LinkedIn Scraping for AI: The Legal Risk Your Board Owns

Scraping LinkedIn to feed AI is legally risky, and the accountable people are the board, the general counsel and the data protection officer, not the team running the tool. Public profile data isn't free for the taking. It's personal data under UK and EU law, it's covered by a contract every LinkedIn user signed, and regulators have already fined companies that scraped it. If your sales, marketing or recruitment teams are piping LinkedIn profiles into an AI tool, you carry the exposure. Here's exactly where the risk sits and what to check.
Is scraping LinkedIn actually illegal?
It's more complicated than yes or no, and that's the trap.
In the United States, scraping data that's publicly visible (no login, no password) generally doesn't break the Computer Fraud and Abuse Act. That came out of the long-running fight between hiQ Labs and LinkedIn. In April 2022 the Ninth Circuit confirmed that scraping public profiles isn't "unauthorised access" under the CFAA (Ninth Circuit opinion, 18 April 2022).
That ruling gets quoted a lot. People stop reading there. They shouldn't.
The same case ended very differently. In November and December 2022, the district court found hiQ had breached LinkedIn's User Agreement, and the parties entered a consent judgment. hiQ agreed to a $500,000 payment to LinkedIn, a permanent injunction to stop all scraping, and an order to destroy the source code, data and algorithms built from scraped profiles (Privacy World, December 2022). The company that "won" on the CFAA point lost the war on contract.
So the headline most people remember is half the story. Scraping public data might not be a federal computer crime in the US. It can still be a contract breach, and in Europe it can break data protection law outright.
What does LinkedIn's User Agreement actually say?
It bans automated scraping in plain terms. Every LinkedIn user agrees to it on signup, which makes it a binding contract.
Section 8.2 of the LinkedIn User Agreement says you must not:
- "Develop, support or use software, devices, scripts, robots or any other means or processes (such as crawlers, browser plugins and add-ons or any other technology) to scrape or copy the Services"
- "Copy, use, display or distribute any information (including content) obtained from the Services... without the consent of the content owner"
- "Override any security feature or bypass or circumvent any access controls or use limits of the Services (such as search results, profiles, or videos)"
When your team uploads a spreadsheet of profile URLs into a scraping tool, that's the activity this clause names. hiQ's $500,000 bill came from breaching the same kind of term. The contract risk doesn't depend on which country you're in.
Why is scraped LinkedIn data a GDPR problem?
Because a name, a job title and an employer is personal data. The GDPR and the UK GDPR apply to personal data even when it's public.
This is the point most teams miss. "It's on a public profile" is not a defence. The moment you collect and process that data, you need a lawful basis under Article 6, and you have to meet the transparency, minimisation and retention rules. Public visibility doesn't switch those off.
Two enforcement actions show how this plays out.
| Case | Regulator | Outcome | What it tells you |
|---|---|---|---|
| KASPR | CNIL (France), Dec 2024 | €240,000 fine | Scraping LinkedIn contacts, including from users who'd restricted visibility, with no lawful basis and no transparency |
| Clearview AI | Dutch DPA, Sep 2024 | €30.5m fine | Scraping billions of online images (incl. LinkedIn) to build an AI database, no lawful basis |
KASPR ran a browser extension that pulled professional contact details from LinkedIn into a database of around 160 million contacts. The CNIL fined it €240,000 on 5 December 2024. The findings: no lawful basis for collecting data from people who'd limited who could see it, excessive retention, and a failure to tell those people their data had been taken (CNIL decision).
Clearview AI is the bigger warning. The Dutch DPA fined it €30.5 million on 3 September 2024 for scraping more than 30 billion images from the open web, LinkedIn among them, to build a facial recognition database with no lawful basis and no transparency (Dutch DPA decision). The regulator is even looking at whether the directors can be held personally liable.
Personal liability for directors. That's the line that should travel up to your board.
What do regulators say about scraping data to train AI?
They've moved fast, and the message is consistent: scraping public personal data to train or feed AI is legally hard to justify, and often fails the test.
The UK ICO finished its consultation on generative AI in December 2024. Its position: legitimate interests is the only lawful basis available for scraping personal data to train generative AI, and in most cases scraping fails the balancing test, because people don't know it's happening and can't exercise their rights (ICO outcome report). If you can get the data another way, the ICO expects you to.
The European Data Protection Board adopted Opinion 28/2024 on 18 December 2024. Three points matter for boards:
- Legitimate interest can work as a lawful basis for AI development, but only if the processing passes a strict three-step necessity and balancing test, judged case by case.
- Whether a model counts as "anonymous" is decided case by case by data protection authorities, not assumed by the developer.
- If a model was built on personal data that was processed unlawfully, that can taint the model's later use too, unless it's been properly anonymised (EDPB Opinion 28/2024).
Read point three again. An AI tool trained on scraped data can carry the original sin forward. Buying the tool doesn't clean the data.
