By Last Followed Team · Published June 23, 2026 · Updated June 23, 2026 · 9 min read

The legal question follows the curiosity by about three seconds. You've checked a public Instagram profile, noted who someone follows, and then wondered whether what you just did put you on the wrong side of some law. The short answer is almost certainly no. The fuller answer requires three distinct legal frameworks: a US federal court ruling, a European data regulation, and the terms a platform sets for itself. This article unpacks all three in plain language, relying on primary sources rather than secondhand summaries.
Key Takeaways
- Viewing a public Instagram profile or its list of follows is legal in the US, EU, and most other jurisdictions -- the hiQ Labs ruling reaffirmed this in 2022.
- The GDPR applies even to public data, but Article 6(1)(f) legitimate interest typically covers personal curiosity, journalism, and business verification.
- You cross a legal line when you access private accounts, aggregate data commercially without consent, or use the information to harass someone.
- As an end user of a legitimate web tool, your personal exposure is minimal -- the operator carries the heavier compliance obligations.
The short answer: yes, with clear limits
Viewing a public Instagram profile, checking its list of follows, or verifying that an account exists is legal in the United States, the European Union, and the vast majority of other jurisdictions. The key condition is concrete: the profile must be public -- meaning the account holder chose to make it visible to everyone without login. Reading data that Instagram itself displays to unauthenticated visitors does not constitute unauthorized access under any major legal framework currently in force.
Instagram decides what data it exposes on public-facing pages. When someone keeps their account open, their following list, post count, bio, and follower tally are visible to any web browser, logged in or not. Accessing that information requires no bypass, no credential, and no deception. The legal distinction that matters is between reading content the platform openly serves and circumventing an access control the platform has deliberately put in place. The former is lawful; the latter is not.
Citation capsule: The Ninth Circuit federal appeals court confirmed in April 2022 that accessing publicly available social-platform data does not violate the Computer Fraud and Abuse Act. The court held that data a platform makes visible to everyone cannot be considered "protected" under the CFAA's "without authorization" standard, because no authorization barrier exists for a visitor to bypass (hiQ Labs v. LinkedIn, 9th Cir. 2022, No. 17-16783).
What counts as "public" Instagram data?
Public Instagram data is any content the account holder chose to display without authentication restrictions. On a public account that includes: the profile photo, username, bio, follower count, following count, total post count, and the full list of accounts they follow. All of it loads for a visitor who is completely logged out -- Instagram serves it freely to any browser.
The line sits at the authentication wall. Posts on a private account, direct messages, close-friends stories, and any content that requires approved-follower status are not public. Accessing those elements requires either your own credentials or a relationship the account holder grants. A tool that claims to show private profiles either fabricates the data or bypasses access controls -- both are problems. Checking any content on the public side of that wall is consistent with current law in every jurisdiction covered here.
For a hands-on look at checking a public profile without a logged-in session, see how to view Instagram anonymously in 2026.
The hiQ Labs v. LinkedIn ruling: what it says and what it doesn't
hiQ Labs was a data analytics company that collected public LinkedIn profiles to build workforce-trend tools. LinkedIn blocked hiQ's crawlers and sent cease-and-desist letters. hiQ sued, arguing that blocking access to public data violated no legitimate law. The Ninth Circuit sided with hiQ in 2019 on the core Computer Fraud and Abuse Act claim. After a Supreme Court remand prompted by a related ruling, the Ninth Circuit reaffirmed its position in April 2022.
The controlling logic has two parts. First, the CFAA's "without authorization" standard is only meaningful where a system actually requires authorization to access. A public web page requires none, so anyone reading it is, by definition, authorized. Second, the court explicitly rejected the argument that violating a platform's terms of service converts an access into an unauthorized one under criminal law. Terms of service violations are contractual disputes -- not computer crimes.
One limit is worth noting: the ruling is binding on federal courts in the Ninth Circuit, which covers California and eight other western US states. Courts in other circuits are not formally bound, though they treat it as highly persuasive authority. European users operate under the GDPR framework covered next.
Citation capsule: The Electronic Frontier Foundation, which filed an amicus brief in the case, maintains a full case record and called the result a win for an open internet: collecting publicly visible information is lawful access, not hacking, because the platform itself chose to make that information visible to everyone (EFF, hiQ v. LinkedIn case page). The California Lawyers Association reached the same conclusion, noting the ruling "confirms that data scraping of publicly available information does not violate the CFAA" (Cal. Lawyers Assoc., 2022).
The Computer Fraud and Abuse Act: what it actually covers
The CFAA, codified at 18 U.S.C. § 1030, is a 1986 computer-fraud statute originally aimed at hackers who broke into government and financial systems. It prohibits accessing a "protected computer" "without authorization" or in a manner that "exceeds authorized access." Courts argued for decades over whether violating a website's terms of service counts as exceeding authorization.
The Supreme Court settled a significant piece of that debate in Van Buren v. United States (2021), ruling that the "exceeds authorized access" clause covers only conduct that circumvents access controls on otherwise off-limits information -- not mere misuse of authorized access. That reading pushed courts further away from treating terms-of-service violations as CFAA violations and reinforced the hiQ interpretation: a public web page has no access control to circumvent, so no CFAA violation can occur by reading it.
