In short, the company offered a Chrome extension that allowed the collection of LinkedIn users' contact information. The CNIL found numerous violations of the GDPR, including processing data without a legal basis, resulting in a fine of €240,000.
The KASPR case is one of the biggest warnings yet for companies processing personal data without user consent. The CNIL emphasized that illegally obtaining and storing data constitutes a serious violation that can lead to significant fines and reputational damage. In an era of growing awareness of user privacy, such activities are increasingly being detected and sanctioned.
How did KASPR work?
KASPR provided its customers with a paid tool to obtain the contact information of people whose profiles they visited on LinkedIn. As a result, the company amassed a database of approximately 160 million contacts. This data was used for sales, recruitment, and identity verification purposes.
The CNIL found that KASPR collected information not only from public profiles but also from profiles whose owners had knowingly restricted their visibility to first- and second-degree connections. The authority concluded that this action was unlawful and violated LinkedIn users' privacy.
KASPR business model
The main goal of KASPR was to provide entrepreneurs and recruiters with easy access to the contact information of "professionals" on LinkedIn. The tool allowed customers to search the database and obtain phone numbers and email addresses of individuals who didn't necessarily want to share this information publicly.
One key problem was that KASPR aggregated data from multiple sources, including services like Whois and GitHub, often combining them in ways that were contrary to user preferences. Many people were unaware that their data had been collected and was being shared with third parties.
The company's activities sparked a wave of complaints from users who were contacted by unknown entities using their data for commercial purposes. Many felt deceived and exploited, since their data had ended up in the database without their knowledge, and consequently reported the matter to the CNIL, which led to the initiation of proceedings and the imposition of fines.
GDPR violations
During its investigation, the CNIL identified a number of violations of personal data protection regulations:
Lack of legal basis for data processing (Article 6 of the GDPR) – KASPR processed the data of LinkedIn users, particularly those who had restricted their visibility. The CNIL found that this violated their legitimate expectations of privacy.
Disproportionately long data retention period (Article 5(1)(e) GDPR) – The company stored data for 5 years from each update of the user profile, which led to excessively long data processing.
Lack of transparency in informing users (Articles 12 and 14 of the GDPR) – For four years of operation, the company failed to inform the individuals whose data it collected. When it began doing so in 2022, it used only English, making it difficult for recipients to understand the message.
Incorrect implementation of the right to access data (Article 15 of the GDPR) – Individuals seeking information about the origin of their data received vague answers. KASPR did not identify the precise sources of the information.
Failure to respect users' right to object to data processing – Users whose data was collected did not have an effective opportunity to delete it or object to processing.
As can be seen, in the case of KASPR, the use of scraping techniques without the knowledge and consent of users, as well as the lack of clear data retention rules, led to numerous violations of the law, which was reflected in the CNIL decision.