Rising enthusiasm for consumer data protection in the United States has resulted in several states advancing legislation to protect the privacy of their residents’ personal information. But even the newly enacted California Privacy Rights Act (CPRA)—the most comprehensive data privacy law in the country—leaves a wide-open gap for internet data scrapers to extract, share, and monetize consumers’ personal information while circumventing regulation. Allowing scrapers to evade privacy regulations comes with potentially disastrous consequences for individuals and society at large.

This Note argues that even publicly available personal information should be protected from bulk collection and misappropriation by data scrapers. California should reform its privacy legislation to align with the European Union’s General Data Privacy Regulation (GDPR), which requires data scrapers to provide notice to data subjects upon the collection of their personal information regardless of its public availability. This reform could lay the groundwork for future legislation at the federal level.