MeitY is examining Instagram scraping after notices: fix your lead-gen and MarTech stack before buyers ask
Updated: 10 Jul 2026 · For: SaaS founders, DPOs and growth leads selling to enterprises
What changed
On 9 July 2026, MeitY Secretary S. Krishnan told reporters the ministry will examine concerns over scraping data from public Instagram accounts after formal responses to notices issued in the matter — with reply deadlines falling that week. Separate notices cover a username-related issue (also sent to other agencies) and child sexual abuse material (CSAM) on the platform, with different response timelines. Public backlash followed Meta's AI features that drew on Instagram content. The government has previously stated in Parliament that scraping publicly available user data for AI training is regulated under the IT Act, intermediary rules, and the DPDP Act — with consent required for specified purposes and penalties up to ₹250 crore for serious non-compliance.
What the law is (plain English)
Scraping is not a free-for-all because a profile is 'public'. The DPDP Act requires notice, purpose limitation, and a lawful basis before processing digital personal data — including handles, bios, engagement metadata, and inferred identity linked to a phone or email in your CRM. Section 43 of the IT Act penalises unauthorised access; Section 72A addresses breach of lawful contract where a platform's terms prohibit scraping. Intermediary Rules require platforms to prevent unlawful content and protect unauthorised access — but that does not license third parties to harvest user data at scale. If scraped data feeds outbound calls or SMS, TRAI's unsolicited communications rules add another compliance layer.
What it means in practice
SaaS founders, growth leads, and AI startups building enrichment pipelines must separate 'technically feasible' from 'lawful in India'. Enterprise procurement is already adding scraping questionnaires to security reviews. If MeitY acts against a global platform, Indian startups that resell scraped social graphs or train models on them face collateral takedowns, app-store scrutiny, and investor DD write-downs. SB Tech's Data Protection team advises on scraping alternatives — consented APIs, first-party capture, and DPDP-aligned enrichment — because the first regulator question is always 'show us the notice and purpose map'.
What founders should do this week
- Map every scraping script, browser extension, and third-party enrichment API — document lawful basis, notice, and retention per field
- Pause new campaigns that rely on Instagram or public-profile harvesting until MeitY's examination clarifies enforcement posture
- Update privacy notices and enterprise DPAs to disclose social-data sources honestly — remove 'publicly available' boilerplate that implies unlimited reuse
- Add a scraping kill-switch in product: block exports when consent status is unknown for EU/India combined cohorts
- Brief sales: do not promise 'Instagram graph' leads to enterprise buyers without legal sign-off on the data path
What can wait
- Rebuilding entire attribution stack if first-party capture can replace scraped fields short term
- Board-level AI governance policy until scraping inventory is complete
When to call counsel
- Enterprise legal asks for a scraping opinion before renewal and your vendor cannot show DPDP notices or Meta API terms compliance
- You train or fine-tune models on social data and lack a documented objection-handling and erasure workflow
- MeitY or a state authority sends you a notice as processor or intermediary — do not respond without counsel on admission risk
Founder FAQ
Is scraping public Instagram profiles illegal in India?
Public visibility does not remove DPDP notice, purpose, and consent obligations. Platform terms, IT Act access rules, and how you use the data (calls, AI training, resale) determine legality — not whether the profile was public.
We only use scraping for B2B lead enrichment — does DPDP apply?
If you process digital personal data of identifiable individuals in India, DPDP applies. B2B does not exempt you from notice and purpose limitation when emails, phones, or handles identify natural persons.
Should we wait for MeitY's final order before changing anything?
No. Notices and public examination signal active scrutiny. Founders should fix data paths now — regulators rarely reward 'we waited for clarity' after a breach or complaint.
SB Tech Associates: General information only — not legal advice. Verify the official notification and obtain counsel for your facts before acting.
Source: ANI →
Topics: Instagram data scraping legal India, MeitY scraping notice Meta, DPDP web scraping compliance, lead generation data protection India, public social media data DPDP, MarTech scraping India law
This publication is for general information only and does not constitute legal advice. Regulatory positions evolve; verify current notifications and obtain counsel before acting. © 2026 SB Tech Associates.