LinkedIn Fined EUR 310M for Behavioral Ad Targeting
The Irish Data Protection Commission (DPC) fined LinkedIn Ireland Unlimited Company EUR 310 million in October 2024 for processing member personal data for behavioral advertising and analytics without a valid legal basis. The decision found that LinkedIn relied on consent that did not meet GDPR standards and improperly invoked legitimate interest as a fallback legal basis for intrusive ad targeting.
KEY FACTS
- WhatLinkedIn processed member data for behavioral ads without valid consent.
- WhoHundreds of millions of EEA LinkedIn members.
- Data ExposedProfessional profiles, on/off-platform behavior, and inferred demographics.
- OutcomeIrish DPC fined LinkedIn EUR 310M and ordered compliance.
WHAT WAS EXPOSED
- Member professional profile data including job titles, employers, skills, and connections used for ad segmentation
- On-platform behavioral data including content engagement, article reading, job search activity
- Off-platform tracking data collected through LinkedIn Insight Tags on third-party websites
- Inferred demographic and psychographic data derived from member activity
- Third-party data enrichment information matched against LinkedIn profiles
REGULATORY ANALYSIS
The DPC examined LinkedIn's reliance on three legal bases: consent (Article 6(1)(a)), legitimate interest (Article 6(1)(f)), and contractual necessity (Article 6(1)(b)). All three were found inadequate. Consent was not "freely given" because advertising consent was bundled with other purposes. Legitimate interest failed the balancing test because extensive behavioral profiling--including off-platform tracking--constituted processing members could not reasonably expect from a professional networking platform.
SOURCES
Irish DPC Decision IN-22-5-1, CJEU Planet49 Case C-673/17, EDPB Guidelines 2/2019 and 05/2020