Data Harvesting Risks: Commercial lessons from the Facebook v BrandTotal case
For digital and data-driven businesses, compliance with third-party platform rules is critical. The lawsuit filed by Facebook against BrandTotal Ltd. and Unimania, Inc. highlights the legal and financial risks associated with unauthorised data extraction.
To avoid costly litigation and business interruptions, it's important to understand the liabilities associated with data scraping and how to govern your data collection practices.
How is data collected?
Understanding how data is collected is the first step in risk management.
In this case, the defendants deployed internet browser extensions (named "UpVoice" and "Ads Feed") via the Google Chrome Store to silently extract data from users' sessions on platforms like Facebook and Instagram. By using users' browsers as proxies, the defendants sent unauthorised, automated commands to Facebook's servers to harvest both public and non-public data.
Commercial and legal risks
If your business uses or profits from unauthorised data scraping, you expose your operations to significant legal action. The salient risks demonstrated in this case include:
Binding Terms of Service: Simply creating an account or a business page on a platform binds your business to its Terms of Service. Facebook and Instagram’s policies expressly prohibit accessing or collecting data using automated means without prior permission.
Breach of Contract: By using automated scripts to bypass platform rules and harvest user profiles, ad preferences, and engagement metrics, the defendants committed a direct breach of contract.
Unjust Enrichment: Packaging and selling unauthorised scraped data as "marketing intelligence" or "competitive insights" exposes your business to unjust enrichment claims. Platforms will aggressively protect their proprietary data ecosystems.
Severe Financial Penalties: The financial exposure in these lawsuits extends far beyond standard compensatory damages. Plaintiffs can demand an accounting and "disgorgement" of profits, meaning your business could be legally forced to surrender all revenue generated from the illicit data harvesting.
Destruction of Business Assets: Courts can issue permanent injunctions requiring a business to identify and permanently delete all data obtained through unauthorised means, effectively crippling business models that rely on that data.
Managing your risk
To protect your business, proactively audit your data acquisition strategies. You must verify that any data collection tools, browser extensions, or third-party data vendors your business relies on strictly comply with the target platforms' Terms of Service. Relying on unauthorised "dark" marketing intelligence or scraping techniques carries an unacceptable risk of immediate technical enforcement, account termination, and crippling civil litigation.