Who is actually on the hook when it goes wrong?
The organisation that decides why and how the data gets processed. In GDPR terms, that's the data controller, and that's you, not the tool vendor.
If your team chooses to scrape LinkedIn profiles and feed them into an AI system to enrich leads or score candidates, your company is the controller. The vendor is usually a processor acting on your instruction. The lawful basis, the transparency notices, the retention limits, the data subject rights: those land on you. A free signup and a slick template don't move that responsibility anywhere.
This is why the people accountable are rarely the people clicking the button:
- The board owns the risk appetite and signs off the AI strategy. "We didn't know marketing was doing it" is not a defence the regulator accepts.
- The general counsel owns the contract exposure (the User Agreement breach) and the litigation risk.
- The data protection officer owns the lawful basis, the records of processing, and the response when a data subject asks where their data came from. KASPR was penalised partly for fumbling that exact question.
The same risk applies to recruitment and HR. Scraped profile data used to screen or rank candidates pulls in employment and equality obligations on top of data protection. The exposure compounds.
How do you do prospect research without the legal exposure?
You can still research people. You just collect the data in a way you can defend.
- Use LinkedIn's official, paid tools. Sales Navigator and Recruiter are licensed access. They're built for prospecting and they don't breach the User Agreement. Note the limit: LinkedIn's API does not hand you bulk profile data for export, by design.
- Buy from sources that can prove lawful collection. If a data vendor can't show you its lawful basis and its transparency process, that gap becomes your gap. Ask before you buy.
- Collect with consent where you can. Opt-in data, gated content, event sign-ups. Slower, but defensible, and the ICO explicitly prefers it.
- Keep a human in the loop and write down your reasoning. A documented legitimate-interest assessment is the difference between a defensible position and a guess. Do it before you process, not after a complaint lands.
- Get one person to own AI tool sign-off. Most of this risk enters through shadow IT, a team adopting a tool nobody reviewed. A single approval gate kills most of it.
None of this stops you from growing pipeline. It stops you from building that pipeline on data you can't account for.
Frequently asked questions
Is scraping public LinkedIn profiles legal?
Public visibility doesn't make it lawful. In the US, scraping public data generally doesn't breach the Computer Fraud and Abuse Act, but it can still breach LinkedIn's User Agreement, as hiQ Labs found when it agreed to a $500,000 judgment and a permanent injunction in 2022. In the UK and EU, profile data is personal data under GDPR, so you need a lawful basis to collect and use it regardless of whether it's public.
Can we use scraped LinkedIn data to train or feed an AI tool?
It's hard to do lawfully in the UK and EU. The ICO's view is that legitimate interest is the only available lawful basis, and that scraping usually fails the balancing test because people don't know it's happening. The EDPB's Opinion 28/2024 adds that a model trained on unlawfully processed data can stay tainted when you later use it. Treat scraped training data as a liability you inherit.
What are the penalties for unlawful LinkedIn scraping?
Under UK and EU GDPR, fines run up to €20m or 4% of global annual turnover, whichever is higher. Real cases sit lower but still bite: the CNIL fined KASPR €240,000 in 2024 for scraping LinkedIn contacts. On the contract side, breaching LinkedIn's User Agreement exposes you to damages and an injunction. Reputational damage and director liability are live risks too.
Who is responsible if our team scrapes LinkedIn data?
Your organisation, as the data controller. The team running the tool isn't the one a regulator pursues, and "a vendor's tool did it" doesn't shift the duty. Accountability sits with the board for risk sign-off, the general counsel for contract and litigation exposure, and the DPO for lawful basis and data subject rights.
The bottom line
The "it's public, so it's fair game" argument is the most expensive misunderstanding in B2B data right now. It survives because one half of the hiQ ruling gets quoted and the other half gets ignored. Public data is still personal data, the User Agreement is still a contract, and regulators have stopped issuing warnings and started issuing fines.
My view: if your company runs on AI-enriched prospect or candidate data and nobody can name your lawful basis in one sentence, you're not running a growth engine, you're running an open liability. The fix isn't expensive. It's a person who owns AI tool sign-off, a written lawful-basis assessment, and licensed data sources you can defend. Do that before a data subject asks where you got their profile, because the ones who ask tend to be the ones who complain.
The teams scraping LinkedIn aren't villains. They're efficient, and they've been told public means free. It doesn't. Responsible AI starts with knowing whose data you're holding and why you're allowed to.
This is the kind of work our AI governance and compliance handles.

Sotiris Spyrou
Sotiris Spyrou is the founder of VerityAI, a Responsible AI advisory for boards and AI-deploying businesses. With 27 years across agencies, global in-house roles, and the C-suite, he advises leaders on AI governance and risk, and on answer-engine visibility engineered without the dark patterns the rest of the industry is getting penalised for. He is the author of TRANSFORM, AI Moats, and Ethical AI.
Founder at VerityAI