PrivacyForgeSign In
Back to Blog

Web Scraping and GDPR: 2026 Rules for eCommerce AI

The EDPB's new draft guidelines set the GDPR rules for scraping reviews, UGC, and web data to train eCommerce AI. Here is what stores must do before scraping.

PFMariyan ValevJul 14, 2026 · 11 min read
RegulationRegulation

Key Takeaways

  • The EDPB adopted its draft Guidelines 03/2026 on web scraping for generative AI on 7 July 2026, opening them for public consultation until 30 October 2026 — they signal how EU regulators will judge AI training data, but they are not yet final law.
  • The GDPR applies to web scraping whenever it involves personal-data operations "such as collection, storage, organisation and retrieval" — and product reviews, forum posts, and social UGC almost always contain personal data.
  • Legitimate interest under Article 6(1)(f) is the usual lawful basis for AI-training scraping, but the EDPB requires three cumulative conditions to be met and documented — "publicly available" is not itself a lawful basis.
  • If your scrape sweeps up special-category data (health, political views, religion), you need an Article 9(2) exception on top of your Article 6 basis, and the EDPB says there is no general exemption.
  • The same opt-out signals you would want scrapers to respect on your own storefront — robots.txt, ai.txt, CAPTCHA — are the signals the EDPB says you must respect when you scrape others.

Introduction

Your growth team wants to fine-tune a product-description model on ten thousand competitor reviews scraped last quarter. Marketing wants to feed scraped social posts into a sentiment tool. Somebody has already pointed a price-monitoring bot at three marketplaces. None of them asked whether any of that is legal under the GDPR — because "it's public, so it's fair game" has been the unspoken rule of eCommerce data collection for years.

On 7 July 2026, the European Data Protection Board (EDPB) put that assumption in writing and rejected it. Its new draft guidelines on web scraping for generative AI spell out when scraping is lawful, what you must document first, and which sources you have to leave alone. This guide translates them into a storefront-level playbook.

What the EDPB's new web scraping guidelines actually say

The EDPB adopted Guidelines 03/2026 on web scraping in the context of generative AI as Version 1.0 on 7 July 2026, "for public consultation" — meaning this is a draft open for comment until 30 October 2026, not settled law. It was one of three documents from the same 8 July plenary, alongside new anonymisation guidelines and a final version of the blockchain guidelines.

The guidelines are limited to scraping by private entities, and — importantly for merchants — they cover scraping you do yourself and scraping you have "another party" do under contract. Hiring an agency to scrape does not move the legal risk off your books.

The core message, in the EDPB's framing, is blunt: web scraping is "a large-scale processing activity" that "often occurs without data subjects being aware of it," and the GDPR applies to it whenever it includes personal-data operations "such as collection, storage, organisation and retrieval." Trade coverage summarised the plenary as the EDPB refusing to let AI builders wave through "consent" or "it was public" as a blanket justification.

Does GDPR apply when your store scrapes web data?

Yes — the GDPR applies to your scraping the moment it collects personal data, regardless of whether that data was publicly visible. The EDPB is explicit that public availability does not remove GDPR protection: collection, storage, and retrieval of personal data are all regulated processing, and most scraped web sources contain personal data.

The sources you are most likely to scrape are full of personal data

The guidelines name the usual scraping targets — "public registers, open-data portals, news outlets, social media, discussions' forums, and personal websites ('blogs')" — and warn that "many of these websites are likely to contain personal data." Translate that to eCommerce and the picture is unambiguous:

  • Competitor and marketplace reviews carry reviewer names, usernames, profile links, and purchase context — personal data, even when the reviewer chose to post publicly.
  • Social UGC you scrape for sentiment or trend analysis identifies the people who posted it.
  • Q&A threads and forums you mine to train a support chatbot are conversations between identifiable people.

Pure price data ("this SKU costs €39.99 at competitor X") is generally not personal data. The moment a name, handle, or profile rides along with it, you are processing personal data and the rest of this guide applies.

The reviews-and-UGC trap: special-category data

Here is the part most merchants miss. The EDPB states that processing special categories of personal data is "in principle prohibited," and that scraping which entails it needs "a derogation in Article 9(2) GDPR... in addition to a lawful basis in Article 6 GDPR." Article 9 covers data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health, sex life, and sexual orientation.

Reviews leak this constantly: a supplement review that mentions a medical condition, a fashion review that reveals religious dress, a beauty review that discloses a pregnancy. You did not go looking for health data, but you collected it. The EDPB's position is that "there is no general exemption from the requirements of Art. 9 GDPR and each case must be assessed individually." For incidental collection like this, it points to the CJEU's ruling in GC & Others (C-136/17) and expects controllers to put technical and organisational measures in place to prevent both the collection and the spread of such data.

Legitimate interest (Article 6(1)(f)) is the lawful basis the EDPB expects most private-entity AI-training scrapes to rely on — asking millions of scraped individuals for consent is rarely feasible. But the EDPB is clear that legitimate interest is a test you must pass and document, not a default you assume.

