LinkedIn isn’t always thought of as a hotbed of ad tracking, at least not compared to contemporaries like Facebook and Tiktok, but it often makes top 10 lists of apps and platforms that are the worst for user privacy. The Microsoft-owned site will now be facing a hefty GDPR fine along those lines, as the Irish Data Protection Commission (DPC) delivered a final decision that includes an administrative fine total of €310 million.
The business and employment networking giant is being tagged for failure to obtain sufficiently informed consent for ad tracking, and for not having a valid basis for its processing of first party personal data for this purpose. The final order stems from a draft decision submitted to the GDPR cooperation mechanism in July, to which no other data authorities raised objections.
GDPR fine includes reprimand and compliance order
The GDPR fine, which equals about $335 million USD, stems from an investigation initiated by complaints first filed in 2018 (the year the regulation first went into force). The total cracks the top 10 list for fine amounts, falling just behind the penalty assessed to Tiktok in 2023 due to its failure to protect underage users.
LinkedIn’s path during this time mirrors Meta’s, in which it attempted to cover its lack of explicit user consent for Facebook ad tracking with various claims of legal exceptions allowed by the GDPR. These included “legitimate interest” and “contractual necessity” exceptions, all of which were rejected as a lawful basis by the Irish DPC.
The site could face further GDPR fines if it does not bring its ad tracking practices into compliance. The company said in a statement that it believes it has been within the bounds of the GDPR, but is working to ensure it is in line with requirements as ordered by the DPC.
LinkedIn ad tracking flies below the radar
Rankings of site and app privacy practices often place the usual suspects at the top of the warning list: Meta’s assorted services, X, Tiktok and YouTube. But LinkedIn is often in that mix as well. The fact that it is used almost exclusively for business networking sometimes masks the extent of personal data collection and ad tracking that takes place there. The site serves what it calls “dynamic ads” based on user profile data; it is possible to opt out, but one is opted in by default. That practice is at odds with GDPR terms that require consent be provided for collection of personal information for advertising purposes, and that it must be clear and unambiguous.
While Meta has been the main focus of ad tracking penalties in the EU to date, the law appears to be coming to collect up other players with similar practices. Privacy group noyb, which has spent much of its attention on Meta since the inception of the GDPR, recently filed a complaint against Pinterest along similar ad tracking lines. The complaint notes that the platform similarly opts all of its users into data collection and requires them to manually opt out. Pinterest has similarly invoked the “legitimate interest” defense for this practice, something that has already been shot down for both Meta and LinkedIn now and has led to GDPR fines in both cases.
Meta’s own adventures in this area led to it eventually adopting its “pay or OK” or “pay or consent” model for its services, telling users they can either pay a monthly subscription fee or agree to whatever ad tracking the company wants to do. But in July, the European Commission issued a preliminary ruling that the model violates the terms of the new Digital Markets Act (DMA). Meta has until March of next year to argue for its approach, at which time it could be subject to penalties even larger than the maximum GDPR fines.
It has yet to be seen if LinkedIn and other players will attempt a similar subscription model in the EU. Meta charges the equivalent of about $14 per month for ad-free access to all of its services, and a GDPR complaint by noyb noted that the average internet user could be expected to pay hundreds of dollars per year to maintain their privacy if all of their services shifted to a similar model. The Court of Justice of the European Union (CJEU) backed the Schrems complaint with a ruling earlier this month, though it merely limits the personal data Meta is allowed to collect rather than banning the practice. Various regulatory bodies have signaled receptiveness to the “pay or OK” concept so long as there is a “third way” offered that allows for free access to the service with legally compliant ad tracking.