I have recently built a scraper that could collect user information from a variety of social media platforms, these include: Instagram, Twitter and Nextdoor.

The information provided to me are the following:

  1. Profile/Persons name
  2. Location
  3. Posts
  4. Other people in association with the user

What are my legal rights in advertising this information for marketing uses such as statistics on users?

Otherwise, what consequences may I face if I do so?

  • I don't know enough to offer an answer but this sounds very much like GDPR processing
    – user35069
    Commented Mar 16, 2022 at 13:52
  • @Rick There are other Data Protection laws, the GDPR is only one such law. Any might be relevant depending on jurisdiction. More than one might well apply.
    Commented Apr 15, 2022 at 18:42

2 Answers

As Rick mentioned in comments this would most definitely be considered processing of personally identifiable information (PII) under the UK GDPR.

You mention "advertising" and "marketing purposes" so it's pretty clearly not for your own personal household/family use and that means you would have to comply with the GDPR.

That means you're going to need what's called a "Lawful Basis" for processing this data. There's six different ones:

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

(d) Vital interests: the processing is necessary to protect someone’s life.

(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

You haven't provided enough information for me to hazard a guess at what your basis would be, but the ICO has an on-line tool which would give you a starting point.

It's a very good idea to make sure you have all your i's dotted and all your t's crossed before you start processing any PII, and that includes documenting the process.

Otherwise, what consequences may I face if I do so?

In some ways the consequences of non-compliance are "what have you done?" coupled with "how much have you got?": the maximum penalty is £17.5m or 4% of your annual turnover (whichever is greater), and fines issued under the UK GDPR to date have ranged from mere pocket change to almost enough to buy a tank of petrol.

Widen it to the EU and a small property owners' association got a €500 slap on the wrist while Amazon managed to net themselves a €746m fine.

  • I'd also hazard a guess that in scraping some of that data, that you are most likely breaking the TOS of the various websites. I'm not sure if this falls under "(a) Consent" of your checklist.
    – Peter M
    Commented Mar 16, 2022 at 16:55
  • The consent involved is the consent of the DS. But a TOS violation might well be a breach of contract, which could lead to separate damages.
    Commented Apr 15, 2022 at 18:50
  • Note that "this would most definitely be considered processing of personally identifiable information" is contingent on there being personal data (per the Article 4(1) definition) which might be the case if the profile name or posts contain a real name or other information which can identify the data subject, but equally might not be the case if they do not. With that said, it's probably safe to assume that large scale automated scraping would pull in some personal data.
    – JBentley
    Commented May 16, 2022 at 10:09
  • The link under "pocket change" is broken.
    – User65535
    Commented Sep 12, 2022 at 17:06
  • @User65535 Strange.. I just tried it and it works fine for me.
    Commented Sep 12, 2022 at 17:12


As the answer by motosubatsu mentioned, a person or firm (entity) doing this that is located in the UK would be subject to the UK-GDPR. Also, an entity doing this that targets residents of the EU would be subject to the EU-GDPR. The two laws are currently identical except for the substitution of "UK" for "EU" and other needed substitutions to make the modified law apply to the UK, not to the EU.

The entity collecting this information by scraping and then offering it for sale would be a Data Controller (DC) under either version of the GDPR.

This means that a lawful basis is required, as was explained by user motosubatsu. In addition:

  • Under paragraphs 1 and 2 of Article 14 the DC must provide a notice to the Data Subject (DS), which means the natural person whose data has been obtained. This notice must include:
    • the identity and the contact details of the controller and, where applicable, of the controller’s representative; the contact details of the data protection officer, where applicable; the right to request access, modification, or erasure of the data; the right to complain to a supervising Data Authority (DA) and the contact details of that authority;
    • the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
    • the categories of personal data concerned;

and various other information about the DC and the data collected, including who (or what kind(s) of entity) the DC intends to transfer the data to; how long the data will be retained; and any intent to transfer the data to entities located in other countries.

Such a notice must be sent "as soon as reasonable" but no later than within one month from the date that the data is collected, and no later than when any such data is transferred to another entity, such as by being sold.

Under Article 12 the notice required by Article 14 (and all other communications with the DS) must be:

in a concise, transparent, intelligible and easily accessible form, using clear and plain language

  • Under Article 15 the DC must provide the DS with the right to access the data, free of charge, and a means to make access requests, unless an exception applies.

  • Under Article 16 the DC must provide the DS with the right to request correction of the data, free of charge, and a means to make such requests, unless an exception applies.

  • Under Article 17 the DC must provide the DS with the right to request deletion of the data, free of charge, and a means to make such requests, unless an exception applies.

Other rights under the GDPR will also apply.

Failing to grant any of these can subject the DC to a penalty, determined by the relevant DA.

  • (1) The full text of the UK GDPR can be viewed here which may be more convenient than making mental adjustments while reading the EU GDPR. (2) "The two laws are currently identical except for the substitution of "UK" for "EU" and other needed substitutions to make the modified law apply to the UK, not to the EU" - but note also that the Data Protection Act 2018 contains rules which extend and/or modify the UK GDPR in some scenarios (which in a sense makes it less "identical" to the EU GDPR to which the DPA no longer applies).
    – JBentley
    Commented May 16, 2022 at 10:12