The three-part test you have to pass

To rely on Article 6(1)(f), the EDPB says three cumulative conditions must be met:

  1. A legitimate interest is pursued by you or a third party (for example, building a product-recommendation model).
  2. Necessity — the personal-data processing is genuinely needed for that interest, with no less-intrusive route available.
  3. The balancing test — your interest is not overridden by the "interests or fundamental rights and freedoms of the data subject." Article 6(1)(f) itself flags this "in particular where the data subject is a child."

The EDPB adds a practical lever: as part of the balancing test, you can adopt technical and organisational measures to mitigate the risks your scraping creates, which strengthens your case. This is where the honest answer to "consent or legitimate interest?" lands: for large-scale AI-training scrapes, consent is usually unworkable and legitimate interest is the realistic basis — but only if you have written down all three conditions before you scrape. If you cannot articulate the necessity and survive the balancing test on paper, that is a signal to narrow the scrape or use synthetic or first-party data instead. The [broader GDPR-versus-AI tension](/resources/blog/ai-gdpr-compliance-challenges) is the same story: the law does not ban AI, it asks you to justify the data.

The ai.txt and robots.txt opt-out cuts both ways

The EDPB tells scrapers to "exclude from the collection websites which clearly oppose the scraping of their content, through the use of technical measures, such as... robots.txt or ai.txt files, or CAPTCHA." For an eCommerce operator, that single sentence has two sides.

As a scraper: if a site you want to harvest publishes a robots.txt or ai.txt directive against scraping, or gates content behind a CAPTCHA, the EDPB's position is that you should leave it alone. Ignoring those signals weakens any legitimate-interest claim and reads as bad faith.

As a target: your own storefront's reviews, catalogue, and Q&A are exactly the kind of content AI builders scrape. The same opt-out tools the EDPB endorses — a robots.txt or ai.txt policy, authentication, CAPTCHA — are how you register that you oppose it. It will not stop every bad actor, but it establishes your objection in the terms regulators now recognise.

Do you have to tell people you scraped their data?

Usually yes, but not always individually. The GDPR's transparency duty (Article 14) requires informing people when you collect their data indirectly — but Article 14(5)(b) relieves you of individual notice where providing it "proves impossible or would require disproportionate effort." The EDPB confirms this can apply to large-scale scraping.

That relief is not automatic. The EDPB says the disproportionate-effort assessment must be made "with regard to the dataset as a whole and not on every single piece of personal data," weighing the effort against the impact on people, and taking into account "the number of data subjects, the age of the data, [and] any appropriate safeguards adopted." And even when you rely on the exemption, Article 14(5)(b) still requires "appropriate measures to protect the data subject's rights... including making the information publicly available" — a clear, findable privacy notice describing the scraping and the model it feeds.

A practical checklist for merchants who scrape

If your store scrapes web data to train or feed an AI system, work through this before the next collection run:

  1. Map what you actually collect. The EDPB recommends "undertaking a data mapping and inventory process." Record every source, what personal data comes with it, and where it flows — the foundation of a defensible [record of processing activities](/resources/blog/data-mapping-101-how-to-build-a-record-of-processing-activities).
  2. Write the legitimate-interest assessment first. Document the interest, the necessity, and the balancing test. If you cannot, do not scrape that source.
  3. Minimise at the point of collection. The EDPB suggests defining "precise collection criteria," applying "filters to exclude the collection of certain categories of data," and using "syntax-based filtering mechanisms (e.g. regular expressions)" to strip data identifiable by format.
  4. Respect opt-outs. Skip sources that signal refusal through robots.txt, ai.txt, authentication, or CAPTCHA.
  5. Protect against special-category data. Add filters and organisational measures to catch and drop Article 9 data before it enters training.
  6. Guard accuracy. The EDPB recommends you "scrape from reliable sources, timestamp the data and validate the data before using them in AI training."
  7. Prefer safer inputs where you can. The guidelines float "using synthetic data instead of personal data" and, where feasible, [anonymising or pseudonymising](/resources/blog/gdpr-anonymisation-guidelines-2026-ecommerce) — the surest way to shrink your exposure is to train on data that is not personal in the first place.
  8. Publish the notice. Even under the disproportionate-effort exemption, make transparency information publicly available.

Common mistakes to avoid

The mistakes here are ranked worst-first, because they are not equally dangerous.

  • Treating "publicly available" as a lawful basis. This is the costliest error. Public visibility is not one of the six Article 6 bases; you still need legitimate interest and its three-part test. A scrape built on "it was already public" has no legal footing.
  • Assuming your vendor's contract insulates you. The guidelines cover scraping done "by contracting another party," and say controllership "should be analysed on a case-by-case basis." Outsourcing the bot does not outsource the liability.
  • Ignoring incidental special-category data. You will collect health and belief data from reviews whether you meant to or not. No Article 9 filter means no Article 9 exception — and that processing is prohibited by default.
  • Skipping transparency because the exemption "obviously" applies. Disproportionate effort is a documented balancing exercise, not a shrug. If you never assessed it and never published a notice, you cannot lean on it later.

