Short answer: Scraping publicly visible LinkedIn profiles is very unlikely to violate the Computer Fraud and Abuse Act, the federal anti-hacking statute. The Ninth Circuit said so in 2022. That does not make it risk-free. LinkedIn's User Agreement prohibits automated data collection, and hiQ Labs, the company that won the CFAA argument, still lost on breach of contract, agreed to a permanent injunction, deleted its data, and paid LinkedIn $500,000.
For a US sales team the practical exposure is not prison. It is a restricted LinkedIn account, a contract claim, and privacy obligations that attach the moment you email the person.
Last updated July 2026. This is general information for sales and marketing teams, not legal advice. Talk to a lawyer about your specific situation.
Every vendor in outbound sales has an opinion about whether LinkedIn scraping is legal, and almost all of them collapse three separate questions into one. Criminal liability under federal computer law, civil liability under a contract you clicked, and data protection obligations under privacy statutes are governed by different rules and produce different answers. Here is each of them, and what a US team should actually do.
Is scraping LinkedIn illegal?
Scraping data that LinkedIn shows to the public without a login is not, on current Ninth Circuit law, a violation of the Computer Fraud and Abuse Act. In April 2022 the court held in hiQ Labs v. LinkedIn that the CFAA's prohibition on access "without authorization" does not reach information that anyone can view, and that breaking a website's terms of use is not by itself enough to trigger the statute. Public means public.
That ruling sits on top of the Supreme Court's 2021 decision in Van Buren v. United States, which narrowed "exceeds authorized access" to a gates-up-or-down question: did you enter a part of the system you were not permitted to enter? Reading a page you were allowed to load, for a purpose the operator dislikes, is not hacking.
So the criminal framing that scares most sales leaders is the wrong one. The risk lives elsewhere.
What happened in hiQ Labs v. LinkedIn?
This is the part that gets left out. hiQ built its business on scraped public LinkedIn profiles. LinkedIn sent a cease and desist. hiQ sued, won a preliminary injunction, and after a trip to the Supreme Court and back, won again in the Ninth Circuit in April 2022 on the CFAA question.
Then it lost. In November 2022 the district court found that hiQ had breached LinkedIn's User Agreement. In December 2022 the parties entered a consent judgment: hiQ accepted a permanent injunction barring it from scraping LinkedIn, agreed to destroy the source code, data, and algorithms it had built, and agreed to $500,000 in damages. The stipulations in that judgment are an agreement between two parties rather than binding precedent, but the outcome is real enough.
The lesson is narrow and important. hiQ was right that scraping public data is not a federal crime. It was wrong that this made scraping safe. Contract law did what the hacking statute could not.
Does LinkedIn's User Agreement prohibit scraping?
Yes, explicitly. LinkedIn's User Agreement forbids scraping, crawling, and using bots or other automated methods to access the service or copy data from it. If you hold a LinkedIn account, you accepted that. Whether that promise is enforceable against a particular person, in a particular way, for particular data is exactly the kind of question that made hiQ a five-year lawsuit.
For most sales teams, though, the enforcement mechanism is not a lawsuit. LinkedIn does not sue individual SDRs. It restricts and bans accounts, and it does so with automated detection that watches for the signature of automation: hundreds of profile views an hour, connection requests fired at machine speed, sessions from data-center IP ranges. Losing the account of a rep whose network is their pipeline is a real cost, and it arrives quietly.
What are the actual legal risks of scraping LinkedIn?
Four distinct bodies of law can touch the same activity. They are not interchangeable, and the one everybody worries about is the least likely to bite.
| Legal theory | Does it apply to public profile scraping? | Real-world consequence |
|---|---|---|
| CFAA (federal anti-hacking) | Unlikely for public data, per the Ninth Circuit in 2022 and Van Buren in 2021 | Low. This is the risk people fear and the one courts have narrowed |
| Breach of contract (User Agreement) | Yes, if you have an account and the terms bind you | High relevance. This is what ended hiQ. Usually enforced as an account ban |
| Privacy law (CCPA and CPRA, GDPR) | Yes, once you hold and use personal data about covered individuals | Notice, deletion, and opt-out duties. Applies to B2B contact data too |
| CAN-SPAM | Not to the scraping. To the email that follows | Accurate headers, working opt-out, physical address, honored within 10 business days |
Is it legal to email someone whose details you scraped?
