CNIL Fines KASPR €240,000 for Illegally Collecting LinkedIn Users' Contact Details

On 5th December 2024, the French data protection authority, CNIL, imposed a €240,000 fine on KASPR, a company that markets a browser extension enabling users to extract professional contact details from LinkedIn profiles. This decision highlights key GDPR compliance points and offers important lessons for businesses handling data. 

KASPR's extension was designed to help users gather professional contact details from LinkedIn, even from profiles where contact visibility had been limited. The company built a database of 160 million contact details, which were used for commercial outreach, recruitment, and identity verification. The CNIL received numerous complaints from individuals who had been contacted by companies using data obtained through KASPR’s service. 

Key GDPR Violations

Following an inspection, the CNIL identified several breaches of GDPR, leading to the fine and a set of corrective actions. Here is a breakdown of the violations:

1. Lack of a Legal Basis for Data Collection

Under Article 6 of the GDPR, businesses must have a legal basis for processing personal data. KASPR collected contact details from LinkedIn users who had restricted the visibility of their information to first- and second-degree connections. This was deemed a violation because KASPR accessed data that users had chosen to limit to a specific group.

2. Failure to Define a Data Retention Period

According to Article 5(1)(e), data should not be kept longer than necessary for its intended purpose. KASPR stored data for up to five years, automatically renewing the retention period every time an individual changed jobs. This led to the prolonged retention of data, which was not proportionate to the business purpose.

3. Lack of Transparency and Information to Data Subjects

KASPR informed individuals about their data being collected only four years after the extension was launched, and the notification was sent in English, which was not ideal for many recipients. GDPR requires that businesses provide clear and transparent information to individuals about data processing practices.

4. Failure to Honour the Right of Access

When individuals requested details about how their data had been collected, KASPR was unable to provide specific information about the data sources, despite being aware of some of them. GDPR grants individuals the right to access information about the sources of their data.

The CNIL’s Sanctions and Compliance Orders

The CNIL’s fine and corrective measures are a wake-up call for businesses dealing with large volumes of personal data. In addition to the fine, KASPR was ordered to:

  • Stop collecting data from individuals who have restricted the visibility of their contact details and delete any unlawfully collected data.

  • Cease the automatic renewal of data storage periods.

  • Provide clear, understandable communication to individuals whose data is being processed, particularly in a language they can easily comprehend.

  • Respond comprehensively to data access requests, including specifying the data sources.

The company has until 18th June 2025 to fully comply with these requirements.

What Businesses Should Take Away from This Decision

To stay GDPR-compliant, businesses need to put privacy at the forefront, respecting user preferences. For instance, just because a social media profile is public doesn’t mean it’s open for collecting someone’s contact details without proper consent.

Establishing clear data retention policies is equally important; holding onto data for longer than necessary is not only a compliance risk but also erodes trust. Companies should regularly review these policies to ensure they align with legal requirements. Transparency is another key factor: users should always be informed about how their data is being used and given clear options to opt out. Delays or lack of clarity in communication can lead to regulatory scrutiny and reputational damage. Additionally, businesses must be prepared to respond efficiently to access requests, providing individuals with clear information about how their data was obtained and processed. A structured approach to data handling not only ensures compliance but also strengthens customer trust and business credibility.

How Can Gerrish Legal Help?

Gerrish Legal is a dynamic digital law firm. We pride ourselves on giving high-quality and expert legal advice to our valued clients. We specialise in many aspects of digital law such as GDPR, data privacy, digital and technology law, commercial law, and intellectual property. 

We give companies the support they need to successfully and confidently run their businesses whilst complying with legal regulations without the burdens of keeping up with ever-changing digital requirements. 

We are here to help you; get in contact with us today for more information.
