LinkedIn in breach of GDPR – Berlin court

31 October 2023

“Do Not Stop On Tracks” by swanksalot is licensed under CC BY-NC-SA 2.0.

  • LinkedIn privacy ruling in Germany.
  • Users not protected by Do-Not-Track.
  • Global Privacy Control observed by few.

A regional court in Germany has ruled that Microsoft-owned LinkedIn can no longer ignore its users’ ‘Do Not Track’ settings in browsers. Additionally, the default setting for new users’ visibility for LinkedIn’s partner sites cannot be set to ‘Visible.’

In a submission to the Berlin Regional Court, German consumer rights organization vzbv (Verbraucherzentrale Bundesverband) claimed that LinkedIn’s statement (that it would not observe ‘Do Not Track’ preferences) infringes the GDPR, under which processing of personal data without consent is forbidden. The second part of the vzbv’s claim, the visibility default, was also upheld by the Court under GDPR.

‘Do Not Track’ settings in web browsers are intended to inform website operators that users’ online activities should not be recorded and evaluated.

Lawyer comments on LinkedIn privacy stance

“When consumers activate their browser’s ‘Do Not Track’ function, this is a clear message: they don’t want their surfing behavior to be spied on for advertising and other purposes. Website operators must respect this signal,” said Rosemarie Rodden, a legal expert at vzbv. [transl. Firefox Translations]

The original aim of ‘Do Not Track’ (DNT) was to protect consumers against the now common practice among website owners of capturing, using, and potentially monetizing visitor data. At the time of its general uptake around 2010-2011, both Mozilla and Microsoft implemented code in Firefox and Internet Explorer 10, respectively, to inform web servers of users’ wishes (with others like Apple following suit for Safari). Yet few sites actually ever acted on the preference. LinkedIn’s notice that it would not observe DNT is more of a statement of normality than a deliberate poke in the eye for privacy advocates.

One of the original architects of DNT, Jonathan Mayer, has since termed the feature a “failed experiment.” The truth behind that statement lies in the fact that there was little incentive for websites to respect the setting and no mandatory requirement enforced by law to take action against miscreants. With a few notable exceptions (Pinterest, Medium), the preference was, at the time, largely ignored, a situation that continues to this day. DNT had become a footnote in web history until the legal case in Germany.

What’s interesting about the case presented in Berlin is that under the GDPR, users must actively consent to others capturing and using their data. Where a user actively expresses a preference to a site’s owners by means of a browser setting, those owners (in this case, Microsoft) cannot capture data under EU law. Similarly, by setting a default to ‘On’ that allows Microsoft to share LinkedIn profile information with third parties, the company is again in breach of GDPR.

By making the statement that it would not respect DNT, LinkedIn unwittingly presented itself as a test case for legal action. Such a case could have been brought against almost every other website operator on the planet. In Europe, at least, the GDPR could become the legal lever that DNT’s creators lacked over ten years ago. While privacy advocates might see the relatively small victory as a move to make the internet (or the web, in this case) a more privacy-respecting place, it’s unlikely to herald massive change without the precedent being upheld and a swathe of further actions taken against website operators for similar misdeeds.

More recently, Global Privacy Control (GPC, often seen as the successor to DNT) can be found implemented in the DuckDuckGo browser and as part of its browser extension for Firefox and Chromium-based browsers (Chrome, Edge, Vivaldi, etc.). Sites including the New York Times, Washington Post, People.com, Allrecipes.com, and WordPress.com are observing GPC, aware that in the US, the California Privacy Rights Act (CPRA) is potentially the forerunner of more legislation protecting consumers’ digital rights. Those sites will also not be the target of legal action in the EU, we can presume.

DuckDuckGo’s browser and extensions for other browsers implement GPC.