The CNIL (French Data Protection Authority) has imposed a significant penalty on Kaspr. The company, which provides a Chrome extension designed to collect the professional contact details of LinkedIn users, has been ordered to pay a fine of 240,000 euros.
Controversial data collection
Kaspr offers a technical solution that allows access to the professional contact information of individuals whose profiles are viewed on LinkedIn. According to the French data protection authority, this method violates several fundamental principles of the General Data Protection Regulation (GDPR). LinkedIn users can choose to restrict the visibility of their personal information, but Kaspr continued to collect this data despite users’ privacy settings.
This is the point that drew the CNIL’s ire. The CNIL considers that when individuals choose to limit access to their contact information, third parties must respect that choice unequivocally. The systematic collection of data that users had made private constitutes a clear violation of the reasonable expectations of users of a professional network such as LinkedIn.
Prolonged and disproportionate data storage
In addition to the problematic collection of contact information, the CNIL also criticizes Kaspr for inadequate management of data retention periods. Generally, information was kept for five years, a period deemed excessive, especially for professionals who frequently change jobs. Furthermore, each update by a user extended this retention period, further exacerbating the disproportionate nature of the data processing.
The CNIL emphasized that this approach directly contravened the proportionality requirement established by the GDPR. It ruled that the company must revise its practices to comply with legal requirements, particularly by adjusting the retention period for collected information.
Failure to comply with the obligation of transparency
Transparency is a key pillar of the GDPR, and this is another area where Kaspr fell short. Until 2022, individuals were not informed about the collection or use of their personal data. When complaints were raised, Kaspr’s responses were vague and unsatisfactory, simply stating that the data came from publicly accessible sources.
This constituted a direct breach of the transparency obligations imposed by the GDPR. The CNIL emphasized that even if the company could not technically specify the precise origin of the data for each individual, it was obligated to provide clear information on the general methods and sources used for data collection.
Corrective measures required by the CNIL
In response to the identified violations, the CNIL ordered Kaspr to take corrective measures. The company must immediately cease collecting the contact details of individuals who have limited their visibility on LinkedIn and delete all data obtained under these conditions. If it is impossible to distinguish this specific data, Kaspr is required to inform the users concerned about the processing of their information and offer them the opportunity to object.
The French data protection authority stressed the importance of respecting users’ privacy choices, adding that failure to comply with these guidelines would result in additional penalties.
This case highlights the challenges related to the collection and management of personal data in today’s digital age. To avoid further penalties, companies using similar techniques must implement strict GDPR compliance policies. Actions such as those taken against Kaspr clearly signal that data protection authorities are prepared to act firmly against violations.