The Regulator’s Decision

Ireland's Data Protection Commission (DPC) fined the Microsoft-owned professional social networking site for breaches of the lawfulness, fairness, and transparency of its data processing. LinkedIn failed to inform users about their personal data processing and how their data was used for behavioral analysis and targeted advertising. This violates the EU's General Data Protection Regulation (GDPR).

According to the DPC, LinkedIn failed to meet the required obligations when obtaining valid user consent.

The GDPR requires businesses to have a proper legal basis for data collection and processing. In this case, the justifications LinkedIn had relied upon to perform its tracking ads business were found to be invalid. The company also did not properly inform users about the use of their personal data for targeted advertising.

Processing personal data “without an appropriate legal basis is a clear and serious violation” of the user rights under the GDPR, Deputy Commissioner Graham Doyle said in a statement.

Article 6 GDPR and Article 5(1)(a) GDPR, that requires the processing of personal data to be lawful.

The DPC’s final decision records the following violations of the GDPR:

• Did not validly rely on Article 6(1)(a) GDPR (consent) to process third-party data of its members for the purpose of behavioral analysis and targeted advertising on the basis that the consent obtained by LinkedIn was not freely given, sufficiently informed or specific, or unambiguous.
• Did not validly rely on Article 6(1)(f) GDPR (legitimate interests) for its processing of first party personal data of its members for behavioral analysis and targeted advertising, or third-party data for analytics, as LinkedIn’s interests were overridden by the interests and fundamental rights and freedoms of data subjects.
• Did not validly rely on Article 6(1)(b) GDPR (contractual necessity) to process first-party data of its members for the purpose of behavioral analysis and targeted advertising.
• Articles 13(1)(c) and 14(1)(c) GDPR, in respect of the information LinkedIn provided to data subjects regarding its reliance on Article 6(1)(a), Article 6(1)(b) and Article 6(1)(f) GDPR as lawful bases.
• Article 5(1)(a) GDPR, the principle of fairness.

The Ireland's Data Protection Commission (DPC) launched an inquiry into LinkedIn Ireland Unlimited Company (LinkedIn) as the lead supervisory authority for LinkedIn. The case against LinkedIn follows a complaint initially made to the French Data Protection Authority in 2018 by the digital rights non-profit La Quadrature Du Net.

In addition to the fine, LinkedIn received a formal requirement to comply with GDPR regulations within three months.

Response from LinkedIn

LinkedIn said it believes the company complied with the data privacy rules and did not intend to breach the GDPR. It’s working to ensure GDPR compliance to meet the data privacy requirements when serving ads.

Frequently Asked Questions

Why was LinkedIn fined by Ireland's Data Protection Commission?

LinkedIn was fined on 22 October 2024 for breaches of the GDPR. It failed to meet the required obligations when obtaining valid user consent and did not inform users about their data processing for behavioral analysis and targeted advertising. Use CookieScript CMP to get valid user consent and comply with the GDPR and other privacy laws.

What is valid user consent?

Under the GDPR, user consentt must be freely given, sufficiently informed, specific, and unambiguous. LinkedIn failed to get valid user consent for using user personal data for behavioral analysis and targeted advertising. CookieScript CMP can help you get valid user consent and comply with the GDPR and other privacy laws. We also offer compliance hints, so you can ensure compliance while configuring your cookie banner.