If you deploy an AI tool trained on scraped data

Most merchants are not the scraper — they buy the AI. If you deploy a third-party product-copy generator, chatbot, or recommendation engine that was trained on scraped data, you are still a controller for how you use it, and the EDPB's case-by-case controllership analysis can pull you in. Ask the vendor, in writing, what lawful basis they relied on for their training data, whether they filtered special-category data, and whether they honoured scraping opt-outs. Fold that into your data processing agreement and your AI-governance records. Under the [EU AI Act's transparency rules](/resources/blog/eu-ai-act-article-50-ecommerce-transparency), you also owe your own customers disclosure when they interact with that AI — the sourcing question and the disclosure question travel together.

How PrivacyForge Helps

Web-scraping compliance is really three familiar problems wearing a new hat: knowing what data you hold, documenting a lawful basis, and governing your AI. PrivacyForge's data-mapping tools give you the source-by-source inventory the EDPB now expects, so a scraped-data pipeline is not a blind spot. The compliance-scoring and lawful-basis records help you capture the three-part legitimate-interest assessment before you collect, rather than reconstructing it under pressure. And the AI-governance workspace lets you register each model, its training-data provenance, and the vendor answers behind it — turning "we think our AI tool is fine" into evidence you can show a regulator. None of it scrapes for you; it keeps the scraping you do accountable.

Frequently Asked Questions

Is web scraping legal under GDPR?

Web scraping is legal under the GDPR only when it meets the same rules as any other processing of personal data. The EDPB's draft Guidelines 03/2026, adopted 7 July 2026, confirm the GDPR applies whenever scraping involves collecting, storing, or retrieving personal data — public availability does not exempt it. You need a valid lawful basis and must respect minimisation, transparency, and special-category rules.

Do I need consent to train AI on scraped data?

Usually not consent, but you still need a lawful basis. The EDPB expects most private-entity AI-training scrapes to rely on legitimate interest under Article 6(1)(f), because obtaining consent from millions of scraped individuals is rarely feasible. Legitimate interest requires meeting and documenting three cumulative conditions — a legitimate interest, necessity, and a balancing test that your interest does not override people's rights.

Can I scrape competitor reviews for my eCommerce store?

Scraping competitor reviews means processing personal data, because reviews carry reviewer names, usernames, and profiles. You need a documented lawful basis (typically legitimate interest), you must filter out special-category data such as health details that reviews often reveal, and you must respect any robots.txt, ai.txt, or CAPTCHA opt-out the source uses. Pure price data without personal identifiers is treated differently.

How do I stop AI companies from scraping my product reviews?

Signal your objection with the technical measures the EDPB tells scrapers to respect: a robots.txt or ai.txt directive against scraping, content authentication, and CAPTCHA on sensitive pages. These will not stop every bad actor, but under the draft guidelines a documented refusal is something compliant scrapers are expected to honour, and it strengthens any later complaint.

Are the EDPB web scraping guidelines final?

No. The EDPB adopted Guidelines 03/2026 as Version 1.0 on 7 July 2026 "for public consultation," open until 30 October 2026, so the text may change before a final version. Treat them as a strong signal of how EU regulators will assess AI-training data now — and build your practices to meet them — rather than as settled, unchangeable law.

Conclusion

The era of "it was public, so we scraped it" is closing. The EDPB's draft guidelines do not ban eCommerce AI, and they do not make legitimate interest impossible — but they turn scraping from a quiet technical task into a documented decision: what you collect, why you are allowed to, what you filter out, and which opt-outs you honour. The stores that win are the ones that write that down before the next collection run, not after a regulator asks. Start with a data map of every scraped source feeding your AI, and build the lawful-basis record around it.

This article is informational content, not legal advice. The EDPB guidelines discussed are in draft consultation until 30 October 2026; consult a qualified data protection professional for your specific circumstances.

Sources

  • [EDPB, Guidelines 03/2026 on web scraping in the context of generative AI (Version 1.0, adopted 7 July 2026)](https://www.edpb.europa.eu/system/files/2026-07/edpb_guidelines_2020603_webscraping_v1_en_0.pdf)
  • [EDPB news, "EDPB sheds light on anonymisation and web scraping for generative AI" (8 July 2026)](https://www.edpb.europa.eu/news/edpb-sheds-light-on-anonymisation-and-web-scraping-for-generative-ai-and-adopts-final-version_en)
  • [GDPR Article 6 — Lawfulness of processing](https://gdpr-info.eu/art-6-gdpr/)
  • [GDPR Article 9 — Processing of special categories of personal data](https://gdpr-info.eu/art-9-gdpr/)
  • [GDPR Article 14 — Information to be provided where personal data have not been obtained from the data subject](https://gdpr-info.eu/art-14-gdpr/)