Sinil On December 19, it announced that it had imposed a fine on Casper of 240,000 euros. “Data ambition“. The French personal data protection watchdog believes that the company failed to comply with several GDPR obligations, in particular by collecting user data on… LinkedIn While it was the last “She chose to limit her exposure.”.
Database of 160 million contacts
Kaspr markets a paid addon that can be accessed at Google Chromewhich allows its clients to access the professional contact details — mainly phone numbers and email addresses — of people from their LinkedIn profile. To collect this data, the company relies on: Social network And on other sites like “Domain Name Directories”determines authority.
In total, the Kaspr database includes more than 160 million contacts. The collected data is then used to verify the identity of individuals or conduct commercial prospecting. This is where the action started: some people were informed of the fact that their contact details had been collected via the extension for Vote screeningHe decided to refer the matter to the committee.
Violations of five articles of the General Data Protection Regulation
In a closed meeting, the CNIL considered that Kaspr had failed to fulfill several obligations arising from General Data Protection RegulationStarting from having a legal basis (Article 6 of the Regulations). On LinkedIn, a user can choose several degrees of visibility of their contact details, ranging from closed (“visible only to me”) to semi-open (direct contacts and their contacts’ contacts) or even fully open (“everyone on LinkedIn “”).
In this case, the CNIL ruled “The Casper Group (…) went beyond what people who register on a professional social network could reasonably expect.” People who selected the “Relationships 1” option.any And 2e Levels “actually witnessed their data being collected by the company, even though this was illegal. The authority also noted that Kaspr retained the data.” From LinkedIn users After choosing the general vision for five years from each data update. She believes that this period is disproportionate, especially for users who change jobs before five years.
A severe lack of transparency
The company also failed to meet its transparency and information obligation for individuals (Articles 12 and 14 of the GDPR), by only informing individuals whose data was collected in 2022, four years after the launch of the extension. Finally, Casper simply provided vague explanations to individuals who wanted to know how their data was collected.
In addition to the fine, the authority requires Kaspr to comply with its GDPR obligations, in particular by stopping the collection of data for people who have limited their visibility and deleting this data. These injunctions were accompanied by a compliance deadline of June 18, 2025.