Privacy win: LinkedIn limits ad targeting after EDRi complaint

LinkedIn gave in to pressure from civil society and Digital Services Act (DSA) enforcers based on a complaint by EDRi and three partner organisations. The platform will no longer allow advertisers to target ads based on sensitive personal data from users. That’s a big win for privacy and the DSA, but it also exposes one of the DSA’s more hidden weaknesses.

By EDRi · June 12, 2024

Under pressure from civil society and the European Commission’s DSA enforcement arm, LinkedIn has deprecated the targeting of adverts based on sensitive personal data of users on its platform. This change addresses the concerns that EDRi and our partners Gesellschaft für Freiheitsrechte (GFF), Global Witness and Bits of Freedom had raised that this kind of targeting infringes the DSA’s new prohibition of targeting online adverts based on profiling with such sensitive categories of personal data.

We provided evidence to the Commission showing how the fact that advertisers on LinkedIn are allowed to target their users based on LinkedIn group names can contain or reveal sensitive categories of personal data such as sexuality, political opinions, or race, something that is expressly prohibited under the DSA:

“Providers of online platforms shall not present advertisements to recipients of the service based on profiling […] using special categories of personal data […]” such as health data, sexual preferences, and political opinions. Article 26(3) DSA

Data-driven ad targeting creates an omnipresent system of pervasive surveillance and profiling across the internet. Because the online profiling and tracking of people is often invisible, they are unable to exercise their fundamental rights and meaningfully object to being surveilled, targeted and manipulated by the ad industry. The surveillance ad system has a direct and negative impact on users as it limits their freedom of information and expression, enables discriminatory practices by advertisers and amplifies social stereotyping. There is ample evidence that people are deeply uncomfortable with their sensitive data being used to target them with ads and a majority oppose any of their personal information being used for advertising.

LinkedIn is becoming an increasingly big player in online advertising, with a global annual ad revenue of nearly $4 billion, an increase of 10.1 per cent from the previous year.

How we gathered evidence

In order to demonstrate the actual display of advertisement to LinkedIn users based on these sensitive categories of personal data, we conducted experiments on the platform during which we created an innocuous advert to be targeted at LinkedIn groups such as “Breast Cancer Survivors”, “Queer Businesses and Professionals (LGBT – Lesbian Gay Trans Non-Binary Entrepreneurs + Allies)”, “Jewish Professional Networking Group (JPNG)”, and “Groen Links” (politically “Green Left”, in Dutch).

For a clear example of the use of profiling techniques prohibited by the DSA, we also switched on LinkedIn’s ‘Audience Expansion’ function, which the platform promotes as “increasing the reach of your campaign by showing your ads to audiences with similar ‘attributes’ to your target audience.” As a result, we were able to show that LinkedIn’s ad targeting programme was using people’s intimate personal data that it is not allowed to use in order to target them with paid content.

While tech companies should comply with the DSA on their own, this win underlines the crucial role civil society plays in holding Big Tech to account and enforcing EU law.

DSA enforcement in action

A few weeks after we handed in the evidence, the Commission’s enforcement team sent a formal request for information, asking LinkedIn for “more details on how their service complies with the prohibition of presenting advertisements based on profiling using special categories of personal data.” Such a request constitutes the first step in any future infringement proceeding under the DSA.

The request must have been rather extensive, as for a while there was no news from either side until last week when we were informed that LinkedIn would change course and no longer allow advertisers globally to target users in the European Economic Area (EEA) with adverts in the way we criticised.

Publicly LinkedIn has not admitted any wrongdoing. In its own interpretation of things, the Big Tech firm, which is owned by Microsoft, said it deprecated the infringing targeting technique to “prevent any misconception that ads to European members could be indirectly targeted based on special categories of data or related profiling categories,” which of course was not a misconception at all.

In our experience, multi-billion dollar corporations don’t just cut off one of their revenue streams to avoid a “misconception”. They might do so, however, to avoid a larger investigation by the European Commission’s DSA enforcement team, which in turn could lead to hundreds of millions of Euros in fines. And that’s where, in our view, the DSA had great success in this instance.

Didn’t you say there were hidden weaknesses?

While we are pleased to see that LinkedIn has decided to comply with the DSA rather than fight this through the courts, it is important to acknowledge that this change will only apply to adverts that are targeted at people in Europe (in the European Economic Area, to be precise). People in other parts of the world will, for the time being, continue to be subjected to these invasive forms of profiling and targeting.

What is more, the DSA’s anti-profiling provision only prohibits the use of certain sensitive categories of personal data and also only applies to “online platforms”, that is hosting services that allow users to store and disseminate information to the public (like YouTube, Instagram, Facebook, and Tiktok). That means the DSA lets the rest of the surveillance advertising industry off the hook, including Google ads displayed on third-party websites and in apps and the billion-euro data broker industry that secretly hordes and sells off our most intimate moments to whoever pays for it.

The profiling restriction also does not prohibit the use of other types of personal data like geolocation data, purchasing decisions, or browsing histories. LinkedIn and all other online platforms can therefore continue to legally spy on our private lives in order to feed us targeted adverts. This needs to change.

We salute the European Commission’s DSA enforcement team for the swift and professional action in the LinkedIn case. But this example also underlines that the DSA leaves a huge regulatory gap around commercial surveillance that can only be filled by a comprehensive EU surveillance ads regulation.

Jan Penfrat

Senior Policy Advisor

Mastodon: @ilumium