In the United States, generally yes, and this surprises people who have absorbed European habits. CAN-SPAM does not require prior consent to send a commercial email. It requires that you do not falsify headers or the sender identity, that the subject line is not deceptive, that the message includes a valid physical postal address, that it offers a clear way to opt out, and that you honor an opt-out within ten business days. Cold email to a business address is lawful when those conditions are met. We cover the details in whether cold email is legal under CAN-SPAM.
Privacy law is the newer complication. Under the CCPA as amended by the CPRA, business contact information about California residents is personal information, and the B2B carve-out expired at the start of 2023. If your company meets the thresholds that make it a covered business, a California prospect can ask what you hold about them and demand deletion, whether you scraped it or bought it. GDPR is stricter still for EU recipients: you need a lawful basis, legitimate interest requires a documented balancing test, and the recipient must be told where you got their data.
The practical upshot for a US-focused team: keep a record of where each contact came from, honor deletion requests without arguing, and maintain a suppression list that every campaign checks before it sends. Opt-out and deletion requests almost always arrive as free-text replies rather than clicks, so most teams end up running them through an email parser that turns those replies into structured rows instead of letting a rep triage them by hand.
Can LinkedIn ban you for scraping?
Yes, and this is the outcome you should plan around rather than the courtroom. LinkedIn restricts accounts it believes are automated. Detection is behavioral. Scrolling a search result at inhuman speed, viewing profiles in perfectly regular intervals, running a headless browser from a cloud IP, or sending connection requests in bursts all look like exactly what they are.
Teams that operate for years without incident tend to share a few habits. They pull data at human pace rather than machine pace. They do not automate connection requests or messages inside LinkedIn itself, which is the behavior that triggers the fastest restrictions. They work from profiles that are public rather than trying to reach behind gates. And they treat LinkedIn as a source of who to contact, then move the conversation to email, which is a channel nobody can switch off.
What is the safest way to build a B2B list?
Ranked by risk, lowest first. Data you already own is safest: your CRM, past customers, event attendees, and inbound signups carry no platform contract and no sourcing ambiguity. Licensed data from a vendor such as ZoomInfo, Apollo, or Lusha shifts the sourcing question onto a company whose business is to answer it, which is a meaningful part of what the license buys. Public professional profiles viewed at human pace sit in the middle: the CFAA question is settled in your favor, the contract question is not, and the practical exposure is your account.
What all three have in common is that the list is the beginning of the work, not the end of it. Verify every address before you send, because a list assembled from any source will bounce and bounce rate is what damages your sending domain. Then write something specific enough that the recipient does not feel processed. Our guide to building a cold email list covers the mechanics, and B2B lead generation software compares the tools by which of these jobs they actually do.
How ColdMailer handles this
ColdMailer sources contacts from LinkedIn profiles and from CSVs you upload, enriches them, and verifies every address before a campaign touches it. We do not license a contact database, and we are not going to tell you that any automated interaction with LinkedIn carries zero account risk under their User Agreement, because that would be false. What we will say is that the risk people most often ask about, federal computer crime liability for reading public pages, is the one courts have most clearly narrowed.
Where the product spends its effort is the half of the job that determines whether the list was worth building: AI that writes a specific message per prospect rather than a merge tag, sending across inboxes you own so no vendor's shared reputation is between you and the inbox, and sequences that stop the moment a human replies.
The short version
Scraping public LinkedIn data is not a CFAA violation in the Ninth Circuit. It is a breach of LinkedIn's User Agreement, and that contract is what actually ended hiQ Labs. Emailing the resulting contacts is lawful in the US under CAN-SPAM if you identify yourself honestly, include a postal address, and honor opt-outs within ten business days, while CCPA and GDPR add notice and deletion duties that apply to B2B contacts too. Plan for the account ban, not the indictment, and keep a suppression list that never forgets.
Put this into practice with ColdMailer
Bring your own SMTP, let AI personalize every message, and land in the inbox, not spam. Free to start.
Keep reading
Why Are My Cold Emails Going to Spam? 9 Fixes That Work in 2026
Cold emails landing in spam usually comes down to authentication, reputation, and a few content habits. Here a...
Read articleHow Many Cold Emails Can I Send Per Day? Safe Limits for 2026
The safe cold email limit is 30 to 50 sends per day per mailbox, warmup included. Here is how to calculate you...
Read articleOwn SMTP for Cold Email: When to Use It and How to Set Up
Should you send cold email through your own SMTP instead of a vendor's pool? Here is when bring-your-own SMTP...
Read article