Instagram Terms of Service & Platform Policy on Scraping
- Instagram terms of service scraping rules are explicit: Meta's Terms say you may not access or collect data using automated means without prior permission, and Instagram's Terms ban collecting information in an automated way without express permission.
- The live
instagram.com/robots.txtI pulled in June 2026 opens with a notice that automated collection is prohibited without express written permission and ends withUser-agent: * Disallow: /. - A U.S. court (Meta v. Bright Data, Jan 2024) held the Terms do not bar logged-off scraping of public data. Meta's 2025 Terms then added language covering automated access whether or not you are logged in.
- Breaking the policy risks IP blocks, account suspension, and litigation. The routes that stay inside it are the official Instagram API (professional accounts only) or a scraper API that reads logged-out public pages for you.
I read every line of Instagram’s Terms of Use, Meta’s Terms of Service, and the live instagram.com/robots.txt before writing this, because Instagram terms of service scraping rules get paraphrased badly all over the web and the wording matters. The short version is that the policy is explicit and restrictive, a 2024 court decision carved out a narrow exception for logged-out public data, and Meta rewrote its 2025 Terms partly in response.
This guide quotes the actual clauses, separates the contract rules from the legal question, and lays out the two routes that keep you inside the policy. Every quote here comes from a primary source I checked in June 2026. I skipped the competitor summaries entirely.
What do the Instagram Terms of Service scraping rules actually say?
The Instagram Terms of Service scraping rules prohibit it by banning automated collection of data without permission, and they live in two stacked documents. Instagram runs on Meta’s Terms of Service plus Instagram’s own Terms of Use, and both carry a clause that covers scraping even though neither always uses the word.
Meta’s Terms of Service, effective January 1, 2025, state under the section on what you can do that “you may not access or collect data from our Products using automated means (without our prior permission) or attempt to access data you do not have permission to access.” Instagram inherits this because Instagram is a Meta Product. The phrase “automated means” is the operative one: a script, a headless browser, a crawler, or a scraping library all qualify.
Instagram’s Terms of Use add a second, narrower prohibition. They state: “You can’t attempt to create accounts or access or collect information in unauthorized ways. This includes creating accounts or collecting information in an automated way without our express permission.” Two ideas sit in that sentence: collecting information in an automated way, and doing it without express permission. Scraping is automated collection by definition, so absent a permission grant it falls inside the prohibition.
Here is how the two documents line up on scraping:
| Document | Operative clause | What it covers | Effective |
|---|---|---|---|
| Meta Terms of Service | ”may not access or collect data… using automated means (without our prior permission)“ | Any automated access or collection across Meta Products | January 1, 2025 |
| Instagram Terms of Use | ”collecting information in an automated way without our express permission” | Automated information collection on Instagram | Current as of June 2026 |
| Meta Platform Terms | Restricts use of Platform and Platform Data outside the granted license | Developers using Meta APIs and data | Current as of June 2026 |
The takeaway is that the prohibition is a contract term you agreed to when you made an account, which is a different thing from a law. The next section covers the policy layer that sits underneath these Terms: the Platform Policy and the robots.txt file.
What does Instagram’s platform policy and robots.txt say?
Instagram’s platform policy on scraping is stated most plainly in its robots.txt, which prohibits automated collection without express written permission. The file is the operational expression of the Terms, and it names specific crawlers it refuses. I pulled https://www.instagram.com/robots.txt live in June 2026, and it opens with this notice:
# Notice: Collection of data on Instagram through automated means is
# prohibited unless you have express written permission from Instagram
# and may only be conducted for the limited purpose contained in said
# permission.
# All authorized user-agents listed on this page must comply with Meta's
# Automated Data Collection Terms available at:
# https://www.facebook.com/legal/automated_data_collection_terms
That notice does three things. It states automated collection is prohibited by default, it ties any permitted collection to a “limited purpose” written into the permission, and it points to Meta’s Automated Data Collection Terms as the binding document for any approved crawler. The robots.txt is a policy statement here, well beyond a plain list of paths.
The directives below the notice confirm the stance. Instagram explicitly disallows a list of named bots, and then disallows everything else:
| User-agent | Directive | Effect |
|---|---|---|
Scrapy | Disallow: / | The Python scraping framework is blocked outright |
GPTBot | Disallow: / | OpenAI’s crawler is blocked outright |
ClaudeBot | Disallow: / | Anthropic’s crawler is blocked outright |
Google-Extended, Applebot-Extended | Disallow: / | AI-training crawlers blocked |
Amazonbot, Bytespider-class bots | Disallow: / | Named commercial crawlers blocked |
Googlebot, Bingbot | Selective Disallow + Allow: /places/c/ | Search indexing allowed on narrow paths only |
* (everything else) | Disallow: / | Every unlisted agent is asked to stay out |
The final block, User-agent: * Disallow: /, is the one most scrapers ignore. It asks every bot not explicitly whitelisted to crawl nothing. A handful of search and link-preview bots (Googlebot, Bingbot, Twitterbot, facebookexternalhit) get narrow allowances on profile and place paths, and even they are blocked from /ajax/, /query/, and the private publicapi endpoints. robots.txt is advisory by web convention, it does not carry the force of law on its own, and Instagram pairs it with the contractual ban and active blocking so that the request rarely succeeds anyway. That gap between what the policy forbids and what a court will enforce is the next question.
