LinkedIn misused data on non-users by allowing their email addresses to be used to target Facebook advertising, according to a report by the Irish Data Protection Commissioner (DPC).
The news broke Friday in the Irish Times, and was subsequently picked up by other media.
The report covers alleged violations of E-Privacy Regulations from January 1 to May 24, 2018.
The DPC report states that LinkedIn “processed hashed email addresses of approximately 18 million non-LinkedIn members and targeted these individuals on the Facebook Platform.”
It adds that the complaint “was ultimately amicably resolved, with LinkedIn implementing a number of immediate actions to cease the processing of user data for the purposes that gave rise to the complaint.”
However, an audit later revealed that LinkedIn was undertaking the pre-computation of a suggested professional network for non-LinkedIn members.”
LinkedIn was ordered to “cease pre-compute processing and to delete all personal data associated with such processing prior to 25 May 2018,” the date that GDPR took effect.
TechCrunch reports that Denis Kelleher, head of privacy, EMEA, for LinkedIn, responds as follows:
“We appreciate the DPC’s 2017 investigation of a complaint about an advertising campaign and fully cooperated. Unfortunately the strong processes and procedures we have in place were not followed and for that we are sorry.”
He added: "We’ve taken appropriate action, and have improved the way we work to ensure that this will not happen again. During the audit, we also identified one further area where we could improve data privacy for non-members and we have voluntarily changed our practices as a result.”
The DPC investigated 41 complaints in the time period covered by the report. Of these, 24 were related to email marketing, 16 to SMS and one to telephone marketing.
In one email case, Guerin Media Limited was prosecuted for sending unsolicited marketing emails, convicted on four charges and fined €4,000, the report states.
Some complainants asked that their email addresses be removed, but in one case, “nine marketing emails were sent to an individual’s work email address after he had sent an email request to Guerin Media Limited to remove his email address from its mailing list,” the report states.