~ / guides / Instagram Terms of Service & Platform Policy on Scraping

Instagram Terms of Service & Platform Policy on Scraping

LH
Lena Hoff
Instagram data engineer · about the author
the short version
  • Instagram terms of service scraping rules are explicit: Meta's Terms say you may not access or collect data using automated means without prior permission, and Instagram's Terms ban collecting information in an automated way without express permission.
  • The live instagram.com/robots.txt I pulled in June 2026 opens with a notice that automated collection is prohibited without express written permission and ends with User-agent: * Disallow: /.
  • A U.S. court (Meta v. Bright Data, Jan 2024) held the Terms do not bar logged-off scraping of public data. Meta's 2025 Terms then added language covering automated access whether or not you are logged in.
  • Breaking the policy risks IP blocks, account suspension, and litigation. The routes that stay inside it are the official Instagram API (professional accounts only) or a scraper API that reads logged-out public pages for you.

I read every line of Instagram’s Terms of Use, Meta’s Terms of Service, and the live instagram.com/robots.txt before writing this, because Instagram terms of service scraping rules get paraphrased badly all over the web and the wording matters. The short version is that the policy is explicit and restrictive, a 2024 court decision carved out a narrow exception for logged-out public data, and Meta rewrote its 2025 Terms partly in response.

This guide quotes the actual clauses, separates the contract rules from the legal question, and lays out the two routes that keep you inside the policy. Every quote here comes from a primary source I checked in June 2026. I skipped the competitor summaries entirely.

What do the Instagram Terms of Service scraping rules actually say?

The Instagram Terms of Service scraping rules prohibit it by banning automated collection of data without permission, and they live in two stacked documents. Instagram runs on Meta’s Terms of Service plus Instagram’s own Terms of Use, and both carry a clause that covers scraping even though neither always uses the word.

Meta’s Terms of Service, effective January 1, 2025, state under the section on what you can do that “you may not access or collect data from our Products using automated means (without our prior permission) or attempt to access data you do not have permission to access.” Instagram inherits this because Instagram is a Meta Product. The phrase “automated means” is the operative one: a script, a headless browser, a crawler, or a scraping library all qualify.

Instagram’s Terms of Use add a second, narrower prohibition. They state: “You can’t attempt to create accounts or access or collect information in unauthorized ways. This includes creating accounts or collecting information in an automated way without our express permission.” Two ideas sit in that sentence: collecting information in an automated way, and doing it without express permission. Scraping is automated collection by definition, so absent a permission grant it falls inside the prohibition.

Here is how the two documents line up on scraping:

DocumentOperative clauseWhat it coversEffective
Meta Terms of Service”may not access or collect data… using automated means (without our prior permission)“Any automated access or collection across Meta ProductsJanuary 1, 2025
Instagram Terms of Use”collecting information in an automated way without our express permission”Automated information collection on InstagramCurrent as of June 2026
Meta Platform TermsRestricts use of Platform and Platform Data outside the granted licenseDevelopers using Meta APIs and dataCurrent as of June 2026

The takeaway is that the prohibition is a contract term you agreed to when you made an account, which is a different thing from a law. The next section covers the policy layer that sits underneath these Terms: the Platform Policy and the robots.txt file.

What does Instagram’s platform policy and robots.txt say?

Instagram’s platform policy on scraping is stated most plainly in its robots.txt, which prohibits automated collection without express written permission. The file is the operational expression of the Terms, and it names specific crawlers it refuses. I pulled https://www.instagram.com/robots.txt live in June 2026, and it opens with this notice:

# Notice: Collection of data on Instagram through automated means is
# prohibited unless you have express written permission from Instagram
# and may only be conducted for the limited purpose contained in said
# permission.
# All authorized user-agents listed on this page must comply with Meta's
# Automated Data Collection Terms available at:
# https://www.facebook.com/legal/automated_data_collection_terms

That notice does three things. It states automated collection is prohibited by default, it ties any permitted collection to a “limited purpose” written into the permission, and it points to Meta’s Automated Data Collection Terms as the binding document for any approved crawler. The robots.txt is a policy statement here, well beyond a plain list of paths.

The directives below the notice confirm the stance. Instagram explicitly disallows a list of named bots, and then disallows everything else:

User-agentDirectiveEffect
ScrapyDisallow: /The Python scraping framework is blocked outright
GPTBotDisallow: /OpenAI’s crawler is blocked outright
ClaudeBotDisallow: /Anthropic’s crawler is blocked outright
Google-Extended, Applebot-ExtendedDisallow: /AI-training crawlers blocked
Amazonbot, Bytespider-class botsDisallow: /Named commercial crawlers blocked
Googlebot, BingbotSelective Disallow + Allow: /places/c/Search indexing allowed on narrow paths only
* (everything else)Disallow: /Every unlisted agent is asked to stay out

The final block, User-agent: * Disallow: /, is the one most scrapers ignore. It asks every bot not explicitly whitelisted to crawl nothing. A handful of search and link-preview bots (Googlebot, Bingbot, Twitterbot, facebookexternalhit) get narrow allowances on profile and place paths, and even they are blocked from /ajax/, /query/, and the private publicapi endpoints. robots.txt is advisory by web convention, it does not carry the force of law on its own, and Instagram pairs it with the contractual ban and active blocking so that the request rarely succeeds anyway. That gap between what the policy forbids and what a court will enforce is the next question.