GDPR and public Instagram data in Europe
The General Data Protection Regulation applies across the European Union and to any organization processing personal data of EU residents wherever it is located. Unlike the CFAA, the GDPR creates no blanket public-data exemption. Publicly available information can still constitute personal data under the GDPR definition, and processing it requires a lawful basis under Article 6 of the Regulation.
For an individual checking a public Instagram profile for personal reasons -- verifying someone's account before a first date or researching a business contact -- Article 6(1)(f), the "legitimate interests" basis, is the relevant provision. The test asks whether the interest is real, whether processing is necessary to achieve it, and whether the data subject's rights outweigh it. Checking a public account profile for a proportionate personal purpose passes that test under standard supervisory-authority guidance.
Commercial collection is different. A company systematically harvesting public Instagram data to build marketing lists, train machine-learning models, or resell contact information at scale must identify a stronger legal basis or obtain consent. The UK Information Commissioner's Office distinguishes individual profile viewing from bulk commercial extraction when assessing proportionality under UK GDPR, and its data-sharing guidance addresses how the lawful-basis analysis shifts at scale (ICO, Data Sharing Guidance).
Citation capsule: The GDPR's Article 5(1)(c) data-minimisation principle requires that personal data be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed." Checking one person's public profile to verify a claim is inherently minimal. Bulk extraction to profile populations is not. European Data Protection Board enforcement actions have applied this distinction consistently in decisions targeting commercial social-media scrapers (EUR-Lex, Regulation (EU) 2016/679).
Meta's Terms of Service: what they can and can't enforce
Instagram's Terms of Service and Meta's Platform Policy prohibit automated data collection ("crawling, scraping, caching or otherwise accessing or collecting information through automated means") without prior written permission. Violating those terms gives Meta grounds to terminate your account and pursue contractual remedies. It does not, on its own, make the act a criminal offense -- criminal liability comes from the CFAA and applicable data-protection law, not from a private platform contract.
End users reading public profiles through a web browser are not running automated scrapers. The prohibition in Meta's terms targets bots and bulk-extraction systems, not an individual manually reviewing a public page. Platform terms create contractual obligations, not criminal liability. A platform can ban you for a policy violation; it cannot have you prosecuted for activity that is otherwise lawful under federal and state law.
When viewing public Instagram data becomes illegal
Three scenarios convert an otherwise legal activity into a legal problem.
Private account access. Using a secondary approved account, a tool that claims to reveal private profiles, or any credential-based workaround to view a private Instagram profile breaches both the CFAA authorization threshold and the GDPR legal-basis requirement at the same time. No legal theory justifies accessing a private account without the owner's consent.
Harassment and stalking. Repeatedly monitoring a specific private individual's public activity with the purpose of intimidating, following, or threatening that person can constitute criminal harassment or stalking under US state law, UK law, and national laws across EU member states. The viewing itself becomes part of a prohibited course of conduct.
Commercial use without legal basis. Systematically collecting, reselling, or building commercial databases from public Instagram data without a GDPR legal basis is the primary enforcement target of European data-protection regulators. In the US, the California Consumer Privacy Act creates similar obligations for businesses that handle personal data of California residents at scale (Cal. Civ. Code § 1798.100).
Tool responsibility versus your responsibility
When you use a legitimate web tool to check a public Instagram account -- such as Last Followed's follower-activity checker -- the legal relationship splits into two layers. The tool operator carries obligations as a data controller under the GDPR and must comply with Meta's developer policies when using platform infrastructure. You, as an end user, bear responsibility for the purpose you apply the result to.
A tool that accesses only public profiles, requires no Instagram credentials from you, operates under a transparent privacy policy, and cites a lawful basis for its processing transfers minimal legal risk to users. Your relevant question as a user is proportionality of purpose: using accurate public information to verify whether a business contact is who they claim to be is proportionate. Using the same information to track a specific private individual's daily movements is not proportionate and can become harassment under applicable law.
For a practical guide to what public follower data reveals and how to read it responsibly, see how to track Instagram follower activity: the complete 2026 guide. And to understand when and how to verify any account's authenticity, our verification guide walks through four field-tested methods.
Frequently asked questions
Does checking a public Instagram profile notify the account owner? No. Instagram does not tell account holders when someone visits their public profile or views their following list. Story views are the one exception: if you watch someone's story while logged into your own account, your username appears in their viewer list. Profile visits and following-list checks produce no notification at all.
Can a tool that claims to show private Instagram accounts be trusted? No. Private Instagram accounts require the owner's explicit approval to view. Any tool claiming to bypass that setting either shows fabricated data or violates the CFAA by circumventing an access control. Treat any such claim as a red flag and avoid the tool.
Is it legal to check a public Instagram account in the UK after Brexit? Yes. The UK retained the GDPR framework as UK GDPR under the Data Protection Act 2018. The Article 6(1)(f) legitimate-interest basis applies in the same way as in the EU. Individual use of a public profile for proportionate personal purposes is lawful.
