A Competitive Intelligence Analyst Is Instructed by Her VP to Use a Web Scraping Tool to Gather Competitor Pricing Data. The Activity Is Legal. The VP Has Authorized It. The Competitor’s Terms of Service Explicitly Prohibit Automated Data Collection. Does the Analyst Have an Obligation to Say Something Before Running the Tool?

Quick Answer

When a company-authorized competitive intelligence activity is legal but violates a competitor’s Terms of Service, does the analyst executing it have a compliance obligation — and what is it?

This is a genuinely contested question with real legal uncertainty. Web scraping of publicly accessible data has been held legal under the CFAA in hiQ Labs v. LinkedIn (9th Circuit, 2022) when no authentication is bypassed. However, violating the Terms of Service creates exposure to a civil breach of contract in some jurisdictions, and the legal landscape continues to evolve. The analyst’s obligation is not to make the legal determination — it is to flag the ToS conflict to Legal before proceeding, so the organization can make an informed decision with full awareness of the legal posture. An authorized activity with known legal uncertainty is not the same as a clearly permissible one.

The Situation

A competitive intelligence analyst at a software company has been asked by her VP of Strategy to deploy a scraping tool to systematically collect pricing, product features, and customer review data from a competitor’s public website. The competitor’s data is publicly visible — no login required, no authentication bypassed. The tool visits publicly accessible pages and extracts structured data at scale. This type of intelligence gathering is common in the industry.

Before running the tool, the analyst reads the competitor’s Terms of Service. Section 4.2 reads: “You may not use automated tools, bots, scrapers, or similar technologies to access, copy, or collect data from this site without prior written consent.” The prohibition is explicit. The analyst then checks the company’s internal competitive intelligence policy — it addresses not accessing password-protected systems or misrepresenting company identity, but does not address Terms of Service compliance for scraping publicly accessible data.

The VP wants the data by the end of the week. The analyst knows her company’s lawyers haven’t reviewed this specific ToS prohibition. She is deciding what to do in the next hour.

Choice ARun the scraping tool as instructed. The VP authorized it. The data is publicly accessible. Courts have upheld the legality of scraping public websites. The competitor’s ToS is a civil matter between companies — not a compliance issue for an individual analyst following authorized instructions.

Choice BBefore running the tool, notify the VP and Legal in writing — flagging that the competitor’s ToS explicitly prohibits automated scraping, that the company’s internal policy doesn’t address this scenario, and requesting Legal’s assessment of the civil exposure before proceeding. Offer to run the tool after Legal has confirmed the company’s position or accepted the risk.

Choice CDecline to run the tool and propose manual collection instead — collecting the same publicly available pricing and feature data through manual browsing, which is not restricted by the ToS. The data will remain the same; the method will comply with the competitor’s stated terms.

The Right Call

Choice B — Flag the ToS conflict to Legal and the VP before proceeding. Choice C is a reasonable fallback if Legal advises against the tool.

Choice A proceeds past a known legal uncertainty without routing it to the people qualified to assess it. The analyst’s observation that courts have upheld scraping legality is accurate about the CFAA analysis and incomplete about civil ToS exposure — those are different questions, and the analyst is not positioned to assess the second one alone. Choice C avoids the question entirely and may be the practical outcome, but it should follow Legal’s assessment rather than precede it — the VP and Legal deserve the opportunity to weigh in. Choice B is the right sequence: flag the uncertainty in writing, let Legal and the VP make the call with full information, and proceed (or not) based on their guidance.

VP authorization is not the same as Legal clearance — and the analyst is the only person who has read the ToS.

In most operational situations, VP authorization is sufficient to proceed. This situation is different because the analyst has read a specific legal prohibition that the VP almost certainly hasn’t seen. The authorization was given without the information the analyst now has. The trained compliance behavior is to close that information gap before proceeding, which is exactly what Choice B does. It is not a refusal to do the work. It ensures the authorization covers the actual situation.

“The legal landscape on scraping is generally favorable” is not the same as “this situation is clearly permissible.”

hiQ Labs v. LinkedIn addressed CFAA liability for scraping publicly accessible data. It did not address state-level computer access statutes, civil breach-of-contract claims arising from ToS violations, or the application of those frameworks to this specific jurisdiction and fact pattern. The difference between “courts have generally upheld scraping” and “this specific situation is legally cleared” is a Legal question — not an analyst question.

The ethical question is distinct from the legal one—and it belongs at the organizational level.

Even if Legal concludes that the civil exposure from the ToS violation is low enough to accept, the organization is still deliberately violating a business counterparty’s stated terms. Whether the organization wants to be the kind of company that knowingly violates competitors’ terms — even when it can — is a values question that belongs at an organizational level, not with the individual analyst. The compliance program’s role here is not to answer the question but to ensure it gets asked at the right level.

Is web scraping of publicly accessible data legal?

Under federal law, the 9th Circuit held in hiQ Labs v. LinkedIn (2022) that scraping publicly accessible data — data that doesn’t require authentication to access — does not constitute unauthorized access under the Computer Fraud and Abuse Act. However, state-level computer access laws vary, and civil breach of contract exposure from ToS violations is a separate analysis the individual analyst is not positioned to perform alone.

What legal exposure does violating a competitor’s Terms of Service through web scraping create?

Potential exposure includes civil breach of contract claims if the ToS constitutes a binding agreement, tortious interference claims if the scraping disrupts the competitor’s business or customer relationships, and in some jurisdictions state computer access statute violations. The materiality depends on jurisdiction, the nature of data collected, how it is used, and the specific ToS language. These are Legal questions — not operational ones.

Should compliance policies address competitive intelligence gathering methods?

Yes — and most don’t adequately address the gray area between clearly legal manual gathering and clearly prohibited hacking. A comprehensive competitive intelligence policy should address: prohibited methods (bypassing authentication, misrepresenting identity); ToS compliance expectations and the Legal review process when ToS conflicts are identified; acceptable use of third-party CI tools; and the escalation process for legal uncertainty rather than proceeding on the assumption that something is “probably fine.”

How to Use This Scenario in Training

Recommended for competitive intelligence, strategy, product, and marketing teams — and for Legal and compliance professionals building or reviewing CI policies. Most effective when run with the VP of Strategy and the analyst in the same session — the VP often doesn’t know that ToS review is a step in the CI workflow, and the scenario creates a natural conversation about what the policy should require.

This scenario demonstrates the authority and urgency rationalization from the Decision Readiness Engine™ — “the VP authorized it, and courts have upheld scraping, so I should proceed” combines two rationalizations that together create the conditions for a compliance gap. Decision-ready analysts recognize that VP authorization of an activity with unreviewed legal uncertainty is an authorization of the business goal — not a Legal clearance — and that flagging the uncertainty before proceeding is both appropriate and expected.

More Gray Area Compliance Scenarios