Is scraping public Instagram data against the terms?

Scraping public Instagram data is against the Terms as written, and a 2024 court decision created a narrow exception for one specific situation. The Terms make no distinction between public and private when they prohibit automated collection, so on the face of the contract, scraping a public profile still violates it. The legal picture is more nuanced.

In Meta Platforms, Inc. v. Bright Data Ltd., 2024 WL 251406 (N.D. Cal. Jan. 23, 2024), Judge Edward Chen granted summary judgment for Bright Data on Meta’s breach-of-contract claims. The court reasoned that Meta’s Terms bind “users,” that a person stops being a user when they log out or close an account, and that logged-off scraping of public data therefore falls outside the contract. As legal analysts summarized it, the Facebook and Instagram Terms do not bar logged-off scraping of public data, and so they do not prohibit the sale of such public data either. The decision sat alongside the earlier hiQ Labs v. LinkedIn line, where the Ninth Circuit held that scraping public data likely does not violate the Computer Fraud and Abuse Act.

Meta responded in its contract language. The 2025 Terms of Service version I quoted above now reaches automated access “regardless of whether such automated access or collection is undertaken while logged-in to a Facebook account,” which is a direct attempt to close the logged-out gap the Bright Data court relied on. Whether that revised wording survives the same reasoning is untested.

The distinction that actually controls your risk looks like this:

ScenarioTerms positionCourt signal (US)
Scraping while logged in to an accountClear breach of TermsBreach likely enforceable; account relationship exists
Logged-off scraping of public dataProhibited by 2025 Terms wordingBright Data: pre-2025 Terms did not bar it
Accessing private or login-gated dataBreach plus potential CFAA exposureBypassing a login is the classic CFAA risk
Collecting personal data of EU residentsBreach plus GDPR dutiesRegulators treat scraped personal data as in-scope

US contract and CFAA outcomes are one layer. Data-protection law is a separate one, and it bites hardest on personal data, which most Instagram fields are. The enforcement section covers what Instagram and regulators actually do.

What happens if you scrape Instagram against its policy?

Scraping Instagram against its policy triggers technical enforcement first and legal enforcement second. The technical layer is what you hit on day one: rate limits, IP blocks, device fingerprint blocks, action blocks, and on logged-in accounts, suspension or permanent disable. Instagram’s anti-automation systems are tuned to spot non-human request patterns, and a datacenter IP running a fast crawl gets throttled or blocked quickly.

The legal layer is slower and heavier. Meta has a documented history of suing scraping operators, and it has won injunctions and settlements forcing companies to stop and delete data. The contract breach is the usual hook, and where a login is bypassed, the CFAA can come into play.

Regulators add a third front that catches people by surprise. Ireland’s Data Protection Commission, Meta’s lead EU privacy regulator, fined Meta 265 million euros on November 28, 2022 after a data-scraping inquiry into a leak of personal data from up to 533 million Facebook users. The DPC found breaches of GDPR Article 25 on data protection by design and default. The lesson for anyone collecting Instagram data is that scraped personal data is regulated data, and EU rules on lawful basis, transparency, and data subject rights apply to the party holding it.

The exposures stack on top of each other:

Enforcement typeWho actsTypical consequence
Rate limiting and blocksInstagram automated systemsThrottled, then IP or device blocked
Account actionInstagramAction block, suspension, permanent disable
Civil litigationMetaInjunction, damages, mandated deletion
Data-protection enforcementEU regulators (DPC)Fines under GDPR, corrective orders

None of this means data collection from Instagram is off the table. It means the method matters. The routes that stay inside the policy are the official API and a logged-out public-page approach, both covered next.

What is the compliant way to access Instagram data?

The compliant way to access Instagram data is Instagram’s official API, which grants permissioned access to professional accounts under defined scopes and rate limits. Meta deprecated the older Instagram Basic Display API on December 4, 2024 and replaced it with the Instagram API with Instagram Login, a Graph-based API that serves business and creator accounts. The official API is the only route that comes with express permission built in, which is exactly what the Terms and robots.txt require.