Is scraping public Instagram data against the terms?
Scraping public Instagram data is against the Terms as written, and a 2024 court decision created a narrow exception for one specific situation. The Terms make no distinction between public and private when they prohibit automated collection, so on the face of the contract, scraping a public profile still violates it. The legal picture is more nuanced.
In Meta Platforms, Inc. v. Bright Data Ltd., 2024 WL 251406 (N.D. Cal. Jan. 23, 2024), Judge Edward Chen granted summary judgment for Bright Data on Meta’s breach-of-contract claims. The court reasoned that Meta’s Terms bind “users,” that a person stops being a user when they log out or close an account, and that logged-off scraping of public data therefore falls outside the contract. As legal analysts summarized it, the Facebook and Instagram Terms do not bar logged-off scraping of public data, and so they do not prohibit the sale of such public data either. The decision sat alongside the earlier hiQ Labs v. LinkedIn line, where the Ninth Circuit held that scraping public data likely does not violate the Computer Fraud and Abuse Act.
Meta responded in its contract language. The 2025 Terms of Service version I quoted above now reaches automated access “regardless of whether such automated access or collection is undertaken while logged-in to a Facebook account,” which is a direct attempt to close the logged-out gap the Bright Data court relied on. Whether that revised wording survives the same reasoning is untested.
The distinction that actually controls your risk looks like this:
| Scenario | Terms position | Court signal (US) |
|---|---|---|
| Scraping while logged in to an account | Clear breach of Terms | Breach likely enforceable; account relationship exists |
| Logged-off scraping of public data | Prohibited by 2025 Terms wording | Bright Data: pre-2025 Terms did not bar it |
| Accessing private or login-gated data | Breach plus potential CFAA exposure | Bypassing a login is the classic CFAA risk |
| Collecting personal data of EU residents | Breach plus GDPR duties | Regulators treat scraped personal data as in-scope |
US contract and CFAA outcomes are one layer. Data-protection law is a separate one, and it bites hardest on personal data, which most Instagram fields are. The enforcement section covers what Instagram and regulators actually do.
What happens if you scrape Instagram against its policy?
Scraping Instagram against its policy triggers technical enforcement first and legal enforcement second. The technical layer is what you hit on day one: rate limits, IP blocks, device fingerprint blocks, action blocks, and on logged-in accounts, suspension or permanent disable. Instagram’s anti-automation systems are tuned to spot non-human request patterns, and a datacenter IP running a fast crawl gets throttled or blocked quickly.
The legal layer is slower and heavier. Meta has a documented history of suing scraping operators, and it has won injunctions and settlements forcing companies to stop and delete data. The contract breach is the usual hook, and where a login is bypassed, the CFAA can come into play.
Regulators add a third front that catches people by surprise. Ireland’s Data Protection Commission, Meta’s lead EU privacy regulator, fined Meta 265 million euros on November 28, 2022 after a data-scraping inquiry into a leak of personal data from up to 533 million Facebook users. The DPC found breaches of GDPR Article 25 on data protection by design and default. The lesson for anyone collecting Instagram data is that scraped personal data is regulated data, and EU rules on lawful basis, transparency, and data subject rights apply to the party holding it.
The exposures stack on top of each other:
| Enforcement type | Who acts | Typical consequence |
|---|---|---|
| Rate limiting and blocks | Instagram automated systems | Throttled, then IP or device blocked |
| Account action | Action block, suspension, permanent disable | |
| Civil litigation | Meta | Injunction, damages, mandated deletion |
| Data-protection enforcement | EU regulators (DPC) | Fines under GDPR, corrective orders |
None of this means data collection from Instagram is off the table. It means the method matters. The routes that stay inside the policy are the official API and a logged-out public-page approach, both covered next.
What is the compliant way to access Instagram data?
The compliant way to access Instagram data is Instagram’s official API, which grants permissioned access to professional accounts under defined scopes and rate limits. Meta deprecated the older Instagram Basic Display API on December 4, 2024 and replaced it with the Instagram API with Instagram Login, a Graph-based API that serves business and creator accounts. The official API is the only route that comes with express permission built in, which is exactly what the Terms and robots.txt require.
The official API has real limits, and they are the reason people look elsewhere. It is scoped to accounts you own or that authorize your app, it does not expose arbitrary public profiles in bulk, and it gates the richest data behind App Review and a business connection. For collecting public data across many accounts you do not control, the official API does not fit.
