Data scraping: KASPR fined €240,000
On 5 December 2024, the CNIL imposed a fine of 240,000 euros on KASPR, in particular because it collected the contact details of LinkedIn users even when those users had previously restricted their visibility.
Background
KASPR markets a paid extension for the Chrome browser that enables customers to obtain the professional contact details of people whose profiles they visit on the LinkedIn social network. To do this, the company builds a database of contact details from LinkedIn and other websites such as domain name registries. The contact details collected in this way generally enable the company's customers to contact the people concerned, for example for commercial prospecting, recruitment or identity verification. KASPR's database contains about 160 million contacts.
The CNIL received many complaints from people who had been canvassed by entities that obtained their contact details via the KASPR extension.
On the basis of findings made during an inspection, the restricted committee – the CNIL body responsible for issuing sanctions – considered that the company had failed to comply with several obligations under the General Data Protection Regulation (GDPR). The restricted committee imposed a fine of 240,000 euros on KASPR, which was made public, and ordered the company to comply with the GDPR. This fine was adopted in cooperation with all the CNIL's European counterparts.
Sanctioned breaches
Failure to comply with the obligation to have a legal basis (Article 6 of the GDPR)
On LinkedIn, users can choose from four options to determine the visibility of their contact information:
- "Only visible to me";
- "Anyone on LinkedIn";
- "1st-degree connections";
- "1st and 2nd-degree connections".
However, in addition to the contact details of users who had made them visible to everyone, KASPR also collected the contact details of those who had chosen to restrict visibility to their 1st and 2nd-degree connections.
The CNIL considered that KASPR's collection of contact details whose visibility LinkedIn users had expressly limited exceeded what people who register on a professional social network could reasonably expect. The CNIL noted that, for these individuals, choosing to make their contact details visible to their 1st and 2nd-degree connections, i.e. to their contacts on the social network and to their contacts' contacts, did not mean that KASPR was authorised to access and collect those contact details.
In this case, the CNIL considered that the contact details had been collected unlawfully.
Failure to comply with the obligation to define and respect a data retention period proportionate to the purpose of the processing (Article 5(1)(e) of the GDPR)
For data the company had collected lawfully, i.e. the details of people who chose to leave their contact details visible on LinkedIn, the CNIL found that the company kept the contact details for five years from each update of the data, an update generally occurring when a person changes job or employer. Each such change restarts the five-year period, so the CNIL found that, for people who change jobs or employers before the period expires, this renewal of the retention period leads to their data being kept for a disproportionately long time.
Failure to comply with the obligation to provide transparency and information to individuals (Articles 12 and 14 of the GDPR)
The company only started informing data subjects that their personal data had been collected in 2022, that is to say four years after the KASPR extension was launched. This information was provided by an e-mail written in English, containing a link allowing recipients to object to the processing.
Apart from the company's delay in informing individuals, the CNIL also considered that informing individuals of the collection of their data in an e-mail written in English did not amount to transparent and comprehensible information.
Failure to respect the right of access of individuals (Article 15 of the GDPR)
When people who had been canvassed asked KASPR how their contact details had been collected, the company simply told them that the details had been obtained from publicly accessible sources.
After recalling that the company must be able to indicate "all available information as to the source" of the data, the CNIL found that, even if the company was technically unable to specify the source of the data collected for each individual, it was nonetheless aware of some of the sources feeding its database, which were moreover listed in its privacy policy.
The decision
The CNIL imposed a fine of 240,000 euros on KASPR for all these breaches, and ordered the company to:
- cease collecting the data of people who chose to limit the visibility of their contact details, and delete the data collected in this way. If it is impossible to distinguish the data whose visibility had been limited, the company must, within three months, inform the people concerned of the processing of their data and of their right to object to it, and use their data solely for that purpose;
- stop the automatic renewal of the storage of personal data of target persons;
- inform the people whose data is collected in a language they understand;
- respond to requests for access from individuals, providing all available information on the sources of data collection.
The CNIL set a six-month deadline for compliance, expiring on 18 June 2025.
In making its decision public, the CNIL stresses the seriousness of some of the breaches and the large number of people concerned, and points out that publishing the sanction will inform the people concerned by the company's processing so that they can assert their rights.