LinkedIn hit with $335 million fine for using member data for ad targeting without consent

Ireland’s top privacy regulator on Thursday fined social media platform LinkedIn €310 million ($335 million) for allegedly using its members' data for advertising purposes without obtaining their consent.

The Microsoft-owned company violated the European Union’s General Data Protection Regulation (GDPR) when it processed users’ data for behavioral analysis and targeted advertising, Ireland’s Data Protection Commission (DPC) said in its announcement. By unfairly processing the data without transparency or consent, LinkedIn broke the law, it added.

The hefty fine is one of the largest ever levied against a tech company for violating the GDPR.

The personal information LinkedIn processed and used for its ad tracking business allegedly included data that users provided directly to the platform as well as data it obtained from third-party partners.

LinkedIn did not have a lawful basis to gather the data, said the DPC, which ordered the company to change its practices.

“The consent obtained by LinkedIn was not freely given, sufficiently informed or specific, or unambiguous,” the DPC announcement said.

The DPC’s investigation of the platform followed claims made to a French regulator in 2018. The DPC took over the probe because it is charged with overseeing Microsoft.

LinkedIn asserts that it did not violate the GDPR, but is nonetheless working to meet the DPC’s demand for changes. 

“While we believe we have been in compliance with the General Data Protection Regulation (GDPR), we are working to ensure our ad practices meet this decision by the IDPC's deadline,” the company said in a statement posted to its website.

Deputy Commissioner Graham Doyle issued a statement which said that processing personal data “without an appropriate legal basis is a clear and serious violation of a data subject's fundamental right to data protection.”

European regulators have a history of aggressively enforcing the GDPR’s rules relating to how tech companies traffic in individuals’ data. Last year the DPC fined Meta €1.2 billion ($1.3 billion) for moving Facebook users’ personal data out of the EU. 

Luxembourg’s National Commission for Data Protection hit Amazon with a €746 million ($815 million) fine in July 2021 for not receiving consent before using customers' personal data for ad targeting.

Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.