On December 5, 2024, the CNIL imposed a fine of 240,000 euros on the company KASPR, which specializes in the collection and marketing of contact details from LinkedIn profiles. This ruling, which was made public, is a reminder of a fundamental rule that is often overlooked: the public availability of data does not mean that it can be used freely.
KASPR offered a browser extension that allowed its customers to collect business contact information from LinkedIn and other sources. This practice, although common, resulted in several complaints. Users had expressly limited the visibility of their data to protect their privacy. The CNIL concluded that this exploitation went against their legitimate expectations and violated personal data regulations. Three major shortcomings were identified:
1. Unlawful data collection: The CNIL points out that even on public platforms, the confidentiality settings defined by users must be scrupulously respected. So-called “public” data is not automatically free to use, and its exploitation requires a rigorous legal basis.
2. Disproportionate retention period: KASPR kept the data for five years, extending this period each time a LinkedIn profile was updated. This practice was considered excessive by the CNIL, which emphasized the obligation to define retention periods that are proportionate to the purposes pursued. Businesses should also put in place regular procedures for deleting data that has become obsolete.
3. Lack of transparency: Until 2022, KASPR did not inform users that their data was being collected. Subsequently, the notifications put in place were exclusively in English, which was considered insufficient. The CNIL insists on the importance of clear, understandable and accessible information in the language of the persons concerned.
Many companies share the common misconception that public data can be used without restrictions. The decision of the CNIL dispels this illusion: exploiting data from platforms such as LinkedIn or other so-called “public” sources requires respecting the rights of users and the obligations provided for by the GDPR.
Businesses that don't comply with these rules face not only significant financial penalties but also a lasting impact on their reputation. Tools similar to KASPR are not exempt from these requirements.
To prevent these risks, it is essential to take a proactive approach:
· Conduct an audit of your practices in order to identify the data collected and to assess their compliance with regulations.
· Formalize your processes in rigorous documentation to demonstrate your compliance in the event of an inspection.
· Guarantee transparent information for the persons concerned by clearly explaining, in their language, how their data is used.
These measures are not only legal obligations; they are also good practices that strengthen the trust of your customers and partners.
For any questions or support, do not hesitate to contact us by writing to cchance@squairlaw.com.
Caroline Chancé, partner lawyer at Squair