The official API has real limits, and they are the reason people look elsewhere. It is scoped to accounts you own or that authorize your app, it does not expose arbitrary public profiles in bulk, and it gates the richest data behind App Review and a business connection. For collecting public data across many accounts you do not control, the official API does not fit.

That is where a scraper API that reads logged-out public pages comes in. It requests the same pages any signed-out visitor can load, parses them, and returns structured JSON, so you are not running automation against Instagram from your own infrastructure or holding an account that is bound by the logged-in clause. In my testing of ChocoData, a single authenticated request returned a public profile as clean JSON without an app review or a proxy pool. The request is a plain GET with your API key as a query parameter:

curl "https://chocodata.com/api/v1/instagram/profile?username=nasa&api_key=$CHOCO_API_KEY"

The Python version is the same shape and loads straight into your own storage:

import requests

resp = requests.get(
    "https://chocodata.com/api/v1/instagram/profile",
    params={"username": "nasa", "api_key": "YOUR_CHOCO_API_KEY"},
    timeout=30,
)
profile = resp.json()["data"]
print(profile["username"], profile.get("followers"), profile.get("biography"))

This reads a public profile the way a logged-out browser would, which keeps you clear of the logged-in account relationship the 2025 Terms lean on, though the automated-collection prohibition still applies as a contract matter and you remain responsible for how you use any personal data you receive. You can get an API key on the ChocoData sign-up page and swap it into the snippet. For pulling contact fields from public business profiles, the Instagram email and lead scraper endpoint returns the same shape, and the Instagram profile scraper endpoint covers account-level fields.

How the three routes compare on the things that decide which you pick:

RoutePermission modelCovers public accounts you don’t ownMain constraint
Official Instagram API (with Login)Express, scope-basedNoProfessional accounts and App Review only
Logged-out scraper API (ChocoData)Reads public pages a visitor seesYesContract prohibition and data-use duties remain
Self-built scraperNoneYes, until blockedBlocks, account bans, full legal exposure

The route you choose sets your compliance posture before you collect a single record. The practical checklist below turns that into steps.

How do you stay compliant when collecting Instagram data?

You stay compliant by matching your method to the rules in the Terms, the robots.txt, and data-protection law, in that order. Compliance here is not a single switch, it is a set of choices about which data, which route, and what you do with the result. Here is the checklist I work through before any Instagram collection project.

For the legal background in depth, including the CFAA and the public-data case law, I walk through it in is scraping Instagram legal. The practical side of staying unblocked is in my guide on how to avoid getting blocked scraping Instagram, and the end-to-end methods are in how to scrape Instagram data. The policy is strict, the case law is moving, and the safest path is to pick a permissioned or logged-out route and document why you chose it.

FAQ

Does Instagram's terms of service prohibit scraping?

Yes. Meta's Terms of Service state you may not access or collect data from its Products using automated means without prior permission, and Instagram's Terms of Use separately prohibit collecting information in an automated way without express permission. The prohibition is a contract term, so it binds anyone who holds or held an Instagram account and agreed to the Terms. It is a separate question from whether scraping is illegal, which depends on the data and the jurisdiction.

What does Instagram's robots.txt say about scraping?

Instagram's robots.txt opens with a notice that collection of data through automated means is prohibited unless you have express written permission from Instagram, and it links to Meta's Automated Data Collection Terms. It then disallows named crawlers including Scrapy, GPTBot, and ClaudeBot with Disallow: /, and closes with a catch-all User-agent: * Disallow: / that asks every other unlisted bot to stay out. I pulled the file live in June 2026 and quote it in full below.

Is scraping public Instagram data against the terms of use?

Under the Terms, collecting any Instagram data by automated means without permission is prohibited, public or not. A U.S. court reached a narrower contract result in Meta v. Bright Data in January 2024, finding the Terms did not bar logged-off scraping of public data by a party with no active account. Meta updated its 2025 Terms to state the automated-access restriction applies whether or not you are logged in to an account.

What happens if you scrape Instagram against its policy?

Instagram enforces its scraping policy with rate limits, IP and device blocks, action blocks, and account suspension or termination, and Meta has sued scraping operators. Regulators have also acted on scraped Instagram and Facebook data: Ireland's Data Protection Commission fined Meta 265 million euros in November 2022 over a data-scraping inquiry. The compliance risk sits on both the operator collecting data and the platform exposing it.

What is the compliant way to get Instagram data?

The compliant route is the official Instagram API with Instagram Login (the Graph-based API that replaced the Basic Display API in December 2024), which serves professional accounts under permission scopes and rate limits. For logged-out public pages, a scraper API that reads what any visitor can see returns parsed JSON without you running automation against Instagram directly. I show both shapes, including a ChocoData request, in the routes section.

LH
Lena Hoff
I've built Instagram data pipelines for years. On instagramscraperapi.com I run Instagram scraping methods against live pages and publish what actually holds up.