defensible]
DECISION: [proceed / abandon / get legal opinion first]
The exercise of writing this clarifies your thinking and creates a paper trail showing good faith if questions arise later.
What to try
Pick a real scraping project (current or hypothetical). Read the target's actual ToS (find it via the "Terms" link or the /terms URL). Note:
1. Does it prohibit scraping explicitly?
2. Is the notice browsewrap (footer link) or clickwrap (clicked-through at signup)?
3. Do you have an account at the target?
Combine: if (1 is yes) AND (3 is yes), you're on weak ground. If (1 is yes) AND (3 is no) AND (notice is weak browsewrap), you're on stronger ground.
Either way, document the analysis. Knowing your posture is half the battle.