KASPR Hit with €240,000 Fine for GDPR Violations

In a recent decision by the French data protection authority (CNIL), KASPR, a company known for its data scraping practices, has been fined €240,000 for violating the General Data Protection Regulation (GDPR). The fine comes after KASPR’s controversial method of collecting personal contact details from LinkedIn users, even those who had specifically chosen to limit their visibility.

KASPR offers a browser extension that allows users to gather professional contact information from LinkedIn profiles. These collected details are then used for various purposes, such as marketing, recruitment, and identity verification. With a database of around 160 million contacts, KASPR’s reach is vast. However, many LinkedIn users began to file complaints after being contacted by organizations using KASPR’s tool. This sparked an investigation into the company’s data practices.

At the heart of the issue were several breaches of GDPR:

  1. Unlawful Data Collection: KASPR gathered contact information not only from users who made their details publicly visible but also from those who had set their profiles to restrict visibility to their 1st and 2nd-degree connections. The CNIL found that this went beyond what users could reasonably expect when they registered on a professional network. Simply put, if a user limited visibility to their direct contacts and their contacts' contacts, that shouldn’t have opened the door for KASPR to collect their data.
  2. Excessive Data Retention: The company also failed to respect the GDPR’s principle of data minimization. KASPR stored the collected contact details for up to five years after each data update—far longer than necessary. If someone changed employers before five years were up, their data’s retention period was automatically renewed, which the CNIL considered disproportionate.
  3. Lack of Transparency: KASPR only began notifying individuals about the collection of their data in 2022, despite having started its operations years earlier. To make matters worse, the notifications were sent in English, which the CNIL deemed insufficiently clear and transparent for the individuals whose data was being collected.
  4. Failure to Respect Access Rights: When individuals contacted KASPR to find out where their contact details had come from, the company only provided vague responses, saying the information was sourced from publicly accessible platforms. This was deemed inadequate since KASPR could have disclosed more specific sources.

In light of these violations, the CNIL has ordered KASPR to cease collecting data from users who have restricted their contact information and delete any such data already collected. The company is also required to stop automatically renewing the retention of personal data, notify individuals in a language they can easily understand, and respond more comprehensively to data access requests.

KASPR has until June 18, 2025, to fully comply with these directives. The CNIL’s decision not only highlights the seriousness of KASPR’s actions but also sends a broader message about the importance of respecting privacy rights in an increasingly digital world. This fine is a reminder that companies must remain transparent, accountable, and in line with GDPR to avoid heavy penalties.
