Noyb cries foul on LinkedIn withholding profile visitor data
#Privacy

Startups Reporter

Privacy group Noyb is challenging LinkedIn's practice of restricting full profile visitor data to paid Premium subscribers, arguing the Microsoft-owned platform violates GDPR Article 15 by refusing to provide the data free of charge to all users upon request. The case could set a precedent for how companies handle paywalled user data, affecting industries from social media to banking.

Privacy advocacy group Noyb has launched a challenge against LinkedIn, arguing the Microsoft-owned professional networking platform is violating EU data protection law by restricting full profile visitor logs to paid Premium subscribers. The case centers on a user's request for their personal data under GDPR Article 15, which LinkedIn denied, claiming its privacy policy satisfies legal requirements. Noyb contends this practice of selling user data back to the people it was collected from is incompatible with EU regulation, and could set a precedent for how all platforms handle paywalled user data.

How LinkedIn's two-tier system works

LinkedIn's profile viewer feature operates on a two-tier system that gives drastically different access to paying and non-paying users. Premium subscribers, who pay between $39.99 and $119.95 per month for access to advanced networking tools (more details on LinkedIn Premium here: https://www.linkedin.com/premium), can view a 365-day history of every person who visited their profile. This log includes visitor names, job titles, employers, and direct links to their profiles, provided the visitor has not set their visibility to private.

[Image: LinkedIn Premium profile viewers]

Free users receive only aggregated, vague summaries of profile activity. A free user might see a notification that 12 people found their profile via the LinkedIn homepage, or that a person with a specific job title at a particular company viewed their page. Clicking any of these entries does not reveal the visitor's identity, instead redirecting to a LinkedIn Premium signup page or a search results page for employees at the mentioned company.

[Image: LinkedIn profile viewers, free account]

The GDPR conflict

An unnamed LinkedIn user exercised their right under GDPR Article 15, which grants all EU data subjects the right to obtain a copy of any personal data a company processes about them. The user requested their full profile visitor log, but LinkedIn rejected the request, saying that protecting the data took precedence. Noyb, which stands for "none of your business" and focuses on enforcing GDPR rights for individuals, has taken up the case.

GDPR Article 15 is unambiguous in its scope. It applies to any entity that processes personal data of EU residents, regardless of the entity's business model or revenue streams. The provision requires companies to provide data subjects with confirmation of whether their data is being processed, a copy of that data, and details about how the data is used. The full text of Article 15 is available at the official GDPR information portal: https://gdpr-info.eu/art-15-gdpr/

LinkedIn has defended its practice, telling The Register that "Not only is it incorrect that only Premium members can see who has viewed their profile, but we also satisfy GDPR Article 15 by disclosing the information at issue via our Privacy Policy." The first claim is demonstrably false, as shown in the screenshots above. The second claim relies on a narrow interpretation of Article 15 that Noyb rejects, arguing that a privacy policy describing data collection practices does not satisfy the requirement to provide the actual data to the user. LinkedIn's full privacy policy is available here: https://www.linkedin.com/legal/privacy-policy

"The core issue is that many companies treat user data as a product they can sell back to the people it belongs to," said Martin Baumann, data protection lawyer at Noyb. "GDPR Article 15 does not have an exception for data that a company wants to monetize. If a business processes personal data, that data is covered by the user's right of access, free of charge."

Baumann noted that the only possible exception to Article 15 is the final paragraph of the provision, which states that a user's right to their data cannot adversely affect the rights and freedoms of others. LinkedIn could theoretically argue that disclosing profile visitor identities would violate the privacy of the visitors themselves. However, Baumann pointed out that LinkedIn already provides this exact data to paying Premium users, which would be unlawful if it truly adversely affected visitor rights. "You cannot argue that disclosing data harms third parties when you already disclose that same data to customers who pay for it," Baumann said. "That position is inconsistent, and it does not hold up under GDPR."

Broader implications for tech and finance

This case is not limited to LinkedIn. Noyb has identified multiple other instances of companies charging users for access to their own data, including banks that refuse to provide free account statements under GDPR, instead charging fees for paper or digital copies. "A clear precedent here would apply to any business that processes user data and then tries to charge for access to it," Baumann said. "The law does not distinguish between a social network, a bank, or any other entity that handles personal data."

The case also fits into a broader pattern of scrutiny facing LinkedIn and its parent company Microsoft. In recent months, LinkedIn has faced criticism for automatically opting users into AI training datasets, giving them only a one-week window to opt out. EU data protection regulators issued €1.2 billion in GDPR fines last year alone, with the majority of penalties going to large tech companies for data handling violations. Microsoft, which acquired LinkedIn for $26.2 billion in 2016, has also faced criticism for aggressive cross-selling of its services in Windows setup flows, pushing users to sign up for Microsoft accounts, LinkedIn, and other products during system configuration. More details on the 2016 acquisition are available here: https://news.microsoft.com/2016/06/13/microsoft-to-acquire-linkedin/

Noyb said the goal of the case is to clarify that data which is available to paying users is still subject to Article 15, even if the company packages it with additional analytics or features for premium subscribers. "LinkedIn can offer a premium service that presents data in a more useful format, with analytics and dashboards," Baumann said. "But a user who wants the raw data in a CSV file has the right to that, free of charge. The premium service is the presentation, not the data itself."

What to expect next

The case will be filed with the relevant EU data protection authority, which will issue a ruling on whether LinkedIn's practice violates GDPR. If Noyb prevails, LinkedIn would be required to provide all users with full profile visitor logs upon request, free of charge, regardless of subscription status. The ruling could also trigger similar challenges against other platforms that paywall user data, from banks to fitness apps to e-commerce sites.