That is where a scraper API that reads logged-out public pages comes in. It requests the same pages any signed-out visitor can load, parses them, and returns structured JSON, so you are not running automation against Instagram from your own infrastructure or holding an account that is bound by the logged-in clause. In my testing of ChocoData, a single authenticated request returned a public profile as clean JSON without an app review or a proxy pool. The request is a plain GET with your API key as a query parameter:
curl "https://chocodata.com/api/v1/instagram/profile?username=nasa&api_key=$CHOCO_API_KEY"
The Python version is the same shape and loads straight into your own storage:
import requests
resp = requests.get(
"https://chocodata.com/api/v1/instagram/profile",
params={"username": "nasa", "api_key": "YOUR_CHOCO_API_KEY"},
timeout=30,
)
profile = resp.json()["data"]
print(profile["username"], profile.get("followers"), profile.get("biography"))
This reads a public profile the way a logged-out browser would, which keeps you clear of the logged-in account relationship the 2025 Terms lean on, though the automated-collection prohibition still applies as a contract matter and you remain responsible for how you use any personal data you receive. You can get an API key on the ChocoData sign-up page and swap it into the snippet. For pulling contact fields from public business profiles, the Instagram email and lead scraper endpoint returns the same shape, and the Instagram profile scraper endpoint covers account-level fields.
How the three routes compare on the things that decide which you pick:
| Route | Permission model | Covers public accounts you don’t own | Main constraint |
|---|---|---|---|
| Official Instagram API (with Login) | Express, scope-based | No | Professional accounts and App Review only |
| Logged-out scraper API (ChocoData) | Reads public pages a visitor sees | Yes | Contract prohibition and data-use duties remain |
| Self-built scraper | None | Yes, until blocked | Blocks, account bans, full legal exposure |
The route you choose sets your compliance posture before you collect a single record. The practical checklist below turns that into steps.
How do you stay compliant when collecting Instagram data?
You stay compliant by matching your method to the rules in the Terms, the robots.txt, and data-protection law, in that order. Compliance here is not a single switch, it is a set of choices about which data, which route, and what you do with the result. Here is the checklist I work through before any Instagram collection project.
- Read the current Terms and robots.txt yourself. They change. The 2025 Meta Terms added the logged-in clause that did not exist when Bright Data was decided, and the robots.txt notice ties any permission to a “limited purpose.”
- Use the official API for accounts you own or that authorize you. The Instagram API with Instagram Login is the permissioned path, and it carries the express grant the policy demands.
- Stay on logged-out public data for anything else. The Bright Data reasoning turned on the absence of an account relationship. Logging in to scrape removes that protection.
- Treat scraped personal data as regulated. If you collect data on EU residents, GDPR obligations on lawful basis, transparency, and retention apply to you, as the DPC’s 265 million euro decision underlines.
- Avoid login-gated and private data entirely. Bypassing a login is the conduct most likely to draw a CFAA claim in the US.
- Throttle and cache. Aggressive request rates get you blocked and make a borderline collection look worse on the record.
For the legal background in depth, including the CFAA and the public-data case law, I walk through it in is scraping Instagram legal. The practical side of staying unblocked is in my guide on how to avoid getting blocked scraping Instagram, and the end-to-end methods are in how to scrape Instagram data. The policy is strict, the case law is moving, and the safest path is to pick a permissioned or logged-out route and document why you chose it.
FAQ
Does Instagram's terms of service prohibit scraping?
Yes. Meta's Terms of Service state you may not access or collect data from its Products using automated means without prior permission, and Instagram's Terms of Use separately prohibit collecting information in an automated way without express permission. The prohibition is a contract term, so it binds anyone who holds or held an Instagram account and agreed to the Terms. It is a separate question from whether scraping is illegal, which depends on the data and the jurisdiction.
What does Instagram's robots.txt say about scraping?
Instagram's robots.txt opens with a notice that collection of data through automated means is prohibited unless you have express written permission from Instagram, and it links to Meta's Automated Data Collection Terms. It then disallows named crawlers including Scrapy, GPTBot, and ClaudeBot with Disallow: /, and closes with a catch-all User-agent: * Disallow: / that asks every other unlisted bot to stay out. I pulled the file live in June 2026 and quote it in full below.
Is scraping public Instagram data against the terms of use?
Under the Terms, collecting any Instagram data by automated means without permission is prohibited, public or not. A U.S. court reached a narrower contract result in Meta v. Bright Data in January 2024, finding the Terms did not bar logged-off scraping of public data by a party with no active account. Meta updated its 2025 Terms to state the automated-access restriction applies whether or not you are logged in to an account.
What happens if you scrape Instagram against its policy?
Instagram enforces its scraping policy with rate limits, IP and device blocks, action blocks, and account suspension or termination, and Meta has sued scraping operators. Regulators have also acted on scraped Instagram and Facebook data: Ireland's Data Protection Commission fined Meta 265 million euros in November 2022 over a data-scraping inquiry. The compliance risk sits on both the operator collecting data and the platform exposing it.
What is the compliant way to get Instagram data?
The compliant route is the official Instagram API with Instagram Login (the Graph-based API that replaced the Basic Display API in December 2024), which serves professional accounts under permission scopes and rate limits. For logged-out public pages, a scraper API that reads what any visitor can see returns parsed JSON without you running automation against Instagram directly. I show both shapes, including a ChocoData request, in the routes section.