Does GDPR apply if I'm not in the EU? GDPR applies when you process personal data of EU residents, regardless of where you are located. If the Instagram profile belongs to an EU resident, the regulation is technically in scope. In practice, enforcement against individuals for personal-use profile checks has never occurred; supervisory authorities target organizations handling data at scale.
What is the safest way to verify someone's Instagram account? Use a tool that checks only publicly available data, requires no login credentials from you, publishes a clear privacy policy, and operates under a stated legal basis. Never enter your Instagram password into a third-party service. A full walkthrough of verification methods is in our account-verification guide.
Is viewing public Instagram data legal for journalism or academic research? Yes. The GDPR provides explicit allowances for processing personal data in the public interest, for journalism, and for scientific or academic research under Article 85. US law has never restricted journalists or researchers from reading public social-media profiles. Academic institutions typically layer their own ethical-review standards on top of the legal baseline.
[
{
"@context": "https://schema.org",
"@type": "Article",
"headline": "Is it legal to view public Instagram data? The 2026 answer",
"description": "Is it legal to view public Instagram data? Yes, with clear limits. We break down hiQ Labs, GDPR, the CFAA, and when checking a profile crosses a legal line.",
"datePublished": "2026-06-23",
"dateModified": "2026-06-23",
"author": {
"@type": "Organization",
"name": "Last Followed Team",
"url": "https://www.lastfollowed.com/en/about"
},
"publisher": {
"@type": "Organization",
"name": "Last Followed",
"url": "https://www.lastfollowed.com"
},
"url": "https://www.lastfollowed.com/en/blog/is-it-legal-view-public-instagram-data",
"about": [
{
"@type": "Thing",
"name": "hiQ Labs v. LinkedIn",
"sameAs": "https://en.wikipedia.org/wiki/HiQ_Labs,_Inc._v._LinkedIn_Corp."
},
{
"@type": "Thing",
"name": "General Data Protection Regulation",
"sameAs": "https://en.wikipedia.org/wiki/General_Data_Protection_Regulation"
},
{
"@type": "Thing",
"name": "Computer Fraud and Abuse Act",
"sameAs": "https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act"
}
]
},
{
"@context": "https://schema.org",
"@type": "BreadcrumbList",
"itemListElement": [
{
"@type": "ListItem",
"position": 1,
"name": "Home",
"item": "https://www.lastfollowed.com/en"
},
{
"@type": "ListItem",
"position": 2,
"name": "Blog",
"item": "https://www.lastfollowed.com/en/blog"
},
{
"@type": "ListItem",
"position": 3,
"name": "Is it legal to view public Instagram data? The 2026 answer",
"item": "https://www.lastfollowed.com/en/blog/is-it-legal-view-public-instagram-data"
}
]
},
{
"@context": "https://schema.org",
"@type": "FAQPage",
"mainEntity": [
{
"@type": "Question",
"name": "Does checking a public Instagram profile notify the account owner?",
"acceptedAnswer": {
"@type": "Answer",
"text": "No. Instagram does not tell account holders when someone visits their public profile or views their following list. Story views are the one exception: if you watch someone's story while logged into your own account, your username appears in their viewer list. Profile visits and following-list checks produce no notification at all."
}
},
{
"@type": "Question",
"name": "Can a tool that claims to show private Instagram accounts be trusted?",
"acceptedAnswer": {
"@type": "Answer",
"text": "No. Private Instagram accounts require the owner's explicit approval to view. Any tool claiming to bypass that setting either shows fabricated data or violates the CFAA by circumventing an access control. Treat any such claim as a red flag and avoid the tool."
}
},
{
"@type": "Question",
"name": "Is it legal to check a public Instagram account in the UK after Brexit?",
"acceptedAnswer": {
"@type": "Answer",
"text": "Yes. The UK retained the GDPR framework as UK GDPR under the Data Protection Act 2018. The Article 6(1)(f) legitimate-interest basis applies in the same way as in the EU. Individual use of a public profile for proportionate personal purposes is lawful."
}
},
{
"@type": "Question",
"name": "Does GDPR apply if I'm not in the EU?",
"acceptedAnswer": {
"@type": "Answer",
"text": "GDPR applies when you process personal data of EU residents, regardless of where you are located. If the Instagram profile belongs to an EU resident, the regulation is technically in scope. In practice, enforcement against individuals for personal-use profile checks has never occurred; supervisory authorities target organizations handling data at scale."
}
},
{
"@type": "Question",
"name": "What is the safest way to verify someone's Instagram account?",
"acceptedAnswer": {
"@type": "Answer",
"text": "Use a tool that checks only publicly available data, requires no login credentials from you, publishes a clear privacy policy, and operates under a stated legal basis. Never enter your Instagram password into a third-party service."
}
},
{
"@type": "Question",
"name": "Is viewing public Instagram data legal for journalism or academic research?",
"acceptedAnswer": {
"@type": "Answer",
"text": "Yes. The GDPR provides explicit allowances for processing personal data in the public interest, for journalism, and for scientific or academic research under Article 85. US law has never restricted journalists or researchers from reading public social-media profiles."
}
}
]
}
]