A joint statement signed by regulators at a dozen international privacy watchdogs, including the U.K.’s ICO, Canada’s OPC and Hong Kong’s OPCPD, has urged mainstream social media platforms to protect users’ public posts from scraping — warning they face a legal responsibility to do so in most markets.

“In most jurisdictions, personal information that is ‘publicly available’, ‘publicly accessible’ or ‘of a public nature’ on the internet, is subject to data protection and privacy laws,” they write. “Individuals and companies that scrape such personal information are therefore responsible for ensuring that they comply with these and other applicable laws. However, social media companies and the operators of other websites that host publicly accessible personal information (SMCs and other websites) also have data protection obligations with respect to third-party scraping from their sites. These obligations will generally apply to personal information whether that information is publicly accessible or not. Mass data scraping of personal information can constitute a reportable data breach in many jurisdictions.”The timing of the statement, which was also signed by privacy regulators in Australia, Switzerland, Norway, New Zealand, Colombia, Jersey, Morocco, Argentina and Mexico — who are all members of the Global Privacy Assembly’s international enforcement cooperation working group — coincides with the ongoing hype around generative AI models which typically require large amounts of data for training and could encourage more entities to scrape the Internet in a bid to acquire data-sets jump on the generative AI bandwagon.

High profile examples of such systems, such as OpenAI’s large language model ChatGPT, have relied (at least in part) upon data posted online for training their systems — and a class action lawsuit filed against the U.S. company in June, which CNN Business reported on, alleges it secretly scraped “massive amounts of personal data from the internet”.Among the privacy risks the regulators highlight is the use of data scraping for targeted cyberattacks such as social engineering and phishing; identity fraud; and for the monitoring, profiling and surveilling of individuals, such as using data to populate facial recognition databases and provide unauthorised access to authorities — a clear swipe at Clearview AI, which has faced a number of enforcements from international regulators (including several across the EU) over its use of scraped data to power a facial recognition ID tool which it sold to law enforcement and other users.

They also warn scraped data can be used for unauthorised political or intelligence gathering purposes — including by foreign governments or intelligence agencies. And be used to pump out unwanted direct marketing or spam.

They don’t directly cite the training of AI models as one of these “key” privacy risks but generative AI tools which have been trained on people’s data without their knowledge or consent could be repurposed for a number of the malicious use cases they cite, including to impersonate people for targeted cyberattacks, identity fraud, or to monitor/surveil individuals.As well as the statement being made public, the regulators note that a copy has been sent directly to YouTube’s parent company, Alphabet; TikTok’s parent ByteDance; Meta (owner of Instagram, Facebook and Threads); Microsoft (LinkedIn); Sina Corp (Weibo); and X (aka, the platform previously known as Twitter) — so mainstream global social media platforms are clearly front-and-center as the international watchdogs consider the privacy risks posed by data scraping.

Some platforms have of course already had major data scandals linked to data scraping — such as the 2018 Cambridge Analytica data misuse scandal which hit Facebook after a developer on its platform was able to extract data on millions of users without their knowledge or consent as a result of lax permissions the company applied; or the $275 million General Data Protection Regulation (GDPR) penalty Facebook was handed last year in relation to a data scraping incident that affected 530 million users as a result of insecure product design. (The latter incident is also subject to a lawsuit by an Irish digital rights group that’s challenging the DPA’s enforcement finding that there was no security breach.)While the regulators’ joint statement contains a clear shot across the bows of mainstream social media site on the need to be proactive about protecting users’ information from scraping, there is no commensurately clear warning accompanying the message that failure to act and protect people’s data will result in enforcement action — which does risk diluting the statement’s impact somewhat.

Instead, the watchdogs urge platforms to “carefully consider the legality of different types of data scraping in the jurisdictions applicable to them and implement measures to protect against unlawful data scraping”.

“Techniques for scraping and extracting value from publicly accessible data are constantly emerging and evolving. Data security is a dynamic responsibility and vigilance is paramount,” they also write. “As no one safeguard will adequately protect against all potential privacy harms associated with data scraping, SMCs and other websites should implement multi-layered technical and procedural controls to mitigate the risks.”Recommended measures to limit the risks of user data being scraped that are mentioned in the letter include having designated in-house team/roles focused on data scraping risks; ‘rate limiting’ the number of visits per hour or day by one account to other account profiles and limiting access if unusual activity is detected; and monitoring how quickly and aggressively a new account starts looking for other users and taking steps to respond to abnormal activity.

They also suggest platforms take steps to detect scrapers by identifying patterns in bot activity — such as having systems to spot suspicious IP address activity.

Taking steps to detect bots such as deploying CAPTCHAs and blocking IP address where data scraping activity is identified is another recommendation (albeit bots can solve CAPTCHAs so that piece of advice is already looking outdated).Other recommended measures is for platforms to take appropriate legal action against scrapers, such as sending of ‘cease and desist’ letters; requiring the deletion of scraped information; obtaining confirmation of the deletion; and taking other legal action to enforce terms and conditions prohibiting data scraping.

Platforms may also have a requirement to notify affected individuals and privacy regulators under existing data breach laws, the watchdogs warn.

The social media giants who were sent a copy of the letter are being encouraged to respond with feedback within a month demonstrating how they will meet regulators’ expectations.