Scraping and Generative Artificial Intelligence: the Data Protection Autority’s Notice

Automated online data collection, commonly known as web scraping, has become a widespread practice in many sectors for data analysis and the development of applications based on generative artificial intelligence (GIA). However, this practice raises important legal issues, especially in relation to the protection of personal data. Recently, the Italian data protection authority (Garante per la protezione dei dati personali) issued specific guidelines that provide guidance on measures to be taken to mitigate the risks associated with web scraping. This article examines the new guidelines in detail, exploring the legal implications and best practices for compliance.

What is Web Scraping?

Web scraping is the process of automatically extracting data from websites using specific software, known as a scraper. These programmes can automatically browse web pages, collect structured and unstructured data, and save it for further analysis. Web scraping can be performed through various methods, including:

  • HTML parsing: Parsing the HTML code of web pages to extract specific information.
  • APIs: Use of programming interfaces to access data offered by websites.
  • Bots: Automated programmes that simulate human navigation to collect data.

Risks Associated with Web Scraping

Although it may have legitimate applications, such as collecting information for market analysis, it is often associated with less legitimate uses, such as the theft of personal data for commercial or even fraudulent purposes. The indiscriminate use of web scraping may in fact entail various legal and security risks such as:

  • breach of privacy: the collection of personal data without consent may violate privacy regulations, such as the GDPR.
  • Abuse of Terms of Service: Many websites prohibit web scraping in their terms of service, and violating these terms may lead to legal action.
  • Data security: Bulk data collection may expose information to security risks, such as unauthorised access or malicious use of data.

The Autoruty’s Notice

The Garante per la protezione dei dati personali (Italian Data Protection Authority) has recently published a document providing guidance on how to manage the risks associated with web scraping. The notice focuses on several aspects that revolve around the protection of personal data and compliance with existing regulations. Below are the main recommendations:

  • Creation of Restricted Areas: one of the measures suggested is the creation of restricted areas on websites, accessible only after registration. This practice reduces the availability of personal data to the general public and can act as a barrier against indiscriminate access by bots. This will also make it possible to monitor who accesses the data and to what extent, improving traceability and accountability. On the other hand, it is crucial that the collection of data for registration is proportionate and respects the principle of data minimisation.
  • Clauses in the Terms of Service: the inclusion of specific clauses in the Terms of Service explicitly prohibiting the use of web scraping techniques is another effective tool. These clauses can act as a deterrent and provide a legal basis for taking action against those who violate these conditions.
  • Network Traffic Monitoring: implementing monitoring systems to detect anomalous data flows can help prevent suspicious activities. Adopting measures such as rate limiting makes it possible to limit the number of requests coming from specific IP addresses, helping to reduce the risk of excessive or malicious web scraping.
  • Technical interventions on bots: The document also suggests the use of techniques to limit access to bots, such as implementing CAPTCHAs or periodically modifying the HTML markup of web pages. These interventions, although not decisive, may make scraping more difficult.


The Data Protection Authority’s statement represents a significant step forward in regulating the use of web scraping and the protection of personal data. For operators of websites and online platforms, it is crucial to take the recommended measures to ensure regulatory compliance and protect users’ personal data.

Compliance with data protection regulations is not only a legal obligation, but also a key element in building and maintaining user trust. Companies must be proactive in adopting data protection best practices and monitoring regulatory developments.

Contact us

If you have questions or need legal assistance with regard to web scraping and data protection, our firm is at your disposal. Contact us for a personal consultation and to find out how we can help you navigate the complex landscape of privacy regulations.