Kaspr Extension Violates Privacy by Illegally Collecting LinkedIn Contact Information

The maker of the Kaspr extension, a paid extension for Google Chrome that allows LinkedIn users to see the contact details of profiles they visit, has illegally collected contact details on LinkedIn and other websites, French privacy regulator CNIL ruled today. The authority has fined Kaspr 240,000 euros.

LinkedIn users have four options to display their contact information, namely ‘Only visible to me’, ‘Everyone on LinkedIn’, ‘1st degree connections’ and ‘1st and 2nd degree connections’. According to CNIL, Kaspr collected contact information from LinkedIn users who had explicitly limited the visibility of their contact information to first- and second-degree connections, i.e. their contacts on the social network and contacts of contacts. They had therefore not given Kaspr permission to collect their contact details, according to the French privacy regulator.

The company has therefore illegally collected the contact details on LinkedIn, according to CNIL. In addition, data when people got a new employer or position was also kept longer than necessary. Although the Kaspr extension has been around for years, users were only informed in 2022 that their personal data had been collected. The email about this was only in English, which, according to the French privacy regulator, is not a transparent and understandable provision of information. When people asked how Kaspr got their data, the company said it got it from publicly available sources. CNIL states that Kaspr should have cited some of the sources.

In addition to the fine of 240,000 euros, CNIL has also imposed various measures. For example, Kaspr must stop collecting contact details of people who have limited their visibility, it must stop automatically extending the retention period of personal data, people whose data has been collected must be informed in an understandable way and it must comply with access requests.

In short: