This post is also available in:
עברית (Hebrew)
French regulators have imposed a fine of €240,000 ($249,600) on Kaspr, a software company based in Paris, for violating European Union privacy laws by scraping data from LinkedIn. The fine was issued by the National Commission on Informatics and Liberty (CNIL), which found that Kaspr unlawfully collected and retained data without proper authorization.
Kaspr’s business model revolves around its paid Chrome extension, which helps users extract professional contact information from LinkedIn. The extension was found to have scraped the contact details of LinkedIn users who had restricted visibility of their information to only their direct connections, violating EU data protection regulations.
Although it is legal to collect publicly visible information, the CNIL discovered that Kaspr had been storing this data for an excessively long period, which was considered a violation of privacy principles under the EU’s General Data Protection Regulation (GDPR). Kaspr, which is owned by the data company Cognism, had amassed a database containing around 160 million contact profiles scraped from LinkedIn and other websites.
The CNIL received numerous complaints from individuals who had been contacted by businesses using the Kaspr service to obtain their personal information. The company was also found to have failed in its transparency obligations. Kaspr only began notifying individuals about the collection of their data in 2022, four years after the extension’s launch, and the notifications were deemed unclear and insufficient.
Additionally, the company did not respect individuals’ right to access their data. When questioned about the source of collected information, Kaspr merely claimed that the data was obtained from publicly accessible sources, without providing further clarification.
As part of the penalty, the CNIL has ordered Kaspr to cease its unlawful practices and align with GDPR regulations moving forward. This fine serves as a stark reminder to businesses about the importance of adhering to privacy laws when handling personal data.
